AT-S63 Management Software Features Guide
AT-S63 Version 2.2.0 for the AT-9400 Layer 2+ Switches
AT-S63 Version 3.0.0 for the AT-9400 Basic Layer 3 Switches
613-000801 Rev.
Copyright © 2007 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesis, Inc.
Preface
This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software.
How This Guide is Organized
This guide has the following sections and chapters:
Section I: Basic Operations
Chapter 1, “Overview” on page 29
Chapter 2, “Enhanced Stacking” on page 55
Chapter 3, “SNMPv1 and SNMPv2c” on page 65
Chapter 4, “MAC Address Table” on page 71
Chapter 5, “Static Port Trunks” on page 75
Chapter 6, “LACP Port Trunks” on page 81
Chapter 7, “Port Mirror” on page 93
Section II: Advanced Operations
Chapter 8, “File System” on page 99
Chapter 9, “Event Logs and the Syslog Cl
Section V: Spanning Tree Protocols
Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213
Chapter 21, “Multiple Spanning Tree Protocol” on page 225
Section VI: Virtual LANs
Chapter 22, “Port-based and Tagged VLANs” on page 247
Chapter 23, “GARP VLAN Registration Protocol” on page 261
Chapter 24, “Multiple VLAN Modes” on page 273
Chapter 25, “Protected Ports VLANs” on page 279
Chapter 26, “MAC Address-based VLANs” on page 285
Section VI
Product Documentation
For overview information on the features of the AT-9400 Switch and the AT-S63 Management Software, refer to:
AT-S63 Management Software Features Guide (PN 613-000801)
For instructions on starting a local or remote management session, refer to:
Starting an AT-S63 Management Session Guide (PN 613-000817)
For instructions on installing or managing stand-alone switches, refer to:
AT-9400 Gigabit Ethernet Switch Installation Guide (PN 613-000357)
AT-S63 Management So
Where to Go First
Allied Telesis recommends that you read Chapter 1, “Overview” on page 29 in this guide before you begin to manage the switch for the first time. There you will find basic information about the unit and the management software, such as the two manager access levels and the different types of management sessions. This guide is also your resource for background information on the features of the switch.
Starting a Management Session
For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide.
Document Conventions
This document uses the following conventions:
Note
Notes provide additional information.
Caution
Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning
Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides
The installation and user guides for all Allied Telesis products are available in portable document format (PDF) on our web site at www.alliedtelesis.com. You can view the documents online or download them onto a local workstation or server.
Contacting Allied Telesis
This section provides Allied Telesis contact information for technical support as well as sales and corporate information.
Online Support
You can request technical support online by accessing the Allied Telesis Knowledge Base: http://kb.alliedtelesis.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Section I
Basic Operations
The chapters in this section contain background information on basic switch features.
Chapter 1
Overview
This chapter has the following sections:
“Layer 2+ and Basic Layer 3 Switches” on page 30
“AT-S63 Management Software” on page 35
“Management Interfaces and Features” on page 36
“Management Access Methods” on page 41
“Manager Access Levels” on page 43
“Installation and Management Configurations” on page 44
“IP Configuration” on page 46
“Redundant Twisted Pair Ports” on page 47
“History of New Features” on page 49
Layer 2+ and Basic Layer 3 Switches
The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups:
Layer 2+ Switches
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP
Basic Layer 3 Switches
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP
The switches of the two groups offer many of the same features and capabilities. However, there are a couple of significant differences.
Table 1. AT-9400 Switch Features
Columns: Layer 2+ Switches (Version 2.2.0); Basic Layer 3 Switches (Version 3.0.0); Stack (1)
Rows recovered from this table:
802.1Q-compliant and non-802.
Remote Secure Shell management           Y Y Y Y Y Y Y Y
TACACS+ and RADIUS authentication        Y Y Y Y Y Y Y Y
Management access control list           Y Y Y Y Y Y Y Y
1. Basic Layer 3 switches using version 3.0.0 of the management software and the AT-StackXG Stacking Module.
2. The only accessible file system in a stack is on the master switch.
AT-S63 Management Software
The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged unit.
Note
The default settings are listed in Appendix A, “AT-S63 Management Software Default Settings” on page 439.
Management Interfaces and Features
The AT-S63 Management Software has three management interfaces:
Menus interface
Command line interface
Web browser interface
You can use the menus and command line interfaces from a local management session through the Terminal Port on the switch, or remotely with a Telnet or Secure Shell client. The web browser interface is used from remote HTTP and HTTPS sessions using a web browser.
Table 2. Management Interfaces and Features
Columns: Command Line Interface; Menus Interface; Web Browser Interface
Internet Protocol Routing
  Routing interfaces                        Y  Y  Y
  Static routes                             Y
  Routing Information Protocol (RIP)        Y
  Address Resolution Protocol (ARP) table   Y
  BOOTP and DHCP clients                    Y
  BOOTP relay agent                         Y
  Virtual Router Redundancy Protocol        Y
Port Security
  MAC address-based port security           Y  Y  Y
  802.
2. You cannot upload or download files to a compact flash card with the web browser interface. Also, the interface does not support switch-to-switch uploads.
3. You cannot modify the event log full action from the web browser interface.
4. You can view the encryption keys from the web browser interface, but you cannot create or delete them.
5.
Management Access Methods
You can access the AT-S63 Management Software on the switch in several ways:
Local session
Remote Telnet session
Remote Secure Shell (SSH) session
Remote web browser (HTTP or HTTPS) session
Remote SNMP session
Local Management Sessions
You establish a local management session to the switch by connecting a terminal or a PC with a terminal emulator program to the Terminal Port on the front panel using the management cable
Remote SNMP Management
You can also remotely configure the switch using a Simple Network Management Protocol (SNMP) application, such as AT-View. This management method requires an understanding of management information base (MIB) objects.
Manager Access Levels
The AT-S63 Management Software has two manager access levels: manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level only lets you view the parameter settings. You log in by entering the appropriate username and password when you start a management session. To log in as a manager, type “manager” as the login name. The default password is “friend.”
Installation and Management Configurations
The AT-9400 Switches can be installed in three configurations.
Stand-alone Switch
All the AT-9400 Switches can be installed and operated as managed or unmanaged, stand-alone Gigabit Ethernet switches. Stand-alone switches are managed by initiating a local or remote session on the unit.
Enhanced Stacking
You can simplify the management of the switches in your network by connecting them together into an enhanced stack.
Here are the main points of stacking:
The AT-9400 Gigabit Ethernet Switches operate as a single, logical unit where functions such as port trunks and port mirrors can span all of the devices in the stack.
The switches are managed as a unit.
The switches share a common MAC address table.
The switches must be installed in the same wiring closet in the same equipment rack.
The switches are cabled together with the AT-StackXG Stacking Module.
IP Configuration
Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your network, like a Simple Network Time Protocol server for setting its date and time, or a TFTP server for uploading or downloading files? If so, then the switch will need an IP configuration. To assign an IP configuration to the switch, you need to create a routing interface.
Redundant Twisted Pair Ports
Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are paired together. The twisted pair ports are identified with the letter “R” for “Redundant” as part of their number on the front faceplate of the unit. The switch models with paired ports and slots are listed in Table 3.
Note
These guidelines do not apply to the SFP slots on the AT-9408LC/SP switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP switches.
History of New Features
The following sections contain the history of new features in the AT-S63 Management Software.
Version 3.0.0
Table 4 lists the new features in version 3.0.0 of the AT-S63 Management Software.
Table 4. New Features in AT-S63 Version 3.0.0
Feature: Stacking with the AT-StackXG Stacking Module
Change: New feature. For information, refer to Chapter 1, Overview in the AT-S63 Stack Command Line Interface User’s Guide.
Version 2.1.0
Table 5 lists the new features in version 2.1.0.
Table 5. New Features in AT-S63 Version 2.1.0
Feature: Internet Protocol version 4 packet routing
Change: Added the following new features:
Equal Cost Multi-path (ECMP) for supporting multiple routes in the routing table to the same remote destination.
Variable length subnet masks for the IP addresses of routing interfaces and static and dynamic routes.
Version 2.0.0
Table 6 lists the new feature in version 2.0.
Version 1.3.0
Table 7 lists the new features in version 1.3.0 of the AT-S63 Management Software.
Table 7. New Features in AT-S63 Version 1.3.0
Features: 802.1x Port-based Network Access Control; Management Access Control List
Change: Added the following new features:
Guest VLAN. For background information, see “Guest VLAN” on page 372.
Version 1.2.0
Table 8 lists the new features in version 1.2.0.
Table 8. New Features in AT-S63 Version 1.2.0
Features: MAC Address Table; Quality of Service
Change: Added the following new parameters to the CLI commands for displaying and deleting specific types of MAC addresses in the MAC address table:
STATIC, STATICUNICAST, and STATICMULTICAST for displaying and deleting static unicast and multicast MAC addresses.
Table 8. New Features in AT-S63 Version 1.2.0 (Continued)
Feature: 802.1x Port-based Network Access Control
Change: Added a new parameter to authenticator ports:
Supplicant Mode for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator Ports with Single and Multiple Supplicants” on page 363.
Chapter 2
Enhanced Stacking
This chapter contains the following sections:
“Supported Platforms” on page 56
“Overview” on page 57
“Master and Slave Switches” on page 58
“Common VLAN” on page 59
“Master Switch and the Local Interface” on page 60
“Slave Switches” on page 61
“Enhanced Stacking Compatibility” on page 62
“Enhanced Stacking Guidelines” on page 63
“General Steps” on page 64
Supported Platforms
This feature is supported on the following AT-9400 Switches:
Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP
Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported
This feature can be managed from all three management interfaces in the AT-S63 Management Software:
Command line interface
Menus int
Overview
Having to manage a large number of network devices typically involves starting a separate management session on each device. This usually means having to end one management session in order to start a new session on another unit. The enhanced stacking feature can simplify this task because it allows you to easily transition among the different AT-9400 Switches in your network from just one management session.
Master and Slave Switches
An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other switches. The other switches in the stack are known as slave switches. They can be managed through the master switch or directly, such as from a local management session.
Common VLAN
A master switch searches for the other switches in an enhanced stack by sending a broadcast packet out a local subnet. (The designation of this subnet is explained in “Master Switch and the Local Interface,” next.) Since a broadcast packet cannot cross a router or a VLAN boundary, you must connect the switches of an enhanced stack with a common VLAN.
Master Switch and the Local Interface
Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to know on which subnet to send its broadcast packets and on which subnet to monitor for the management packets from the other switches and from remote management workstations.
Slave Switches
The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the master switch. A slave switch does not need a routing interface on the common VLAN if you use the Default_VLAN (VID 1) as the common VLAN.
Enhanced Stacking Compatibility
This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8000 Series, AT-8400 Series, and AT-8500 Series Switches.
Enhanced Stacking Guidelines
Here are the guidelines to using the enhanced stacking feature:
There can be up to 24 switches in an enhanced stack.
The switches in an enhanced stack must be connected with a common port-based or tagged VLAN. The VLAN must have the same name and VLAN identifier (VID) on each switch, and the switches must be connected using tagged or untagged ports of the VLAN.
General Steps
Here are the basic steps to implementing the enhanced stacking feature on the AT-9400 Switches in your network:
1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesis switch that supports this feature. In a stack with different switch models, Allied Telesis recommends using an AT-9400 Switch as the master switch. For further information, refer to “Enhanced Stacking Compatibility” on page 62.
2.
Chapter 3
SNMPv1 and SNMPv2c
This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch.
Supported Platforms
This feature is supported on all AT-9400 Switches:
Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP
Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported
This feature can be managed from all three management interfaces in the AT-S63 Management Software:
Command line interface
Menus interface
Overview
You can manage a switch by viewing and changing the management information base (MIB) objects on the device with the Simple Network Management Protocol (SNMP). The AT-S63 Management Software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains SNMPv1 and SNMPv2c. For information on SNMPv3, refer to Chapter 19, “SNMPv3” on page 197.
Community String Attributes
A community string has attributes for controlling who can use the string and what the string allows a network management application to do on the switch. The community string attributes are defined below:
Community String Name
A community string must have a name of one to eight alphanumeric characters. Spaces are allowed.
Access Mode
This attribute defines the permissions of a community string. There are two access modes: Read and Read/Write.
the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers to. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings. This is true even for community strings that have an access mode of only Read.
Default SNMP Community Strings
The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of just Read, and the private string has an access mode of Read/Write. If you activate SNMP management on the switch, you should delete or disable the private community string, which is a well-known default in the industry, or change its status from open to closed, to prevent unauthorized changes to the switch.
Chapter 4
MAC Address Table
This chapter contains background information about the MAC address table.
Overview
The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port number where each address was learned. The switch learns the MAC addresses of the end nodes by examining the source address of each packet received on a port. It adds the address and the port on which the packet was received to the MAC table if the address has not already been entered in the table.
MAC address table from becoming filled with addresses of nodes that are no longer active. The period of time that the switch waits before purging an inactive dynamic MAC address is called the aging time. This value is adjustable on the AT-9400 Switch. The default value is 300 seconds (5 minutes).
The MAC address table can also store static MAC addresses. A static MAC address is a MAC address of an end node that you assign to a switch port manually.
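The following Python model is an added example, not Allied Telesis code, of the table behaviour this chapter describes: learning from source addresses, aging dynamic entries after the 300 second default, and static entries that are never aged. Two details the guide does not state are assumed here and marked in comments: a dynamic address seen again on another port is moved to that port, and no new address is learned while the table holds its 16,000 entry capacity.

```python
"""Switch MAC address table with learning, aging and static entries.

Added example modelled on the AT-S63 Features Guide description; not the
vendor's code. Capacity 16,000 and aging time 300 s are the guide's values.
Assumptions not on the page: a moved station updates its port, and learning
stops while the table is full.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float  # seconds on the caller's clock; unused for static entries


class MacTable:
    def __init__(self, capacity: int = 16000, aging_time: float = 300.0):
        self.capacity = capacity
        self.aging_time = aging_time
        self._entries: Dict[str, Entry] = {}

    @staticmethod
    def _norm(mac: str) -> str:
        # Lookups are case-insensitive on the hex digits.
        return mac.lower()

    def add_static(self, mac: str, port: int) -> None:
        """Pin an address to a port by hand; replaces any dynamic entry for it."""
        self._entries[self._norm(mac)] = Entry(port, True, 0.0)

    def learn(self, src_mac: str, port: int, now: float) -> bool:
        """Learn from the source address of a frame received on `port`.

        Returns True if a dynamic entry was created or refreshed, False if the
        address is static (learning never overrides a static entry) or the
        table is full (assumed behaviour).
        """
        key = self._norm(src_mac)
        entry = self._entries.get(key)
        if entry is not None:
            if entry.static:
                return False
            entry.port = port          # assumption: follow a station that moved
            entry.last_seen = now      # activity resets the aging clock
            return True
        if len(self._entries) >= self.capacity:
            return False               # assumption: nothing learned while full
        self._entries[key] = Entry(port, False, now)
        return True

    def age(self, now: float) -> List[str]:
        """Purge dynamic entries silent for longer than the aging time.

        Static entries are never aged. Returns the purged addresses, sorted.
        """
        expired = [k for k, e in self._entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self._entries[k]
        return sorted(expired)

    def lookup(self, mac: str) -> Optional[int]:
        """Egress port for a destination address; None means unknown (flooded)."""
        e = self._entries.get(self._norm(mac))
        return e.port if e else None

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed walk-through: one static server address, one learned client.
    table = MacTable()
    table.add_static("00:00:5e:00:53:01", 3)
    table.learn("00:00:5e:00:53:02", 5, now=0.0)
    print("client on port", table.lookup("00:00:5e:00:53:02"))
    print("aged at t=301:", table.age(now=301.0))
    print("server still on port", table.lookup("00:00:5e:00:53:01"))
```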
Chapter 5
Static Port Trunks
This chapter describes static port trunks.
Supported Platforms
This feature is supported on all AT-9400 Switches:
Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP
Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Supported
This feature can be managed from all three management interfaces:
Command line interface
Menus interface
Web browser interface
Overview
A static port trunk is a group of two to eight ports that function as a single virtual link between the switch and another device. Traffic is distributed across the ports to improve performance and enhance reliability by reducing the reliance on a single physical link. A static port trunk is easy to configure. You simply designate the ports of the trunk and the management software automatically groups them together.
Load Distribution Methods
This section discusses load distribution methods and applies to both static and LACP port trunks. One of the steps to creating a static or LACP port trunk is selecting a load distribution method, which determines how the switch distributes the traffic load across the ports in the trunk.
A similar method is used for the two load distribution methods that employ both the source and destination addresses. Here, however, the last three bits of both addresses are combined by an XOR operation to derive a single value, which is then compared against the mapping of bit values to ports.
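As an added example (not code from the guide or from Allied Telesis), here is a Python model of the address-bit selection described above: the last three bits of a MAC or IPv4 address, XORed for the two combined methods, then mapped onto the member ports of the trunk. The method labels and the modulo mapping from the 3-bit value to a port are assumptions; the constructed sample shows why a method whose address bits do not vary across flows sends every flow down one link.

```python
"""Trunk load distribution by address bits, modelled on the AT-S63 guide.

Added example, not Allied Telesis code. The guide states that the switch
takes the last three bits of the source or destination address and, for the
two combined methods, XORs the last three bits of both addresses to derive a
single value that is then compared against the mapping of bit values to
ports. Assumed here (not on the page): the method labels used as keys in
METHODS, and the map from the 3-bit value to a member port, taken to be the
value modulo the number of ports in the trunk.
"""
from collections import Counter
from typing import Callable, Dict, List
import ipaddress


def last3_mac(mac: str) -> int:
    """Last three bits of a MAC address written as six colon-separated hex octets."""
    octets = mac.lower().split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return int(octets[-1], 16) & 0b111


def last3_ip(ip: str) -> int:
    """Last three bits of a dotted-quad IPv4 address."""
    return int(ipaddress.IPv4Address(ip)) & 0b111


# Method label (assumed) -> function(frame) returning the 3-bit distribution value.
METHODS: Dict[str, Callable[[dict], int]] = {
    "src-mac":     lambda f: last3_mac(f["src_mac"]),
    "dst-mac":     lambda f: last3_mac(f["dst_mac"]),
    "src-dst-mac": lambda f: last3_mac(f["src_mac"]) ^ last3_mac(f["dst_mac"]),
    "src-ip":      lambda f: last3_ip(f["src_ip"]),
    "dst-ip":      lambda f: last3_ip(f["dst_ip"]),
    "src-dst-ip":  lambda f: last3_ip(f["src_ip"]) ^ last3_ip(f["dst_ip"]),
}


def select_port(method: str, trunk_ports: List[int], frame: dict) -> int:
    """Pick the trunk member that carries this frame.

    The 3-bit value (0-7) is folded onto the two to eight member ports by
    modulo (assumed mapping); with exactly eight ports each value has its own link.
    """
    if not 2 <= len(trunk_ports) <= 8:
        raise ValueError("a trunk has two to eight ports")
    value = METHODS[method](frame)
    return trunk_ports[value % len(trunk_ports)]


def distribution(method: str, trunk_ports: List[int], frames: List[dict]) -> Counter:
    """Count how many frames each member port would carry under `method`."""
    return Counter(select_port(method, trunk_ports, f) for f in frames)


# Constructed sample: eight clients talking to one server. The client MAC
# addresses are 8 apart, so their last three bits are all zero; their IP
# addresses are consecutive, so those bits do vary.
SERVER_MAC = "00:0c:29:aa:bb:08"
CLIENT_MACS = [f"00:0c:29:01:02:{i * 8:02x}" for i in range(1, 9)]
FRAMES = [
    {"src_mac": mac, "dst_mac": SERVER_MAC,
     "src_ip": f"10.0.0.{i}", "dst_ip": "10.0.1.5"}
    for i, mac in enumerate(CLIENT_MACS, start=1)
]
TRUNK = [21, 22, 23, 24]  # a four-port trunk on constructed port numbers

if __name__ == "__main__":
    # src-mac and src-dst-mac put all eight flows on port 21; src-ip spreads them.
    for m in ("src-mac", "src-dst-mac", "src-ip", "src-dst-ip"):
        print(f"{m:12s} {dict(distribution(m, TRUNK, FRAMES))}")
```

The lesson for a trunk that carries traffic from a few servers is to choose the method whose address bits actually differ between flows; otherwise one member link saturates while the others idle.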
Guidelines
The following guidelines apply to static trunks:
Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility.
A static trunk can have up to eight ports.
Stand-alone switches can support up to six static and LACP trunks at a time (for example, four static trunks and two LACP trunks). An LACP trunk is counted against the maximum number of trunks only when it is active.
Chapter 6
LACP Port Trunks
This chapter explains Link Aggregation Control Protocol (LACP) port trunks.
Supported Platforms
This feature is supported on the following AT-9400 Switches:
Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP
Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported
This feature can be managed from two of the management interfaces:
Command line interface
Menus interface
Overview
LACP (Link Aggregation Control Protocol) port trunks perform the same function as static trunks. They increase the bandwidth between network devices by distributing the traffic load over multiple physical links. The advantage of an LACP trunk over a static port trunk is its flexibility. While implementations of static trunking tend to be vendor specific, the implementation of LACP in the AT-S63 Management Software is compliant with the IEEE 802.
If there will be more than one aggregate trunk on a switch, each trunk might require a separate aggregator, or it might be possible to combine them into a common aggregator. The determining factor will be whether the trunks are going to the same device or to different devices. If the trunks are going to the same device, each must have its own aggregator. If they are going to different devices, the trunks can be members of a common aggregator.
Here is how the example looks in table format.
Aggregator Description   Aggregator Ports   Aggregate Trunk Ports
Aggregator 1             1-3                1-3
Aggregator 2             12-14              12-14
Caution
The example cited here illustrates a loop in a network. Avoid network loops to prevent broadcast storms.
If the aggregate trunks go to different devices, you can create one aggregator and the AT-9400 Switch will form the trunks for you automatically.
Here is how this example looks in table format.
Aggregator Description   Aggregator Ports   Aggregate Trunk Ports
Aggregator 1             1-3, 12-14         1-3
                                            12-14
You could, if you wanted, create separate aggregators for the different aggregate trunks in the example above. But letting the switch make the determination for you whenever possible saves time later if you physically reassign ports to a different trunk connected to another device.
AT-S63 Management Software Features Guide LACP System Priority It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be active and which are to be in standby. If a conflict does occur, the two devices need a mechanism for resolving the problem and deciding whose LACP settings are to take precedence.
Chapter 6: LACP Port Trunks Adminkey Parameter The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is restricted to a switch. Two aggregators on different switches can have the same adminkey without generating a conflict.
AT-S63 Management Software Features Guide Load Distribution Methods The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to assign different load distribution methods to different aggregate trunks, you must create a separate aggregator for each trunk.
Chapter 6: LACP Port Trunks Guidelines The following guidelines apply to creating aggregators: 90 LACP must be activated on both the switch and the other device. The other device must be 802.3ad-compliant. An aggregator can consist of any number of ports. The AT-S63 Management Software supports up to eight active ports in an aggregate trunk at a time.
AT-S63 Management Software Features Guide Section I: Basic Operations When creating a new aggregator, you can specify either a name for the aggregator or an adminkey, but not both. If you specify a name, the adminkey is based on the operator key of the lowest numbered port in the aggregator. If you specify an adminkey, the default name is DEFAULT_AGG followed by the port number of the lowest numbered port in the aggregator.
Chapter 7
Port Mirror

This chapter explains the port mirror feature.

Supported Platforms

This feature is supported on all AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

The port mirror feature allows for the unobtrusive monitoring of ingress or egress traffic on one or more ports on a switch, without impacting network performance or speed. It copies the traffic from specified ports to another switch port where the traffic can be monitored with a network analyzer. The port(s) whose traffic is mirrored is called the source port(s). The port where the traffic is copied to is referred to as the destination port.
Section II
Advanced Operations

This section contains the following chapters:
– Chapter 8, “File System” on page 99
– Chapter 9, “Event Logs and the Syslog Client” on page 105
– Chapter 10, “Classifiers” on page 109
– Chapter 11, “Access Control Lists” on page 119
– Chapter 12, “Class of Service” on page 131
– Chapter 13, “Quality of Service” on page 139
– Chapter 14, “Denial of Service Defenses” on page 161
Chapter 8
File System

This chapter explains the switch’s file system and contains the following sections:
– “Overview” on page 100
– “Boot Configuration Files” on page 101
– “File Naming Conventions” on page 102
– “Using Wildcards to Specify Groups of Files” on page 103

Overview

The AT-9400 Switch has a file system in flash memory for storing system files. You can view a list of the files as well as copy, rename, and delete files. For those AT-9400 Switches that support a compact flash memory card, you can perform the same functions on the files stored on a flash card, as well as copy files between the switch’s file system and a flash card.

Boot Configuration Files

A boot configuration file contains the series of commands that recreate the current or a specific configuration of the switch when the unit is power cycled or reset. The commands in the file recreate all the VLANs, port settings, spanning tree settings, port trunks, port mirrors, and so forth. A switch can contain multiple boot configuration files, but only one can be active on a switch at a time.

File Naming Conventions

The flash memory file system is a flat file system—directories are not supported. However, directories are supported on compact flash cards. In both types of storage, files are uniquely identified by a file name in the following format:

filename.ext

where:

filename is a descriptive name for the file, and may be one to sixteen characters in length.

Using Wildcards to Specify Groups of Files

You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions:

*.cfg
*.key
28*.
Chapter 9
Event Logs and the Syslog Client

This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server.

Supported Platforms

This feature is supported on all AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurred.

Syslog Client

The management software features a syslog client for sending event messages to a syslog server on your network. A syslog server can function as a central repository for events from many different network devices.
Chapter 10
Classifiers

This chapter explains classifiers for access control lists and Quality of Service policies.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three of the management interfaces in the AT-S63 Management Software:
– Command line interface
– Menus interface

Overview

A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter could be packets with specific source and destination MAC addresses. A classifier contains a set of criteria for defining a traffic flow.

is dictated by the QoS policy, as explained in Chapter 13, “Quality of Service” on page 139. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.

Classifier Criteria

The components of a classifier are defined in the following subsections.

Destination MAC Address (Layer 2)
Source MAC Address (Layer 2)

You can identify a traffic flow by specifying a source and/or destination MAC address. For instance, you might create a classifier for a traffic flow destined to a particular destination node, or from a specific source node to a specific destination node, all identified by their MAC addresses.

Figure 4. User Priority and VLAN Fields within an Ethernet Frame
[Figure: layout of a tagged Ethernet frame; field widths as shown in the figure]
Preamble                   64 bits
Destination Address        48 bits
Source Address             48 bits
Tag Protocol Identifier    16 bits
  User Priority            3 bits
  CFI                      1 bit
  VLAN Identifier          12 bits
Type/Length                16 bits
Frame Data                 368 to 12000 bits
CRC                        32 bits

You can identify a traffic flow of tagged packets using the user priority value.

Observe the following guidelines when using this variable:
– When selecting a Layer 3 or Layer 4 variable, this variable must be left blank or set to IP.
– If you choose to specify a protocol by its number, you can enter the value in decimal or hexadecimal format. If you choose the latter, precede the number with the prefix “0x”.
– The range for the protocol number is 1536 (0x600) to 65535 (0xFFFF).

Observe these guidelines when using this criterion:
– The Protocol variable must be left blank or set to IP.
– You cannot specify both an IP ToS value and an IP DSCP value in the same classifier.

IP Protocol (Layer 3)

You can define a traffic flow by the following Layer 3 protocols:
– TCP
– UDP
– ICMP
– IGMP
– IP protocol number

If you choose to specify the protocol by its number, you can enter the value in decimal or hexadecimal format.

Observe this guideline when using these criteria:
– The Protocol variable must be left blank or set to IP.

TCP Source Ports (Layer 4)
TCP Destination Ports (Layer 4)

A traffic flow can be identified by a source and/or destination TCP port number contained within the header of an IP frame. Observe the following guidelines when using these criteria:
– The Protocol variable must be left blank or set to IP.

Guidelines

Follow these guidelines when creating a classifier:
– Each classifier represents a separate traffic flow.
– The variables within a classifier are linked by AND. The more variables defined within a classifier, the more specific it becomes in terms of the flow it defines.
Chapter 11
Access Control Lists

This chapter describes access control lists (ACL) and how they can improve network security and performance.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Switches
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Switches
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces in the AT-S63 Management Software:
– Command line interface

Overview

An access control list is a filter that controls the ingress traffic on a port. It defines a category of traffic and the action of the port when it receives packets of the category. The action can be to accept the defined packets or discard them.

4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.

Parts of an ACL

An ACL must have the following information:
– Name - An ACL must have a name. The name of an ACL should indicate the type of traffic flow being filtered and, perhaps, also the action. An example might be “HTTPS flow - permit.” The more specific the name, the easier it will be for you to identify it.
– Action - The action of an ACL can be permit or deny.

Guidelines

Here are the rules for creating ACLs:
– A port can have multiple permit and deny ACLs.
– An ACL must have at least one classifier.
– An ACL can be assigned to more than one switch port.
– An ACL filters ingress traffic, but not egress traffic.
– The action of an ACL can be either permit or deny.
– A permit ACL overrides a deny ACL on the same port when the ACLs define the same traffic.
Examples

This section contains several examples of ACLs.

In this example, port 4 has been assigned one ACL, a deny ACL for the subnet 149.11.11.0. This ACL prevents the port from accepting any traffic originating from that subnet. Since this is the only ACL on the port, all other traffic is accepted. As explained earlier, a port automatically accepts all packets that do not meet the criteria of the classifiers assigned to its ACLs.

To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL, as illustrated in the next example. Three subnets are denied access to port 4. The three classifiers defining the subnets are applied to the same ACL.

Create Classifier
01 - Classifier ID: ..... 22
02 - Description: ...... 149.11.11 flow
.
.
12 - Src IP Addr: ..... 149.11.11.0
13 - Src IP Mask: .... 255.255.255.

The same result can be achieved by assigning the classifiers to different ACLs and assigning the ACLs to the same port, as in this example, again for port 4.

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description .......... 149.11.11-deny
3 - Action .................. Deny
4 - Classifier List ...... 22
5 - Port List .............. 4

Create Access Control Lists (ACL)
1 - ACL ID ................. 22
2 - Description .......... 149.22.22.

In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifier ID 17 specifies all IP traffic and is assigned to an ACL whose action is deny. Since a permit ACL overrides a deny ACL, the port will accept the traffic from the 149.44.44.
The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 and a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited.

Create Classifier

Create Access Control Lists (ACL)
1 - ACL ID ................. 4
2 - Description .......... ToS 6 traffic - permit
3 - Action .................. Permit
4 - Classifier List ...... 6
5 - Port List ...........
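The rules of this chapter applied to the examples in this section, as an added Python model that is not the manual's own material or the switch's code: classifier variables are ANDed, a permit ACL overrides a deny ACL on the same port for the same traffic, and a packet matching no ACL on the port is accepted. The packet dictionaries, and the deny ACLs for all IP and all ARP that model "all other IP traffic and ARP packets are prohibited" on port 17, are constructed for the example.

```python
"""Model of ingress ACL evaluation on an AT-9400 port, following Chapter 11.

Rules modelled: a classifier's variables are ANDed (Chapter 10); an ACL is
permit or deny and holds one or more classifiers; a permit ACL overrides a
deny ACL on the same port for the same traffic; a packet matching no ACL on
the port is accepted. Packets are constructed dicts, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

Packet = Dict[str, object]


def net(addr: str, mask: str) -> IPv4Network:
    """Combine the menu's IP Addr and IP Mask fields into one network."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class Classifier:
    cid: int
    protocol: Optional[str] = None          # "IP", "ARP" or None (any)
    src_net: Optional[IPv4Network] = None   # Src IP Addr / Src IP Mask
    dst_net: Optional[IPv4Network] = None   # Dst IP Addr / Dst IP Mask
    tos: Optional[int] = None               # IP ToS value

    def matches(self, pkt: Packet) -> bool:
        """Every configured variable must match (the variables are ANDed)."""
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        needs_ip = (self.src_net is not None or self.dst_net is not None
                    or self.tos is not None)
        if needs_ip and pkt["protocol"] != "IP":
            return False                    # Layer 3 variables need an IP packet
        if self.src_net is not None and IPv4Address(pkt["src"]) not in self.src_net:
            return False
        if self.dst_net is not None and IPv4Address(pkt["dst"]) not in self.dst_net:
            return False
        if self.tos is not None and pkt.get("tos") != self.tos:
            return False
        return True


@dataclass
class ACL:
    acl_id: int
    action: str                   # "permit" or "deny"
    classifiers: List[Classifier]
    ports: List[int]              # Port List


def port_decision(port: int, acls: List[ACL], pkt: Packet) -> str:
    """Return 'accept' or 'discard' for a packet arriving on `port`."""
    permit_hit = deny_hit = False
    for acl in acls:
        if port not in acl.ports:
            continue
        if any(c.matches(pkt) for c in acl.classifiers):
            if acl.action == "permit":
                permit_hit = True
            else:
                deny_hit = True
    if permit_hit:
        return "accept"           # a permit ACL overrides a deny ACL on the port
    if deny_hit:
        return "discard"
    return "accept"               # no ACL matched: the port accepts the packet


# Port 4: a single deny ACL for the 149.11.11.0 subnet.
acl_port4 = [ACL(4, "deny", [Classifier(22, src_net=net("149.11.11.0", "255.255.255.0"))], [4])]

# Ports 14 and 15: permit sources in 149.44.44.0, deny all other IP traffic.
acl_ports_14_15 = [
    ACL(11, "permit", [Classifier(11, src_net=net("149.44.44.0", "255.255.255.0"))], [14, 15]),
    ACL(17, "deny", [Classifier(17, protocol="IP")], [14, 15]),
]

# Port 17: permit ToS 6 traffic from 149.22.11.0 to 149.22.22.22. The two deny
# ACLs (all IP, all ARP) are constructed here to model the prohibition of all
# other IP traffic and of ARP.
acl_port17 = [
    ACL(4, "permit", [Classifier(6, src_net=net("149.22.11.0", "255.255.255.0"),
                                 dst_net=net("149.22.22.22", "255.255.255.255"), tos=6)], [17]),
    ACL(5, "deny", [Classifier(7, protocol="IP")], [17]),
    ACL(6, "deny", [Classifier(8, protocol="ARP")], [17]),
]


def ip(src: str, dst: str, tos: int = 0) -> Packet:
    """Constructed summary of an IP packet's header fields."""
    return {"protocol": "IP", "src": src, "dst": dst, "tos": tos}


ARP: Packet = {"protocol": "ARP"}     # constructed non-IP packet

if __name__ == "__main__":
    print(port_decision(4, acl_port4, ip("149.11.11.5", "10.0.0.1")))           # discard
    print(port_decision(14, acl_ports_14_15, ip("149.44.44.9", "10.0.0.1")))    # accept
    print(port_decision(17, acl_port17, ip("149.22.11.3", "149.22.22.22", 6)))  # accept
```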
Chapter 12
Class of Service

This chapter describes the Class of Service (CoS) feature.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations. A port may be forced to delay transmission of packets while it handles other traffic. Some packets destined to be forwarded to an oversubscribed port from other switch ports may be discarded.

Table 10. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues

IEEE 802.1p Priority Level   Port Priority Queue
0                            Q1
1                            Q0 (lowest)
2                            Q2
3                            Q3
4                            Q4
5                            Q5
6                            Q6
7                            Q7 (highest)

For example, when a tagged packet with a priority level of 3 enters a port on the switch, the packet is stored in the Q3 queue on the egress port.

Table 11. Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues (Continued)

IEEE 802.1p Priority Level   Port Priority Queue
6                            Q6
7                            Q7 (highest)

Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis.

Scheduling

A switch port needs a mechanism for knowing the order in which it should handle the packets in its eight egress queues. For example, if all the queues contain packets, should the port transmit all packets from Q7, the highest priority queue, before moving on to the other queues, or should it instead just do a few packets from each queue and, if so, how many? This control mechanism is called scheduling.

Table 12 shows an example.

Table 12. Example of Weighted Round Robin Priority

Port Egress Queue   Maximum Number of Packets
Q0 (lowest)         1
Q1                  1
Q2                  5
Q3                  5
Q4                  5
Q5                  5
Q6                  10
Q7                  15

In this example, the port transmits a maximum number of 15 packets from Q7 before moving to Q6, from where it transmits up to 10 packets, and so forth. For Q0 to Q6, the range of the maximum number of transmitted packets is 1 to 15.
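Tables 10 and 12 worked through in an added Python model (not part of the manual or the AT-S63 software): tagged packets are queued by the default 802.1p-to-queue mapping and then drained with the Table 12 weights, visiting Q7 down to Q0 in each round. The packet labels and counts in scenario() are constructed.

```python
"""Model of AT-9400 egress queueing and weighted round robin scheduling (Chapter 12).

Table 10 supplies the default IEEE 802.1p priority -> egress queue mapping and
Table 12 the maximum packets per queue per round. Packets are constructed labels.
"""
from collections import deque
from typing import Deque, Dict, List, Optional

# Table 10: default mapping of 802.1p priority level to egress queue.
# Note that priority 0 goes to Q1 and priority 1 to Q0 (the lowest queue).
DEFAULT_PRIORITY_TO_QUEUE: Dict[int, int] = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}

# Table 12: maximum packets transmitted from each queue per scheduling round.
TABLE12_WEIGHTS: Dict[int, int] = {0: 1, 1: 1, 2: 5, 3: 5, 4: 5, 5: 5, 6: 10, 7: 15}


class EgressPort:
    def __init__(self, mapping: Optional[Dict[int, int]] = None,
                 weights: Optional[Dict[int, int]] = None) -> None:
        self.mapping = dict(mapping or DEFAULT_PRIORITY_TO_QUEUE)
        self.weights = dict(weights or TABLE12_WEIGHTS)
        self.queues: List[Deque[str]] = [deque() for _ in range(8)]

    def enqueue(self, pkt_id: str, user_priority: int) -> int:
        """Place a tagged packet in the queue its 802.1p priority maps to; return the queue."""
        if not 0 <= user_priority <= 7:
            raise ValueError("802.1p User Priority is a 3-bit field (0-7)")
        q = self.mapping[user_priority]
        self.queues[q].append(pkt_id)
        return q

    def wrr_round(self) -> List[str]:
        """One round: visit Q7 down to Q0, sending at most `weight` packets from each."""
        sent: List[str] = []
        for q in range(7, -1, -1):
            for _ in range(self.weights[q]):
                if not self.queues[q]:
                    break                      # queue ran dry before its quota
                sent.append(self.queues[q].popleft())
        return sent

    def drain(self) -> List[List[str]]:
        """Run rounds until every queue is empty; return what each round sent."""
        rounds: List[List[str]] = []
        while any(self.queues):
            rounds.append(self.wrr_round())
        return rounds


def scenario() -> List[List[str]]:
    """Constructed burst: 20 priority-7, 12 priority-6, 3 priority-1, 2 priority-0 packets."""
    port = EgressPort()
    for i in range(20):
        port.enqueue(f"voip{i}", 7)            # -> Q7, 15 per round
    for i in range(12):
        port.enqueue(f"video{i}", 6)           # -> Q6, 10 per round
    for i in range(3):
        port.enqueue(f"bulk{i}", 1)            # -> Q0 (lowest), 1 per round
    for i in range(2):
        port.enqueue(f"untagged{i}", 0)        # -> Q1, 1 per round
    return port.drain()


if __name__ == "__main__":
    for n, sent in enumerate(scenario(), 1):
        print(f"round {n}: {len(sent)} packets, first {sent[0]}, last {sent[-1]}")
```

The lowest queue still gets one packet per round, so it is not starved the way a strict highest-queue-first scheduler would starve it.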
Table 13.
Chapter 13
Quality of Service

This chapter describes Quality of Service (QoS).

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

Quality of Service allows you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN in the same manner. Without QoS, every traffic type is equally likely to be dropped if a link becomes oversubscribed.

The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. A policy contains traffic classes, flow groups, and classifiers. Therefore, to configure QoS, you:
– Create classifiers to sort packets into traffic flows.

Classifiers

Classifiers identify a particular traffic flow, and range from general to specific. (See Chapter 10, “Classifiers” on page 109 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic classes, assigned to the same policy. A classifier should only be used once per policy. Traffic is matched in the order of classifiers.

Flow Groups

Flow groups group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers. After a flow group has been added to a traffic class it cannot be added to another traffic class. A traffic class may have many flow groups. Traffic is matched in the order of the flow groups.

Traffic Classes

Traffic classes are the central component of the QoS solution. They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be assigned to only one policy. Traffic classes consist of a set of QoS parameters and a group of QoS flow groups. Traffic can be prioritized, marked (IP TOS or DSCP field set), and bandwidth limited. Traffic is matched in the order of traffic class.

Policies

QoS policies consist of a collection of user defined traffic classes. A policy can be assigned to more than one port, but a port may only have one policy. Note that the switch can only perform error checking of parameters and parameter values for the policy and its traffic classes and flow groups when the policy is set on a port. QoS controls are applied to ingress traffic on ports.

QoS Policy Guidelines

Following is a list of QoS policy guidelines:
– A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results.
– A classifier may be used successfully in many different policies.
– A flow group must be assigned at least one classifier but may have many classifiers.

Packet Processing

You can use the switch’s QoS tools to perform any combination of the following functions on a packet flow:
– Limiting bandwidth
– Prioritizing packets to determine the level of precedence the switch will give to the packet for processing
– Replacing the VLAN tag User Priority to enable the next switch in the network to process the packet correctly
– Replacing the TOS precedence or DSCP value to enable the next switch in the network to process the pack

Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 10 on page 134. Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN tag User Priority of 0.

Replacing Priorities

The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, you need to replace one of two priority fields in the packet header:
– The User Priority field of the VLAN tag header.

DiffServ Domains

Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network or subnet that is managed as a single QoS unit. Packets are classified according to user-specified criteria at the edge of the network, divided into classes, and assigned the required class of service.

To use the QoS tool set to configure a DiffServ domain:

1. As packets come into the domain at edge switches, replace their DSCP value, if required.
   – Classify the packets according to the required characteristics. For available options, see Chapter 10, “Classifiers” on page 109.
   – Assign the classifiers to flow groups and the flow groups to traffic classes, with a different traffic class for each DiffServ code point grouping within the DiffServ domain.
Examples

The following examples demonstrate how to implement QoS in three situations:
– “Voice Applications,” next
– “Video Applications” on page 155
– “Critical Database” on page 157

Voice Applications

Voice applications typically require a small but consistent bandwidth. They are sensitive to latency (interpacket delay) and jitter (delivery delay). Voice applications can be set up to have the highest priority.

Policy 6

Create Classifier
01 - Classifier ID: ..... 22
02 - Description ....... VoIP flow
.
12 - Src IP Addr ....... 149.44.44.44
13 - Src IP Mask ......

Create Flow Group
1 - Flow Group ID ............. 14
2 - Description ................... VoIP
3 - DSCP Value .................
4 - Priority ....

Policy 11

Create Classifier
01 - Classifier ID: ..... 23
02 - Description ....... VoIP flow
.
14 - Dst IP Addr ....... 149.44.44.44
15 - Dst IP Mask .......

Create Flow Group

Video Applications

– Traffic Class - No action is taken by the traffic class, other than to specify the flow group. Traffic class has a priority setting you can use to override the priority level of packets, just as in a flow group. If you enter a priority value in both places, the setting in the flow group overrides the setting in the traffic class.
– Policy - Specifies the traffic class and the port to which the policy is to be assigned.

Policy 17

Create Classifier
01 - Classifier ID: ..... 16
02 - Desciption ......... Video flow
.
12 - Src IP Addr ....... 149.44.44.44
13 - Src IP Mask .......

Create Flow Group
1 - Flow Group ID ............. 41
2 - Description ................... Video
3 - DSCP Value .................

Policy 32

Create Classifier
01 - Classifier ID: ..... 42
02 - Desciption ......... Video flow
.
12 - Dst IP Addr ........ 149.44.44.44
13 - Dst IP Mask .......

Create Flow Group

packets so they leave containing the new level, you would change option 5, Remark Priority, to Yes.

Critical Database

– Traffic Class - The packet stream is assigned a maximum bandwidth of 5 Mbps. Bandwidth assignment can only be made at the traffic class level.
– Policy - Specifies the traffic class and the port where the policy is to be assigned.

Critical databases typically require a high bandwidth.

Policy Component Hierarchy

The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels—flow group, traffic class and policy.

Create Classifier
01 - Classifier ID: ..... 1
.
14 - Dst IP Addr ..... 149.11.11.0
15 - Dst IP Mask ..... 255.255.255.0

Create Classifier
01 - Classifier ID: ..... 2
.
14 - Dst IP Addr ..... 149.22.22.0
15 - Dst IP Addr ...... 255.255.255.0

Create Flow Group
1 - Flow Group ID ......... 1
.
3 - DSCP Value ............. 10
.
9 - Classifier List ............1,2

Create Traffic Class
1 - Traffic Class ID: ........ 1
.
5 - DSCP value ............. 30
.
Chapter 14
Denial of Service Defenses

This chapter explains the defense mechanisms in the management software that can protect your network against denial of service (DoS) attacks.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

The AT-S63 Management Software can help protect your network against the following types of denial of service attacks:
– SYN Flood Attack
– Smurf Attack
– Land Attack
– Teardrop Attack
– Ping of Death Attack
– IP Options Attack

The following sections describe each type of attack and the mechanism employed by the AT-S63 Management Software to protect your network.

SYN Flood Attack

In this type of attack, an attacker sends a large number of TCP connection requests (TCP SYN packets) with bogus source addresses to the victim. The victim responds with acknowledgements (SYN ACK packets), but because the original source addresses are bogus, the victim node does not receive any replies.

Smurf Attack

This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request that has the network’s IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.

Land Attack

In this attack, an attacker sends a bogus IP packet where the source and destination IP addresses are the same. This leaves the victim thinking that it is sending a message to itself. The most direct approach for defending against this form of attack is for the AT-S63 Management Software to check the source and destination IP addresses in the IP packets, searching for and discarding those with identical source and destination addresses.

2. If the source IP address is not local to the network, it discards the packet because it assumes that a packet with an IP address that is not local to the network should not be appearing on a port that is not an uplink port. This protects against the possibility of a Land attack originating from within your network.

3. If the source IP address is local to the network, the port forwards the packet to uplink port 1.

Teardrop Attack

An attacker sends an IP packet in several fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. Because of the bogus offset value, the victim is unable to reassemble the packet, possibly causing it to freeze operations. The defense mechanism for this type of attack has all ingress fragmented IP traffic received on a port sent to the switch’s CPU.

Ping of Death Attack

The attacker sends an oversized, fragmented ICMP Echo (Ping) request (greater than 65,535 bits) to the victim, which, if lacking a policy for handling oversized packets, may freeze. To defend against this form of attack, a switch port searches for the last fragment of a fragmented ICMP Echo (Ping) request and examines its offset to determine if the packet size is greater than 63,488 bits.

IP Options Attack

In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 Management Software does not distinguish between them. Rather, the defense mechanism counts the number of ingress IP packets containing IP options received on a port.
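Added Python checks that illustrate the Land, Ping of Death and IP Options defenses described above; they are not the switch's implementation or the manual's material. The IPv4 headers are constructed with struct; the cutoff of 65,535 bytes is the IPv4 maximum datagram length, used here as an assumption in place of the bit figures the manual gives, and the IP Options threshold is an assumed per-port count.

```python
"""Illustrative checks modelled on the Land, Ping of Death and IP Options
defenses of Chapter 14, run over constructed IPv4 headers (not captured
traffic and not the switch's implementation).
"""
import struct
from ipaddress import IPv4Address
from typing import Dict

IPV4_MAX_LEN = 65535   # assumption: largest legal IPv4 datagram, in bytes
ICMP = 1               # IP protocol number of ICMP
MF_FLAG = 0x2000       # "more fragments" bit of the flags/fragment-offset field
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def build_ipv4(src: str, dst: str, total_len: int = 40, frag_offset: int = 0,
               more_fragments: bool = False, proto: int = ICMP,
               options: bytes = b"") -> bytes:
    """Construct a header for the examples below."""
    ihl_words = 5 + (len(options) + 3) // 4               # header length in 32-bit words
    options = options.ljust((ihl_words - 5) * 4, b"\x00")
    flags_off = (MF_FLAG if more_fragments else 0) | (frag_offset // 8)
    return struct.pack(HDR, (4 << 4) | ihl_words, 0, total_len, 1, flags_off, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + options


def parse_ipv4(hdr: bytes) -> Dict[str, object]:
    """Decode the header fields the three defenses look at."""
    if len(hdr) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _id, flags_off, _ttl, proto, _ck, src, dst = struct.unpack(HDR, hdr[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "more_fragments": bool(flags_off & MF_FLAG),
        "frag_offset": (flags_off & 0x1FFF) * 8,          # offset field counts 8-byte units
        "protocol": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "has_options": ihl > 20,                          # anything beyond the fixed header
    }


def is_land(h: Dict[str, object]) -> bool:
    """Land defense: identical source and destination IP addresses."""
    return h["src"] == h["dst"]


def is_oversized_last_fragment(h: Dict[str, object]) -> bool:
    """Ping of Death defense: on the last fragment of an ICMP datagram, check
    whether offset plus this fragment's payload exceeds the maximum length."""
    if h["protocol"] != ICMP or h["more_fragments"] or h["frag_offset"] == 0:
        return False                                      # not a last fragment
    payload = h["total_len"] - h["ihl"]
    return h["frag_offset"] + payload > IPV4_MAX_LEN


class IpOptionsCounter:
    """IP Options defense: count option-bearing ingress packets per port and
    report when an assumed per-port threshold is exceeded."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.counts: Dict[int, int] = {}

    def observe(self, port: int, h: Dict[str, object]) -> bool:
        if not h["has_options"]:
            return False
        self.counts[port] = self.counts.get(port, 0) + 1
        return self.counts[port] > self.threshold


if __name__ == "__main__":
    same = parse_ipv4(build_ipv4("192.0.2.10", "192.0.2.10"))
    print("land:", is_land(same))                                              # True
    last = parse_ipv4(build_ipv4("192.0.2.10", "192.0.2.20", total_len=28, frag_offset=65528))
    print("oversized last fragment:", is_oversized_last_fragment(last))        # True
```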
AT-S63 Management Software Features Guide Mirroring Traffic The Land, Teardrop, Ping of Death, and IP Options defense mechanisms allow you to copy the examined traffic to a mirror port for further analysis with a data sniffer or analyzer. This feature differs slightly from port mirroring in that prior to an actual violation of a defense mechanism, only the packets examined by a defense mechanism, rather than all packets, are mirrored to the destination port.
Chapter 14: Denial of Service Defenses Denial of Service Defense Guidelines Below are guidelines to observe when using this feature: 172 A switch port can support more than one DoS defense at a time. The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.
Section III Snooping Protocols

The chapters in this section contain overview information on the snooping protocols.
Chapter 15: IGMP Snooping

This chapter explains the Internet Group Management Protocol (IGMP) snooping feature in the following sections:

– “Supported Platforms” on page 176
– “Overview” on page 177
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface
Overview

IPv4 routers use IGMP to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a multicast group responds to a query by sending a report.
Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance. The AT-9400 Switch maintains its list of multicast groups through an adjustable timeout value, which controls how frequently it expects to see reports from end nodes that want to remain members of multicast groups, and by processing leave requests.
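The membership list described above, modelled as an added Python example; it is not the AT-S63 implementation. Reports add a port to a group and restart its timer, leave requests remove it at once, entries that are not refreshed within the timeout age out, and a packet for a group with no known members falls back to flooding. The port numbers, timeout, router port and the event sequence are constructed; forwarding a known group to the router-facing port as well as to members is a design choice of this example.

```python
class IgmpSnoopingTable:
    """Per-group membership list built from reports, aged by a timeout and
    trimmed by leave requests (constructed model, not the AT-S63 code)."""

    def __init__(self, ports, timeout_s, router_port):
        self.ports = set(ports)
        self.timeout_s = timeout_s      # seconds a report keeps a port in a group
        self.router_port = router_port  # port the multicast router's queries arrive on
        self.groups = {}                # group address -> {port: expiry time}

    def report(self, group, port, now):
        """A membership report (re)starts the port's timer for that group."""
        self.groups.setdefault(group, {})[port] = now + self.timeout_s

    def leave(self, group, port):
        """A leave request removes the port from the group at once."""
        members = self.groups.get(group, {})
        members.pop(port, None)
        if not members:
            self.groups.pop(group, None)

    def expire(self, now):
        """Drop every port whose timer lapsed without a fresh report."""
        for group in list(self.groups):
            members = self.groups[group]
            for port, expiry in list(members.items()):
                if expiry <= now:
                    del members[port]
            if not members:
                del self.groups[group]

    def forward_ports(self, group, ingress_port, now):
        """Ports a packet for `group` goes out of. A group with no known members
        is flooded to every port except the ingress port, as without snooping;
        a known group goes only to its members and the router port."""
        self.expire(now)
        members = self.groups.get(group)
        out = self.ports if members is None else set(members) | {self.router_port}
        return sorted(out - {ingress_port})


def run_scenario():
    """Constructed sequence of reports, a leave and an idle period; returns the
    forwarding port list after each step."""
    table = IgmpSnoopingTable(ports=range(1, 9), timeout_s=260, router_port=1)
    group = "239.1.1.1"
    table.report(group, 3, now=0)
    table.report(group, 5, now=10)
    after_reports = table.forward_ports(group, ingress_port=1, now=20)
    table.leave(group, 3)
    after_leave = table.forward_ports(group, ingress_port=1, now=30)
    # Port 5 never reports again, so its timer lapses at 10 + 260 = 270.
    after_timeout = table.forward_ports(group, ingress_port=1, now=300)
    return after_reports, after_leave, after_timeout


if __name__ == "__main__":
    print(run_scenario())
```

The timeout is the adjustable value the text mentions: set it shorter than the router's query interval and hosts that do answer queries will still be dropped between reports, which is the failure mode to check for when tuning it.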
Chapter 16: MLD Snooping

This chapter explains Multicast Listener Discovery (MLD) snooping:

– “Supported Platforms” on page 180
– “Overview” on page 181
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from the following management interfaces:
– Command line interface
– Menus interface
Overview

MLD snooping performs the same function as IGMP snooping. The switch uses the feature to build multicast membership lists. It uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of the multicast groups. The difference between the two is that MLD snooping is for IPv6 and IGMP snooping for IPv4 environments. (For background information on IGMP snooping, refer to “Overview” on page 177.)
Chapter 17: RRP Snooping

This chapter explains RRP snooping and contains the following sections:

– “Supported Platforms” on page 184
– “Overview” on page 185
– “Guidelines” on page 186
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from the following management interfaces:
– Command line interface
– Menus interface
Overview

The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one as the master router. This router functions as the provider of the primary path between LAN segments. Slave routers function as backup paths in the event that the master router or primary path fails.
Guidelines

The following guidelines apply to the RRP snooping feature:

– The default setting for this feature is disabled.
– Activating the feature flushes all dynamic MAC addresses from the MAC address table.
– RRP snooping is supported on ports operating in the MAC address-based port security level of automatic. This feature is not supported on ports operating with a security level of limited, secured, or locked.
– RRP snooping is supported on port trunks.
Chapter 18: Ethernet Protection Switching Ring Snooping

This chapter has the following sections:

– “Supported Platforms” on page 188
– “Overview” on page 189
– “Restrictions” on page 191
– “Guidelines” on page 193
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– Not supported.

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature must be managed from the command line interface.
Overview

Ethernet Protection Switching Ring is a feature found on selected Allied Telesis products, such as the AT-8948 Series Gigabit Layer 3 Switches. It offers an effective alternative to spanning tree based options when using ring based topologies to create high speed resilient networks. EPSR consists of a master node and a number of transit nodes in a ring configuration.
After creating the VLANs, you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it receive EPSR messages on one of the two ports of the VLAN.
Restrictions

EPSR snooping has three important restrictions. All the restrictions are related to EPSR control messages and the fact that EPSR snooping cannot generate these messages. The AT-9400 Switch cannot fulfill the role of master node of a ring because EPSR snooping does not generate EPSR control messages. That function must be assigned to another Allied Telesis switch that supports EPSR, such as the AT-8948 Fast Ethernet Layer 3 Switch.
[Figure 17. Double Fault Condition in EPSR Snooping: an AT-8948 Switch as master node, with the AT-9400 Switch and another switch as transit nodes]

Now assume the link is reestablished between the switch and transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN to the AT-9400 Switch.
Guidelines

The guidelines to EPSR snooping are:

– The AT-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances.
– The AT-9400 Switch cannot be the master node of a ring.
– EPSR snooping does not support the transit node unsolicited method of fault notification.
– The switch must be operating in the user-configured VLAN mode to support the feature.
Section IV SNMPv3

The chapter in this section contains overview information on SNMPv3.

Chapter 19: SNMPv3

This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol.
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface
Overview

The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 3, “SNMPv1 and SNMPv2c” on page 65. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. In addition, SNMP terminology changes in the SNMPv3 protocol. In the SNMPv1 and SNMPv2c protocols, the terms agent and manager are used.
SNMPv3 Authentication Protocols

The SNMPv3 protocol supports two authentication protocols: HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both protocols use keys to perform authentication.
SNMPv3 Privacy Protocol

After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S63 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES protocol is the only encryption protocol supported. The DES privacy protocol requires the authentication protocol to be configured as either MD5 or SHA.
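How the USM authentication keys behind the two sections above are produced and used, as an added Python example (not AT-S63 code). It implements the RFC 3414 password-to-key routine, which turns a user's password into a key localized to one engine ID, and the 96-bit truncated HMAC that HMAC-MD5-96 and HMAC-SHA-96 place in msgAuthenticationParameters. The privacy password for DES is localized by the same routine. The engine ID and password are the worked values from RFC 3414 Appendix A.3; the message being tagged is constructed.

```python
import hashlib
import hmac

AUTH_TAG_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 keep the first 96 bits of the HMAC


def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password, then localize the
    result to one authoritative engine so each agent gets a different key."""
    stretched = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(key: bytes, message: bytes, algo: str) -> bytes:
    """The msgAuthenticationParameters value: full HMAC truncated to 12 bytes.
    In a real message the HMAC covers the whole message with this field
    already present and filled with 12 zero octets."""
    return hmac.new(key, message, algo).digest()[:AUTH_TAG_LEN]


def verify(key: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time comparison so a receiver does not leak matching prefixes."""
    return hmac.compare_digest(auth_tag(key, message, algo), tag)


# RFC 3414 Appendix A.3 worked values: password "maplesyrup", engine ID 00..02.
TEST_ENGINE_ID = bytes(11) + b"\x02"
TEST_PASSWORD = b"maplesyrup"


def demo():
    """Derive the MD5 and SHA keys, tag a constructed message, and show that
    a single flipped byte fails verification. Returns per-algorithm results."""
    msg = b"constructed SNMPv3 message with msgAuthenticationParameters zeroed"
    results = {}
    for algo in ("md5", "sha1"):
        auth_key = password_to_key(TEST_PASSWORD, TEST_ENGINE_ID, algo)
        tag = auth_tag(auth_key, msg, algo)
        tampered = bytes([msg[0] ^ 0x01]) + msg[1:]
        results[algo] = (auth_key.hex(),
                         verify(auth_key, msg, tag, algo),
                         verify(auth_key, tampered, tag, algo))
    return results


if __name__ == "__main__":
    for algo, (key_hex, ok, tampered_ok) in demo().items():
        print(algo, key_hex, "genuine:", ok, "tampered:", tampered_ok)
```

Because the key is localized to the engine ID, a key captured from one switch does not authenticate to another even when the same password was configured on both; that is the property to rely on when the same user name is reused across a fleet.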
SNMPv3 MIB Views

The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 18.
After you specify a MIB subtree view you have the option of further restricting a view by defining a subtree mask. The relationship between a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask. The switch uses the subnet mask to determine which portion of an IP address represents the network address and which portion represents the node address.
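The subtree-and-mask matching described above, as an added Python example (not AT-S63 code). It follows the RFC 3415 view-tree-family rules: each mask bit says whether the corresponding sub-identifier of the subtree must match, bits beyond the mask's end count as 1, and when several included or excluded families match an OID the most specific one decides. The "Operators" view it builds, the interface index and the OIDs looked up are constructed for the example.

```python
def oid(text):
    """Dotted OID string to a tuple of sub-identifiers."""
    return tuple(int(x) for x in text.split("."))


def mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the family mask, most significant bit first; bits beyond the
    end of the mask count as 1 (RFC 3415 convention), so an empty mask means
    every sub-identifier must match."""
    byte, bit = divmod(i, 8)
    if byte >= len(mask):
        return True
    return (mask[byte] >> (7 - bit)) & 1 == 1


def in_family(subtree, mask, target):
    """True if `target` lies under the family: it is at least as long as the
    subtree and agrees with it at every position whose mask bit is 1."""
    if len(target) < len(subtree):
        return False
    return all(not mask_bit(mask, i) or s == t
               for i, (s, t) in enumerate(zip(subtree, target)))


class MibView:
    """A list of included/excluded families; the most specific match wins."""

    def __init__(self):
        self.families = []  # (subtree tuple, mask bytes, included flag)

    def add(self, subtree, mask=b"", included=True):
        self.families.append((oid(subtree), mask, included))
        return self

    def allows(self, target):
        target = oid(target)
        matches = [f for f in self.families if in_family(f[0], f[1], target)]
        if not matches:
            return False
        # RFC 3415 precedence: most sub-identifiers, then lexicographically greatest mask.
        _subtree, _mask, included = max(matches, key=lambda f: (len(f[0]), f[1]))
        return included


def operators_view():
    """Constructed 'Operators' view: all of mib-2, minus the interface table,
    except every column of the row for interface index 3. The row family
    1.3.6.1.2.1.2.2.1.0.3 with mask FF A0 wildcards the 10th sub-identifier
    (the column) and pins the 11th (the interface index), just as a subnet
    mask picks which address bits must match."""
    return (MibView()
            .add("1.3.6.1.2.1")                                  # mib-2, included
            .add("1.3.6.1.2.1.2.2.1", included=False)            # ifEntry, excluded
            .add("1.3.6.1.2.1.2.2.1.0.3", mask=bytes.fromhex("ffa0")))


if __name__ == "__main__":
    view = operators_view()
    for name in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.10.2", "1.3.6.1.2.1.2.2.1.10.3"):
        print(name, view.allows(name))
```

The mask is what makes a per-row restriction possible: without it, a view can only include or exclude whole subtrees, so limiting an operator to one interface's counters would need one entry per column.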
SNMPv3 Storage Types

Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile storage, which allows you to save the table entry, or volatile storage, which does not allow you to save an entry. If you select the volatile storage type, when you power off the switch your SNMPv3 configuration is lost and cannot be recovered. At each SNMPv3 menu, you are prompted to configure a storage type.
SNMPv3 Message Notification

When you generate an SNMPv3 message from the switch, there are three basic pieces of information included in the message:

– The type of message
– The destination of the message
– SNMP security information

To configure the type of message, you need to define if you are sending a Trap or Inform message. Basically, the switch expects a response to an Inform message and the switch does not expect a response to a Trap message.
SNMPv3 Tables

The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration:

– Configure SNMPv3 User Table
– Configure SNMPv3 View Table
– Configure SNMPv3 Access Table
– Configure SNMPv3 SecurityToGroup Table

First, you create a user in the Configure SNMPv3 User Table.
– Configure SNMPv3 Notify Table
– Configure SNMPv3 Target Address Table
– Configure SNMPv3 Target Parameters Table

You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address that is used for notification in the Configure SNMPv3 Target Address Table. This is the IP address of the SNMPv3 host.
– “SNMPv3 Target Parameters Table” on page 209
– “SNMPv3 Community Table” on page 209

SNMPv3 User Table

The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
SNMPv3 Notify Table

The Configure SNMPv3 Notify Table menu allows you to define the type of message that is sent from the switch to the SNMP host. In addition, you have the option of defining the message type as either an Inform or a Trap message. The difference between these two types of messages is that when a switch sends an Inform message, the switch expects a response from the host.
SNMPv3 Configuration Example

You may want to have two classes of SNMPv3 users: Managers and Operators. In this scenario, you would configure one group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privileges only. For a detailed example of this configuration, see Appendix B, “SNMPv3 Configuration Examples” on page 475.
Section V Spanning Tree Protocols

The section has the following chapters:

– Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213
– Chapter 21, “Multiple Spanning Tree Protocol” on page 225

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols

This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP).
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface
Overview

The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that data loops pose is that data packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and can significantly reduce network performance.
Bridge Priority and the Root Bridge

The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network.
Path Costs and Port Costs

After the root bridge has been selected, the bridges determine if the network contains redundant paths and, if one is found, select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port.
Table 16 lists the STP port costs with Auto-Detect when a port is part of a port trunk.

Table 16. STP Auto-Detect Port Trunk Costs

Port Speed    Port Cost
10 Mbps       4
100 Mbps      4
1000 Mbps     2

Table 17 lists the RSTP port costs with Auto-Detect.

Table 17.
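The two steps described in "Bridge Priority and the Root Bridge" and "Path Costs and Port Costs", root bridge election followed by root-port selection by lowest root path cost, as an added Python example (not AT-S63 code). The three bridges, their priorities and MAC addresses are constructed; the link costs use the Table 16 trunk values. Ties on path cost are broken by the upstream bridge's ID, which is the next STP tie-breaker; port identifiers, the final tie-breaker, are not modelled.

```python
import heapq

# STP Auto-Detect port costs for trunked links from Table 16 (Mbps -> cost).
TRUNK_PORT_COST = {10: 4, 100: 4, 1000: 2}


def bridge_id(priority, mac):
    """Bridge ID ordering: the priority is compared first and the MAC address
    breaks ties, so a tuple compares exactly as the protocol does."""
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. The lowest bridge ID becomes root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_paths(root, bridges, links):
    """links: [(bridge_a, bridge_b, port cost)]. Returns {bridge: (root path
    cost, upstream bridge)}; each bridge's root port is the port toward its
    upstream bridge. Ties on cost go to the lower upstream bridge ID."""
    adjacent = {}
    for a, b, cost in links:
        adjacent.setdefault(a, []).append((b, cost))
        adjacent.setdefault(b, []).append((a, cost))
    # best[name] = ((root path cost, upstream bridge ID), upstream bridge name)
    best = {root: ((0, bridge_id(*bridges[root])), None)}
    heap = [(best[root][0], root)]
    while heap:
        key, node = heapq.heappop(heap)
        if key != best[node][0]:
            continue  # stale heap entry
        for neighbour, cost in adjacent.get(node, []):
            candidate = (key[0] + cost, bridge_id(*bridges[node]))
            if neighbour not in best or candidate < best[neighbour][0]:
                best[neighbour] = (candidate, node)
                heapq.heappush(heap, (candidate, neighbour))
    return {name: (entry[0][0], entry[1]) for name, entry in best.items()}


# Constructed topology: C has the lowest priority, so it wins despite the highest MAC.
BRIDGES = {
    "A": (32768, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (4096, "00:00:00:00:00:03"),
}
LINKS = [
    ("A", "C", TRUNK_PORT_COST[1000]),  # 1000 Mbps trunk, cost 2
    ("B", "C", TRUNK_PORT_COST[100]),   # 100 Mbps trunk, cost 4
    ("A", "B", TRUNK_PORT_COST[1000]),  # 1000 Mbps trunk, cost 2
]


def run_election():
    """Elect the root, then compute every bridge's root path cost and upstream."""
    root = elect_root(BRIDGES)
    return root, root_paths(root, BRIDGES, LINKS)


if __name__ == "__main__":
    print(run_election())
```

Bridge B reaches the root at cost 4 both directly and through A; the direct path wins because C's bridge ID is lower than A's, so B's root port is the one facing C and the A to B link ends up blocked on one side. Lowering a priority is therefore the way to decide the election deliberately rather than leaving it to the lowest MAC address.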
Table 19.
Forwarding Delay and Topology Changes

If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports. However, a change in a port state is not activated immediately. It might take time for the root bridge to notify all bridges that a topology change has occurred, especially if it is a large network.
seconds and the default is two seconds. Consequently, if the AT-9400 Switch is selected as the root bridge of a spanning tree domain, it transmits a BPDU every two seconds.

Point-to-Point and Edge Ports

Note: This section applies only to RSTP.

Part of the task of configuring RSTP is defining the port types on the bridge. This relates to the device(s) connected to the port.
[Figure: AT-9424T/SP Gigabit Ethernet Switch front panel showing an edge port]
Mixed STP and RSTP Networks

RSTP IEEE 802.1w is fully compliant with STP IEEE 802.1d. Your network can consist of bridges running both protocols. STP and RSTP in the same network can operate together to create a single spanning tree domain. If you decide to activate spanning tree on the switch, there is no reason not to activate RSTP on the AT-9400 Switch even when all other switches are running STP.
Spanning Tree and VLANs

The spanning tree implementation in the AT-S63 Management Software is a single-instance spanning tree. The switch supports just one spanning tree. You cannot define multiple spanning trees. The single spanning tree encompasses all ports on the switch. If the ports are divided into different VLANs, the spanning tree crosses the VLAN boundaries.
Chapter 21: Multiple Spanning Tree Protocol

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP).

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface
Overview

As mentioned in Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
Multiple Spanning Tree Instance (MSTI)

The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Switches. The switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch is shipped with a default MSTI with an MSTI ID of 0.
[Figure: two AT-9424T/SP Gigabit Ethernet Switches carrying a Sales VLAN and a Production VLAN, with one of the two links between them in the blocking state]
Figure 26 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 27 where there are two AT-9400 Switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines

Following are several guidelines to keep in mind about MSTIs:

– The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST.
– An MSTI can contain any number of VLANs.
– A VLAN can belong to only one MSTI at a time.
– A switch port can belong to more than one spanning tree instance at a time by being an untagged and tagged member of VLANs belonging to different MSTIs.
VLAN and MSTI Associations

Part of the task of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instance can contain any number of VLANs.
Ports in Multiple MSTIs

A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously, depending on the requirements of the MSTIs.
Multiple Spanning Tree Regions

Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. Those characteristics are:

– Configuration name
– Revision number
– VLANs
– VLAN to MSTI ID associations

A configuration name is a name assigned to a region to identify it. You must assign each bridge in a region exactly the same name; even the same upper and lowercase lettering.
Figure 28 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
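The region test described above, as an added Python example (not AT-S63 code). IEEE 802.1s bridges do not exchange their VLAN-to-MSTI tables; each advertises the configuration name, revision and an HMAC-MD5 digest of the table, computed with a key fixed by the standard, and two bridges are in one region only when all three agree. The four switch configurations are constructed; one differs only in the case of its name, one only in a single VLAN's instance, so both land outside the region.

```python
import hashlib
import hmac

# HMAC-MD5 signature key fixed by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_msti_table(associations):
    """The table the digest covers: 4096 two-byte entries, one per VID, each
    holding the MSTI ID. VLANs not listed stay in the CIST (MSTI ID 0)."""
    table = bytearray(4096 * 2)
    for vid, msti in associations.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def config_digest(associations):
    """16-byte digest carried in MSTP BPDUs in place of the full table."""
    return hmac.new(MST_DIGEST_KEY, vlan_to_msti_table(associations), hashlib.md5).digest()


def same_region(bridge_a, bridge_b):
    """Same region only if name (case included), revision and table all agree."""
    return (bridge_a["name"] == bridge_b["name"]
            and bridge_a["revision"] == bridge_b["revision"]
            and config_digest(bridge_a["associations"]) == config_digest(bridge_b["associations"]))


# Constructed configurations for four AT-9400-style bridges.
SWITCH_1 = {"name": "Region1", "revision": 1,
            "associations": {2: 1, 3: 1, 4: 2, 5: 2, 6: 2}}
SWITCH_2 = {"name": "Region1", "revision": 1,
            "associations": {6: 2, 5: 2, 4: 2, 3: 1, 2: 1}}   # same table, listed in another order
SWITCH_3 = {"name": "region1", "revision": 1,                # lowercase name
            "associations": SWITCH_1["associations"]}
SWITCH_4 = {"name": "Region1", "revision": 1,
            "associations": {2: 1, 3: 1, 4: 2, 5: 2, 6: 1}}   # VLAN 6 moved to MSTI 1


def region_report():
    """Which of the other switches share SWITCH_1's region."""
    return {name: same_region(SWITCH_1, other)
            for name, other in (("SWITCH_2", SWITCH_2),
                                ("SWITCH_3", SWITCH_3),
                                ("SWITCH_4", SWITCH_4))}


if __name__ == "__main__":
    print(config_digest(SWITCH_1["associations"]).hex())
    print(region_report())
```

A bridge whose digest differs is treated as a region boundary, so a single mistyped association silently splits the region and the affected VLANs then depend on the CIST alone; comparing the digest each switch reports is the quickest way to find the odd one out.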
The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region. Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must have a root bridge to locate physical loops within the spanning tree instance. An MSTI’s root bridge is called a regional root.
Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. Firstly, you cannot delete this instance and you cannot change its MSTI ID.
Summary of Guidelines

Careful planning is essential for the successful implementation of MSTP. This section reviews all the rules and guidelines mentioned in earlier sections, and contains a few new ones:

– The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST, at a time.
– An MSTI can contain any number of VLANs.
– A VLAN can belong to only one MSTI at a time.
Note: The AT-S63 MSTP implementation complies fully with the new IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementation.
Associating VLANs to MSTIs

Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state. The reason for this guideline is explained below. An MSTP BPDU contains the instance to which the port transmitting the packet belongs. By default, all ports belong to the CIST instance.
[Figure: Switch A transmits a BPDU packet from port 1 carrying instances CIST 0 and MSTI 10; the packet arrives on port 15 of the second AT-9424T/SP switch]
Connecting VLANs Across Different Regions

Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region. Unless planned properly, VLAN fragmentation can occur between the VLANs of your network. As mentioned previously, only the CIST can span regions. An MSTI cannot.
Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example.
Section VI Virtual LANs

The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Switch.

Chapter 22: Port-based and Tagged VLANs

This chapter contains overview information about port-based and tagged virtual LANs (VLANs).
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface
Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 Management Software and so be able to group nodes with related functions into their own separate, logical LAN segments.
Management Software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.
Port-based VLAN Overview

As explained in “Overview” on page 249, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
three AT-9400 Switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 Management Software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
Guidelines to Creating a Port-based VLAN

Below are the guidelines to creating a port-based VLAN.

– Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same VID.
– A port can be an untagged member of only one port-based VLAN at a time.

Drawbacks of Port-based VLANs
Port-based Example 1

Figure 32 illustrates an example of one AT-9424T/SP Gigabit Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.)

[Figure 32: one AT-9424T/SP Gigabit Ethernet Switch with the Sales VLAN (VID 2), Engineering VLAN (VID 3) and Production VLAN (VID 4), each connected to a WAN router]
In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.

Port-based Example 2

Figure 33 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two AT-9400 Gigabit Ethernet Switches.
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:

                             Sales VLAN (VID 2)           Engineering VLAN (VID 3)       Production VLAN (VID 4)
AT-9424T/SP Switch (top)     Ports 1 - 6 (PVID 2)         Ports 9 - 13 (PVID 3)          Ports 17, 19 - 21 (PVID 4)
AT-9424T/GB Switch (bottom)  Ports 2 - 4, 6, 8 (PVID 2)   Ports 16, 18 - 20, 22 (PVID 3) none

Sales VLAN - This VLAN spans both switches.
Tagged VLAN Overview

The second type of VLAN supported by the AT-S63 Management Software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
Port VLAN Identifier

Note: For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 251 and “VLAN Identifier” on page 251.

Tagged and Untagged Ports

You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
Tagged VLAN Example

Figure 34 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

[Figure 34: AT-9424T/SP Gigabit Ethernet Switch with the Sales VLAN (VID 2), Engineering VLAN (VID 3) and Production VLAN (VID 4), a Legacy Server, and an IEEE 802.1Q-based link to a second switch]
The port assignments for the VLANs are as follows:

                             Sales VLAN (VID 2)                  Engineering VLAN (VID 3)               Production VLAN (VID 4)
                             Untagged Ports      Tagged Ports    Untagged Ports         Tagged Ports    Untagged Ports         Tagged Ports
AT-9424T/SP Switch (top)     1, 3 to 5 (PVID 2)  2, 10           9, 11 to 13 (PVID 3)   2, 10           17, 19 to 21 (PVID 4)  2
AT-9424T/GB Switch (bottom)  2, 4, 6, 8 (PVID 2) 9               16, 18, 20, 22 (PVID 3) 9              none                   none

This example is nearly identical to the “Port-based Exam
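The ingress and egress rules that the tagged VLAN example relies on, as an added Python example (not AT-S63 code). An untagged frame is classified by the ingress port's PVID, a tagged frame by the VID in its 802.1Q tag and only if the port is a member of that VLAN; on egress the frame leaves untagged on untagged member ports and tagged on tagged member ports. The VLAN table is the top AT-9424T/SP switch's assignments from the table above; the frames are constructed, and a port with no untagged VLAN in the example (such as the tagged-only port 2) is treated here as having no PVID, which ignores the Default_VLAN the example leaves out.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# VID -> (untagged member ports, tagged member ports): the top switch in the example.
VLANS = {
    2: ({1, 3, 4, 5}, {2, 10}),        # Sales
    3: ({9, 11, 12, 13}, {2, 10}),     # Engineering
    4: ({17, 19, 20, 21}, {2}),        # Production
}
# A port's PVID is the VLAN it is an untagged member of.
PVID = {port: vid for vid, (untagged, _) in VLANS.items() for port in untagged}


def build_frame(dst, src, vid=None, payload=b"\x00" * 46):
    """Constructed Ethernet frame; with `vid` an 802.1Q tag (priority 0, CFI 0)
    is inserted between the source address and the EtherType."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, rest). A tag is present only when the
    EtherType position holds the 802.1Q TPID; the VID is the low 12 TCI bits."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]
    return dst, src, None, frame[12:]


def classify(ingress_port, frame):
    """Ingress VLAN for the frame, or None if it must be dropped."""
    _, _, vid, _ = parse_frame(frame)
    if vid is None:
        return PVID.get(ingress_port)           # untagged: the port's PVID decides
    untagged, tagged = VLANS.get(vid, (set(), set()))
    return vid if ingress_port in untagged | tagged else None


def egress(ingress_port, frame):
    """Flooding within the ingress VLAN: (ports that send the frame untagged,
    ports that send it tagged), never back out of the ingress port."""
    vid = classify(ingress_port, frame)
    if vid is None:
        return set(), set()
    untagged, tagged = VLANS[vid]
    return untagged - {ingress_port}, tagged - {ingress_port}


if __name__ == "__main__":
    sales_pc = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55")
    print("untagged on port 1 ->", egress(1, sales_pc))
    trunk = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x66", vid=3)
    print("tagged VID 3 on port 2 ->", egress(2, trunk))
```

The last case in the test, a frame tagged VID 4 arriving on port 10, is dropped because port 10 is a tagged member of the Sales and Engineering VLANs only; that membership check on ingress is what keeps a tag from granting access to a VLAN the port was never assigned to.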
Chapter 23: GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections:

– “Supported Platforms” on page 262
– “Overview” on page 263
– “Guidelines” on page 266
– “GVRP and Network Security” on page 267
– “GVRP-inactive Intermediate Switches” on page 268
– “Generic Attribute Registration Protocol (GARP) Overview” on page 269
Chapter 23: GARP VLAN Registration Protocol Supported Platforms This feature is supported on the following AT-9400 Switches: Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module – Not supported This feature can be managed from all three management interfaces: 262 Command line interface Menus interface Web bro
AT-S63 Management Software Features Guide Overview The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
Chapter 23: GARP VLAN Registration Protocol Figure 35 provides an example of how GVRP works.
AT-S63 Management Software Features Guide as an tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made. 5. Switch #3 sends a PDU out port 4 to switch #2. 6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN. There is now a communications path for the end nodes of the Sales VLAN on switches #1 and #3.
Chapter 23: GARP VLAN Registration Protocol Guidelines Following are guidelines to observe when using this feature: 266 GVRP is supported with STP and RSTP, or without spanning tree. GVRP is not supported with MSTP. GVRP is supported when the switch is operating in the tagged VLAN mode, which is the VLAN mode for creating your own tagged and portbased VLANs. GVRP is not supported when the switch is operating in either of the multiple VLAN modes.
AT-S63 Management Software Features Guide GVRP and Network Security GVRP should be used with caution because it can expose your network to unauthorized access. A network intruder can access to restricted parts of the network by connecting to a switch port running GVRP and transmitting a bogus GVRP PDU containing VIDs of restricted VLANs. GVRP would make the switch port a member of the VLANs and that could give the intruder access to restricted areas of your network.
Chapter 23: GARP VLAN Registration Protocol GVRP-inactive Intermediate Switches If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs that it receives from the GVRP-active switches. GVRP PDUs are management frames, intended for a switch’s CPU.
AT-S63 Management Software Features Guide Generic Attribute Registration Protocol (GARP) Overview The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example end stations and switches, can register and deregister attribute values, such as VLAN Identifiers, with each other.
Chapter 23: GARP VLAN Registration Protocol GARP architecture is shown in Figure 36. Switch GARP Participant GARP Participant GARP Application GARP Application GIP MAC Layer: Port 1 GARP PDUs GID LLC GARP PDUs LLC GARP PDUs GARP PDUs GID MAC Layer: Port 2 Figure 36.
AT-S63 Management Software Features Guide GID Attribute ... state: Attribute C state: Attribute B state: Attribute A state: Applicant State Registrar State Figure 37. GID Architecture GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message.
Chapter 23: GARP VLAN Registration Protocol To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges. To control the registrar state machine, a registrar administrative control parameter is provided.
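The Python below is an added example, not code from the guide or from Allied Telesis, that models the registrar side of GVRP as the chapter describes it: a JoinIn or JoinEmpty for a VID makes the receiving port a tagged dynamic member of that VLAN, a second join for a VLAN the port already belongs to changes nothing (step 6 in Figure 35), and an audit list records every dynamic registration so the exposure discussed under “GVRP and Network Security” can be reviewed against the VLANs an operator expects on that port. The three registrar administrative control values (Normal, Fixed, Forbidden) are the ones IEEE 802.1D defines for GARP; that the AT-S63 parameter named above exposes the same values is an assumption, and the immediate effect of a Leave (real GARP starts a leave timer) is a simplification.

```python
from dataclasses import dataclass, field

# Registrar administrative control values as defined for GARP in IEEE 802.1D.
# Assumption: the AT-S63 registrar administrative control parameter offers
# these same three values; the page does not list them.
NORMAL, FIXED, FORBIDDEN = "normal", "fixed", "forbidden"
MESSAGES = ("JoinIn", "JoinEmpty", "Leave", "LeaveAll")


@dataclass
class GvrpPort:
    port: int
    admin_control: str = NORMAL
    static_vids: set = field(default_factory=set)    # VLANs configured by the operator
    dynamic_vids: set = field(default_factory=set)   # VLANs registered from GVRP PDUs
    audit: list = field(default_factory=list)        # (event, port, vid) for review

    def receive(self, message: str, vid: int) -> None:
        """Apply one GARP message received on this port to the registrar for vid."""
        if message not in MESSAGES:
            raise ValueError(f"unknown GARP message {message!r}")
        if self.admin_control == FIXED:
            return                                    # membership fixed by configuration
        if message in ("JoinIn", "JoinEmpty"):
            if self.admin_control == FORBIDDEN:
                self.audit.append(("refused", self.port, vid))
                return
            if vid in self.static_vids or vid in self.dynamic_vids:
                return                                # already a member: no change is made
            self.dynamic_vids.add(vid)                # port becomes a tagged dynamic member
            self.audit.append(("registered", self.port, vid))
        elif message == "Leave":
            if vid in self.dynamic_vids:              # simplification: no leave timer
                self.dynamic_vids.remove(vid)
                self.audit.append(("deregistered", self.port, vid))
        else:  # LeaveAll withdraws every dynamic registration on the port
            for v in sorted(self.dynamic_vids):
                self.audit.append(("deregistered", self.port, v))
            self.dynamic_vids.clear()

    def members(self) -> set:
        return self.static_vids | self.dynamic_vids


def unexpected_registrations(port: GvrpPort, expected_vids: set) -> list:
    """Dynamic registrations of VIDs outside the set an operator expects on this port.

    A PDU that carries the VIDs of restricted VLANs, as described under
    GVRP and Network Security, shows up in this list.
    """
    return [(p, v) for event, p, v in port.audit
            if event == "registered" and v not in expected_vids]


def demo():
    # Switch #2, port 3 of Figure 35: learns GVRP_VLAN_11 from switch #3.
    port3 = GvrpPort(3)
    port3.receive("JoinIn", 11)
    port3.receive("JoinIn", 11)          # repeated join for the same VID: no change
    port3.receive("JoinEmpty", 2)        # a VID nobody planned for this port
    # A port whose registrar is set to Forbidden never gains dynamic membership.
    edge = GvrpPort(7, admin_control=FORBIDDEN, static_vids={1})
    edge.receive("JoinIn", 11)
    return port3, edge


if __name__ == "__main__":
    p3, edge = demo()
    print(p3.members(), unexpected_registrations(p3, {11}), edge.audit)
```

The audit list is the practical takeaway: on a switch where GVRP must stay enabled, comparing dynamic registrations against the expected VIDs per port is how the membership change the security section warns about becomes visible.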
Chapter 24
Multiple VLAN Modes

This chapter describes the multiple VLAN modes. This chapter contains the following sections:

“Supported Platforms” on page 274
“Overview” on page 275
“802.1Q-Compliant Multiple VLAN Mode” on page 276
“Non-802.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
Command line interface
Menus interface
Web browser interfa

Overview

The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are only allowed to forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing access to the uplink port.

802.1Q-Compliant Multiple VLAN Mode

In this mode, each port is placed into a separate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numbers. For example, the VLAN for port 4 is named Client_VLAN_4 and is given the VID of 4, the VLAN for port 5 is named Client_VLAN_5 and has a VID of 5, and so on. The VLAN configuration is accomplished automatically by the switch. After you select the mode and an uplink port, the switch forms the VLANs.

Table 20. 802.

Non-802.1Q Compliant Multiple VLAN Mode

Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. To establish traffic isolation, it uses port mapping. The result, however, is the same. Ports are permitted to forward traffic only to the designated uplink port and to no other port, even when they receive a broadcast packet.
Chapter 25
Protected Ports VLANs

This chapter explains protected ports VLANs.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from the following management interfaces:
Command line interface
Menus interface

Overview

The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter, but it offers several advantages. One is that it provides more flexibility. With the multiple VLAN modes, you can select only one uplink port which is shared by all the other ports.

To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is that you must assign the ports of the VLAN to their respective groups. Following is an example of a protected ports VLAN.

Guidelines

Following are the guidelines for implementing protected ports VLANs:

A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a port-based or tagged VLAN instead.
A protected ports VLAN can contain any number of groups.
A group can contain any number of ports.
The ports of a group can be tagged or untagged.
Chapter 26
MAC Address-based VLANs

This chapter contains overview information about MAC address-based VLANs.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
Not supported.

Overview

As explained in “Overview” on page 249, VLANs are a means for creating independent LAN segments within a network and are typically employed to improve network performance and security. The AT-S63 Management Software offers several different types of VLANs, including port-based, tagged, and protected ports.

Egress Ports

Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports on the switch for the packets from the nodes. The egress ports define the limits of flooding of packets when a port receives a unicast packet with an unknown destination address (that is, an address that has not been learned by the MAC address table).

The community characteristic of egress ports relieves you from having to map each address to its corresponding egress port. You only need to be sure that all egress ports in a MAC address-based VLAN are represented at least once by being assigned to at least one address. It is also important to note that a MAC address must be assigned at least one egress port to be considered a member of a MAC address-based VLAN.

If security is a major concern for your network, you might not want to assign a port as an egress port to more than one VLAN when planning your MAC address-based VLANs.

VLANs That Span Switches

To create a MAC address-based VLAN that spans switches, you must replicate the MAC addresses of the VLAN nodes on all the switches where the VLAN exists. The same MAC address-based VLAN on different switches must have the same list of MAC addresses. Figure 38 illustrates an example of a MAC address-based VLAN that spans two AT-9400 Switches. The VLAN consists of three nodes on each switch.

Table 23.

VLAN Hierarchy

The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egress port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN. (A port can be a member of both types of VLANs at the same time.) The rule is that a MAC address-based VLAN takes precedence over a port-based VLAN.

Steps to Creating a MAC Address-based VLAN

Here are the three main steps to creating a MAC address-based VLAN:
1. Assign the VLAN a name and a VID. You must also set the VLAN type to MAC Based.
2. Assign the MAC addresses to the VLAN.
3. Add the egress ports to the MAC addresses.
The steps must be performed in this order.
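As an added example (not code from the guide or from Allied Telesis), the Python below puts the egress-port rules, the VLAN hierarchy and the three creation steps together: an address becomes a member only once it has at least one egress port, the VLAN's egress ports are the union of the ports assigned to any of its addresses (the community characteristic), an untagged packet whose source is a member arriving on one of those ports is classified into the MAC address-based VLAN ahead of the port-based VLAN, and unknown-unicast flooding stays within the egress ports. A final check lists ports that serve as an egress port of more than one MAC address-based VLAN, the situation the egress-port section advises against where security matters. VLAN names, VIDs, ports and MAC addresses are constructed.

```python
class MacBasedVlan:
    """Step 1 gives the VLAN a name and VID; steps 2 and 3 add addresses and egress ports."""

    def __init__(self, name: str, vid: int):
        self.name = name
        self.vid = vid
        self.egress = {}                  # mac -> set of egress ports assigned to it

    def add_address(self, mac: str, ports=()):
        self.egress.setdefault(mac.lower(), set()).update(ports)

    def members(self) -> set:
        # An address counts as a member only once it has at least one egress port.
        return {mac for mac, ports in self.egress.items() if ports}

    def egress_ports(self) -> set:
        # Egress ports are shared by every address in the VLAN, so the VLAN's
        # egress set is the union of the ports assigned to any address.
        return set().union(*self.egress.values()) if self.egress else set()


class Classifier:
    def __init__(self, mac_vlans, port_vlans):
        self.mac_vlans = mac_vlans
        # port_vlans: {port: VID of the port-based VLAN the port is an untagged member of}
        self.port_vlans = port_vlans

    def classify_untagged(self, in_port: int, src_mac: str):
        """VLAN hierarchy: a MAC address-based VLAN takes precedence over a port-based VLAN."""
        src_mac = src_mac.lower()
        for vlan in self.mac_vlans:
            if src_mac in vlan.members() and in_port in vlan.egress_ports():
                return vlan.vid
        return self.port_vlans.get(in_port)

    def flood_ports(self, vid: int, in_port: int) -> set:
        """Ports an unknown-destination unicast is flooded to, limited to the egress ports."""
        for vlan in self.mac_vlans:
            if vlan.vid == vid:
                return vlan.egress_ports() - {in_port}
        return {p for p, v in self.port_vlans.items() if v == vid} - {in_port}


def shared_egress_ports(mac_vlans) -> dict:
    """Ports assigned as an egress port to more than one MAC address-based VLAN."""
    seen = {}
    for vlan in mac_vlans:
        for port in vlan.egress_ports():
            seen.setdefault(port, set()).add(vlan.vid)
    return {p: vids for p, vids in seen.items() if len(vids) > 1}


def demo():
    # Constructed sample: two MAC address-based VLANs sharing uplink port 24, on a
    # switch whose ports 1 to 4 are also untagged members of port-based VLAN 5.
    eng = MacBasedVlan("Engineering", 10)
    eng.add_address("00:a0:d2:00:00:01", {1, 24})
    eng.add_address("00:a0:d2:00:00:02", {2})
    eng.add_address("00:a0:d2:00:00:03")           # no egress port yet: not a member
    sales = MacBasedVlan("Sales", 20)
    sales.add_address("00:a0:d2:00:00:10", {3, 24})
    clf = Classifier([eng, sales], port_vlans={1: 5, 2: 5, 3: 5, 4: 5})
    return eng, sales, clf


if __name__ == "__main__":
    eng, sales, clf = demo()
    print(clf.classify_untagged(1, "00:a0:d2:00:00:01"), shared_egress_ports([eng, sales]))
```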
Guidelines

Follow these guidelines when implementing a MAC address-based VLAN:

MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP switches.
The switch can support up to a total of 4094 port-based, tagged, protected ports, and MAC address-based VLANs.
The source nodes of this type of VLAN must send only untagged packets. A MAC address-based VLAN does not support tagged packets.
Egress ports cannot be part of a static or LACP trunk.
Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs.
Ports 49 and 50 on the AT-9448Ts/XP switch cannot be designated as egress ports of a MAC address-based VLAN.
Section VII
Routing

This section has the following chapters:

Chapter 27, “Internet Protocol Version 4 Packet Routing” on page 299
Chapter 28, “BOOTP Relay Agent” on page 331
Chapter 29, “Virtual Router Redundancy Protocol” on page 337

Section VII: Internet Protocol Routing
Chapter 27
Internet Protocol Version 4 Packet Routing

This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic Layer 3 Switches. The chapter covers routing interfaces, static routes, and the Routing Information Protocol (RIP) versions 1 and 2.

Supported Platforms

This feature is supported on the following switches:

Layer 2+ Models
– Not supported

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

Note
You can create one routing interface on the Layer 2+ models and a stack of Basic Layer 3 switches to serve as the IP configuration for the device.

Overview

This section contains an overview of the IPv4 routing feature on the AT-9400 Switch. It begins with an explanation of the following available routing methods:

Routing interfaces
Static routes
RIP version 1 and 2

A routing interface is a logical connection to a local network or subnet for the purpose of routing IPv4 packets.

At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example” on page 324 and “Non-routing Command Example” on page 328.

Routing Interfaces

The IPv4 packet routing feature on the switch is built on the foundation of the routing interface. An interface functions as a logical connection to a subnet that allows the egress and ingress of IPv4 packets to the subnet from other local and remote networks, subnets, and nodes. Interfaces are an independent routing function. They are not dependent on static routes or RIP to pass IPv4 traffic among themselves on a switch.

Note
Routing interfaces can be configured from either the command line interface or the menus interface.

The following subsections describe the three main components of a routing interface:

VLAN ID (VID)
Interface number
IP address and subnet mask

VLAN ID (VID)

An interface must be assigned to the VLAN on the switch where its network or subnet resides. The VLAN is identified by its VLAN identification (VID) number or VLAN name.

the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resided in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server. However, if the four subnets share the same VLAN, only one interface can obtain its IP address from a DHCP or BOOTP server. The other three must be configured manually.

Interface Names

Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an interface number, separated by a dash. The VLAN is designated by “vlan” followed by the VLAN identification number (VID) or the VLAN name. Here are several examples.
Static Routes

In order for the switch to route an IPv4 packet to a remote network or subnet, there must be a route to the destination in the routing table of the switch. The route must consist of the IP address of the remote destination and the IP address of the next hop to reaching the destination. One type of route to a remote destination is referred to as a static route. You create static routes by manually entering them into the routing table.

destination. The range for the preference parameter is 0 to 65535. The lower the value, the higher the preference. The default value for a static route is 60. The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE.

Note
The command line interface is the only management interface in the AT-S63 Management Software that supports static routes. Static routes are not supported from the menus and web browser interfaces.

Routing Information Protocol (RIP)

A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its neighboring routers in the network with the Routing Information Protocol (RIP) versions 1 and 2. RIP is a fairly simple distance vector routing protocol that defines networks based on how many hops they are from the switch, just as with static routes.

their tables.

Note
A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does not support encrypted RIP passwords.

The switch broadcasts its routing table every thirty seconds from those interfaces that have RIP. This interval is not adjustable on the switch. The entire table is sent with the following exceptions:

Dynamic RIP routes that fall under the split horizon rule.
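The note above is worth seeing on the wire. The Python below is an added example, not code from the guide or from Allied Telesis: it builds a constructed RIP version 2 response in the RFC 2453 layout (a 4-byte header followed by 20-byte entries, where an entry with address family 0xFFFF carries authentication and type 2 is the simple password), parses it back, and reports what a network monitor would flag, including that the password is readable by anyone capturing the broadcast. The password, networks, next hops and metrics are constructed values.

```python
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION_2 = 2
AUTH_AFI = 0xFFFF            # address family value that marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2     # RIPv2 simple (plaintext) password authentication
RIP_INFINITY = 16            # a metric of 16 means the network is unreachable


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_ripv2_response(password, routes) -> bytes:
    """Constructed RIPv2 response; password is None for an unauthenticated packet."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0)
    if password is not None:
        pkt += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE_PASSWORD, password.ljust(16, b"\x00"))
    for net, mask, nexthop, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", 2, 0, _ip(net), _ip(mask), _ip(nexthop), metric)
    return pkt


def parse_ripv2(pkt: bytes) -> dict:
    """Decode the header, the authentication entry (if any) and the route entries."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("RIP packet length must be 4 + n*20 bytes")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    out = {"command": command, "version": version, "auth": None, "routes": []}
    for off in range(4, len(pkt), 20):
        (afi,) = struct.unpack("!H", pkt[off:off + 2])
        if afi == AUTH_AFI and off == 4:          # authentication must be the first entry
            (auth_type,) = struct.unpack("!H", pkt[off + 2:off + 4])
            data = pkt[off + 4:off + 20]
            out["auth"] = {"type": auth_type,
                           "password": data.rstrip(b"\x00") if auth_type == AUTH_SIMPLE_PASSWORD else None}
        else:
            _tag, net, mask, nexthop, metric = struct.unpack("!H4s4s4sI", pkt[off + 2:off + 20])
            out["routes"].append({"network": str(ipaddress.IPv4Address(net)),
                                  "mask": str(ipaddress.IPv4Address(mask)),
                                  "nexthop": str(ipaddress.IPv4Address(nexthop)),
                                  "metric": metric})
    return out


def audit_ripv2(pkt: bytes) -> list:
    """Findings a monitor would raise for one captured RIPv2 packet."""
    parsed = parse_ripv2(pkt)
    findings = []
    auth = parsed["auth"]
    if auth is None:
        findings.append("no authentication: any host on the segment can inject routes")
    elif auth["type"] == AUTH_SIMPLE_PASSWORD:
        findings.append("plaintext password readable on the wire")
    for r in parsed["routes"]:
        if r["metric"] >= RIP_INFINITY:
            findings.append(f"{r['network']} advertised unreachable (metric {r['metric']})")
    return findings


# Constructed capture: a password-protected update with one good and one withdrawn route.
SAMPLE = build_ripv2_response(b"s3cret", [
    ("10.20.30.0", "255.255.255.0", "0.0.0.0", 2),
    ("10.99.0.0", "255.255.0.0", "0.0.0.0", RIP_INFINITY),
])

if __name__ == "__main__":
    print(parse_ripv2(SAMPLE)["auth"], audit_ripv2(SAMPLE))
```

Because the AT-S63 sends its table as a broadcast every thirty seconds, a monitor on the segment sees this packet repeatedly; the password entry is the same bytes each time, which is exactly why the guide's note matters.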
Default Routes

A default route is used when the switch cannot find a route in its routing table for a packet that needs to be forwarded to a remote destination. Rather than discard the packet, the switch sends it to the next hop specified in the default route. A default route has a destination IP address of 0.0.0.0 and no subnet mask. A default route can be entered manually in the form of a static route or learned dynamically through RIP.

Equal-cost Multi-path (ECMP) Routing

The routing table uses ECMP to store multiple routes to a remote destination so that the switch can distribute the traffic load over several routes. This can improve network performance by increasing the available bandwidth for traffic flows. It can also provide route redundancy. The routing table permits up to 32 routes to the same remote destination, with up to eight of the routes active at one time.

ECMP also applies to default routes. This enables the switch to store up to 32 default routes with up to eight of the routes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s ability to store multiple routes to the same destination in its routing table. Rather, it controls how many of the available routes the switch uses to route packets to the same remote destination.

Routing Table

The switch maintains its routing information in a table of routes that tells the switch how to find a local or remote destination. Each route is uniquely identified in the table by its IP address, network mask, next hop, protocol, and routing interface.
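The Python below is an added example (not code from the guide or from Allied Telesis) that ties together the static-route, default-route, ECMP and routing-table sections: a route is keyed by destination, mask, next hop, protocol and interface; the preference parameter runs 0 to 65535 with lower values preferred and 60 as the static default; a default route has destination 0.0.0.0 and no mask; up to 32 routes to one destination are stored and, when ECMP is enabled, up to eight of them carry traffic, while disabling ECMP leaves one in use. The interface names and addresses are constructed (the next hop 149.44.55.6 is the one used in the chapter's example), and the preference assigned to the RIP route and the use of longest prefix match to choose among routes of different lengths are my assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    # A route is uniquely identified by destination, mask, next hop, protocol and interface.
    dest: str
    mask: str                 # "0.0.0.0" stands in for the default route's missing mask
    nexthop: str
    protocol: str             # "static" or "rip"
    interface: str            # routing interface name, e.g. "vlan2-0" (constructed)
    preference: int = 60      # 0..65535, lower is preferred; 60 is the static default

    def __post_init__(self):
        if not 0 <= self.preference <= 65535:
            raise ValueError("preference must be 0 to 65535")

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.dest}/{self.mask}", strict=False)


class RoutingTable:
    MAX_ROUTES_PER_DEST = 32   # routes the table stores to one destination
    MAX_ACTIVE = 8             # routes used at one time when ECMP is enabled

    def __init__(self, ecmp_enabled: bool = True):
        self.routes = set()
        self.ecmp_enabled = ecmp_enabled

    def add(self, route: Route) -> None:
        if route in self.routes:
            raise ValueError("duplicate route")
        same_dest = [r for r in self.routes if r.network() == route.network()]
        if len(same_dest) >= self.MAX_ROUTES_PER_DEST:
            raise ValueError("32 routes to this destination already stored")
        self.routes.add(route)

    def lookup(self, dst_ip: str) -> list:
        """Next hops used for dst_ip: longest prefix first, then lowest preference value."""
        ip = ipaddress.IPv4Address(dst_ip)
        candidates = [r for r in self.routes if ip in r.network()]
        if not candidates:
            return []                                  # no route and no default route
        longest = max(r.network().prefixlen for r in candidates)
        candidates = [r for r in candidates if r.network().prefixlen == longest]
        best = min(r.preference for r in candidates)
        equal = sorted((r for r in candidates if r.preference == best),
                       key=lambda r: ipaddress.IPv4Address(r.nexthop))
        # ECMP status only controls how many of the stored equal routes carry traffic.
        limit = self.MAX_ACTIVE if self.ecmp_enabled else 1
        return [r.nexthop for r in equal[:limit]]


def demo() -> RoutingTable:
    table = RoutingTable()
    table.add(Route("0.0.0.0", "0.0.0.0", "149.44.55.6", "static", "vlan2-0"))      # default route
    table.add(Route("10.20.0.0", "255.255.0.0", "149.44.55.7", "static", "vlan2-0"))
    table.add(Route("10.20.30.0", "255.255.255.0", "149.44.56.2", "rip", "vlan3-0", preference=100))
    table.add(Route("10.20.30.0", "255.255.255.0", "149.44.56.3", "static", "vlan3-0"))
    table.add(Route("10.20.30.0", "255.255.255.0", "149.44.56.4", "static", "vlan3-0"))
    return table


if __name__ == "__main__":
    t = demo()
    print(t.lookup("10.20.30.9"), t.lookup("8.8.8.8"))
```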
Address Resolution Protocol (ARP) Table

The switch maintains an ARP table of IP addresses and the matching Ethernet MAC addresses. It refers to the table when routing packets to determine the destination MAC addresses of the nodes, as well as interfaces and ports from where the nodes are reached. The ARP table can store both static and dynamic entries. Static entries are entries you add yourself.

Internet Control Message Protocol (ICMP)

ICMP allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another. The switch implements the nonobsolete ICMP functions listed in Table 24.

Table 24. ICMP Messages Implemented on the AT-9400 Switch

ICMP Packet (Type): Time to Live Exceeded (11)
Switch Response: If the TTL field in a packet falls to zero the switch will send a “Time to live exceeded” packet. This could occur if a route was excessively long or if too many hops were in the path.

Routing Interfaces and Management Features

Routing interfaces are primarily intended for the IPv4 packet routing feature. There are, however, a number of management functions that rely on the presence of at least one routing interface on the switch to operate properly. The switch uses the IP address of an interface as its source address when performing the management function.

As an example, assume you decided not to implement the IPv4 routing feature on a switch that had four local subnets, but you wanted the switch to send its events to a syslog server and have access to a RADIUS authentication server. Assume also that you wanted to use a TFTP server to upload and download files to the device.

Pinging a Remote Device

This function is used to validate the existence of an active path between the switch and another network node. The switch can ping a device if there is a routing interface on the local subnet from where it reaches the device. In previous versions of the AT-S63 Management Software the device to be pinged had to be reached through the management VLAN of the switch. This restriction no longer applies.

DHCP or BOOTP Server

Local Interface

The local interface is used with the enhanced stacking feature. It is also used with remote management of a switch with a Telnet or SSH client, or a web browser. The local interface does the following:

With an enhanced stack, it designates on the master switch the common VLAN and subnet that interconnects the switches of the stack.

AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches

The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not support the IPv4 packet routing feature. They do, however, support a limited version of some of the features.

Local Interface

You can create one routing interface to provide support for those management features that require the switch to have an IP address.

Note
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with another network node.

Default Gateway

The default gateway specifies the IP address of an interface on a neighboring router.
Routing Command Example

This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands for implementing the feature. To make the example easier to explain, some of the command options are not mentioned and the default values are used instead. For information on all of the available options of a command, refer to the appropriate section in this chapter.

Creating the VLANs

The first step is to create the VLANs for the local subnets on the switch. The VLANs must be created before the routing interfaces.

command.

Adding a Static Route and Default Route

Building on our example, assume you decided to manually enter a route to a remote subnet as a static route. The command for creating a static route is ADD IP ROUTE. Here is the basic information for defining a static route:

The IP address of the remote destination.
The subnet mask of the remote destination.
The IP address of the next hop.

Adding RIP

Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its routing neighbors using RIP. To implement RIP, you add it to the routing interfaces where routing neighbors are located. The command for adding RIP to an interface is ADD IP RIP.

Non-routing Command Example

This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in cases where you want to implement the management functions described in “Routing Interfaces and Management Features” on page 318 but without IPv4 packet routing. This section is also appropriate for the AT-9400 Layer 2+ Switches, which do not support packet routing.

The following command creates a default route for the example and specifies the next hop as 149.44.55.6:

add ip route=0.0.0.0 nexthop=149.44.55.6

Upgrading from AT-S63 Version 1.3.0 or Earlier

When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the management software, the switch automatically creates a routing interface that preserves the previous IP configuration of the unit. If the switch had a static address, the interface is assigned the same address.
Chapter 28
BOOTP Relay Agent

This chapter has the following sections:

“Supported Platforms” on page 332
“Overview” on page 333
“Guidelines” on page 335

Supported Platforms

This feature is supported on the following switches:

Layer 2+ Models
– Not supported

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature must be configured from the command line interface.

Overview

The AT-S63 Management Software comes with a BOOTP relay agent for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP request to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet because it does not know the IP address of the server. This can present a problem when a client and server reside on different subnets, because broadcast packets do not cross subnet boundaries.

A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to determine whether the client, in its original request to the server, set this flag to signal that the response must be sent as a broadcast datagram. Some older nodes have this dependency. If the flag is not set, the routing interface forwards the packet to the originating client as a unicast packet.

Guidelines

These guidelines apply to the BOOTP relay agent:

A routing interface functions as the BOOTP relay agent for the local clients in its subnet.
You can specify up to eight DHCP or BOOTP servers.
The hop count for BOOTP requests is preset on the AT-9400 Switch to 4. It cannot be changed. Routing interfaces discard BOOTP requests with hop counts of 4 or more.
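The Python below is an added example, not code from the guide or from Allied Telesis, that implements the relay behaviour the overview and guidelines describe on the RFC 951 fixed-length BOOTP header: a request arriving with a hop count of 4 or more is discarded, otherwise it is forwarded to each configured server (at most eight), and a server reply is broadcast when the client set the broadcast flag in its request and unicast to the client's new address when it did not. Setting the relay's own interface address in the giaddr field of a request that has none is RFC 1542 relay-agent behaviour and an assumption about the AT-S63 implementation; the addresses, transaction ids and hardware addresses are constructed.

```python
import ipaddress
import struct

BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 951 fixed-length header, 236 bytes
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000                      # high bit of the flags field
MAX_HOPS = 4                                 # preset on the AT-9400 Switch, not adjustable
MAX_SERVERS = 8

FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
ADDR_FIELDS = ("ciaddr", "yiaddr", "siaddr", "giaddr")


def unpack_bootp(pkt: bytes) -> dict:
    values = struct.unpack(BOOTP_HEADER, pkt[:struct.calcsize(BOOTP_HEADER)])
    msg = dict(zip(FIELDS, values))
    for f in ADDR_FIELDS:
        msg[f] = str(ipaddress.IPv4Address(msg[f]))
    return msg


def pack_bootp(msg: dict) -> bytes:
    m = dict(msg)
    for f in ADDR_FIELDS:
        m[f] = ipaddress.IPv4Address(m[f]).packed
    return struct.pack(BOOTP_HEADER, *(m[f] for f in FIELDS))


def make_request(xid: int, chaddr: bytes, hops: int = 0, broadcast: bool = False) -> bytes:
    """Constructed client request: no IP address yet, so ciaddr and giaddr are zero."""
    return pack_bootp({"op": BOOTREQUEST, "htype": 1, "hlen": 6, "hops": hops, "xid": xid,
                       "secs": 0, "flags": BROADCAST_FLAG if broadcast else 0,
                       "ciaddr": "0.0.0.0", "yiaddr": "0.0.0.0", "siaddr": "0.0.0.0",
                       "giaddr": "0.0.0.0", "chaddr": chaddr.ljust(16, b"\x00"),
                       "sname": b"", "file": b""})


class RelayInterface:
    """A routing interface acting as BOOTP relay agent for the clients in its subnet."""

    def __init__(self, ip: str, servers):
        if len(servers) > MAX_SERVERS:
            raise ValueError("at most eight DHCP or BOOTP servers can be specified")
        self.ip = ip
        self.servers = list(servers)

    def relay_request(self, pkt: bytes) -> list:
        """(server, packet) pairs to unicast, or [] when the request is discarded."""
        msg = unpack_bootp(pkt)
        if msg["op"] != BOOTREQUEST or msg["hops"] >= MAX_HOPS:
            return []                          # hop count of 4 or more: discarded
        msg["hops"] += 1
        if msg["giaddr"] == "0.0.0.0":
            msg["giaddr"] = self.ip            # RFC 1542 relay behaviour (assumption)
        out = pack_bootp(msg)
        return [(server, out) for server in self.servers]

    def deliver_reply(self, pkt: bytes):
        """Where a server reply goes: broadcast if the client asked for it, else unicast."""
        msg = unpack_bootp(pkt)
        if msg["op"] != BOOTREPLY:
            return None
        if msg["flags"] & BROADCAST_FLAG:      # client set the broadcast flag in its request
            return ("255.255.255.255", pkt)
        return (msg["yiaddr"], pkt)            # unicast to the address the server assigned


if __name__ == "__main__":
    relay = RelayInterface("149.44.55.1", ["10.0.0.5"])
    print(relay.relay_request(make_request(0x1234, b"\x00\x11\x22\x33\x44\x55")))
```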
Chapter 29
Virtual Router Redundancy Protocol

The chapter has the following sections:

“Supported Platforms” on page 338
“Overview” on page 339
“Master Switch” on page 340
“Backup Switches” on page 341
“Interface Monitoring” on page 342
“Port Monitoring” on page 343
“VRRP on the Switch” on page 344

Supported Platforms

This feature is supported on the following switches:

Layer 2+ Models
– Not supported

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature must be configured from the command line interface.

Overview

This chapter describes the Virtual Router Redundancy Protocol (VRRP) support provided by the switch. One of the functions performed by switches is to act as a gateway to the WAN for hosts on a LAN. On larger LANs, two or more switches may act as the gateway, and hosts use a dynamic routing protocol, such as RIP or OSPF, to determine the gateway switch to use as the next hop in order to reach a specific IP destination.

Master Switch

The virtual router has a virtual MAC address known by all the switches participating in the virtual router. The virtual MAC address is derived from the virtual router identifier, which is a user-defined value from 1 to 255. All hosts on the LAN are configured with an IP address to use as the first hop. This IP address is typically owned by the preferred switch in the group of switches that constitute the virtual router.

Backup Switches

All the other switches participating in the virtual router are designated as backup switches. A switch can be part of several different virtual routers on one LAN, provided that all the virtual routers have different virtual router identifiers.

Interface Monitoring

The virtual router can monitor certain interfaces to change the priority of switches if the master switch loses its connection to the outside world. This is known as interface monitoring. Interface monitoring reduces the priority of the switch when an important interface connection is lost. The reduction in priority causes a backup switch with a higher priority to take over as the master switch and restore connectivity.

Port Monitoring

Port monitoring is the process of detecting the failure of ports that are part of a VLAN that a virtual router is running over. If a port fails or is disabled, the VRRP priority is reduced by the stepvalue or by an amount that reflects the proportion of the VLAN’s ports that are out of service. If the switch is the master and a backup switch has a higher priority, the backup switch preempts the master and becomes the new master.

VRRP on the Switch

VRRP is disabled by default. When a virtual router is created on the switch, it is enabled by default, but the VRRP module must be enabled before it is operational. The VRRP module or a specific virtual router can be enabled or disabled afterwards by using the ENABLE VRRP and DISABLE VRRP commands. A virtual router must be created on at least two switches before it operates correctly.

prevents a switch from inadvertently backing up another switch. The authentication type and, in the case of plaintext authentication, the password, must be the same for all switches in the virtual router. By default, the virtual router has no authentication. Authentication is set with the AUTHENTICATION and PASSWORD parameters in the CREATE VRRP and SET VRRP commands.
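The Python below is an added example (not code from the guide or from Allied Telesis) that models the election rules of this chapter: the virtual MAC is derived from the VRID (the 00-00-5E-00-01-xx form is the VRRP range from RFC 3768; the guide only says it is derived), port monitoring lowers a switch's priority either by the stepvalue per failed port or in proportion to the VLAN's failed ports, a backup with a higher priority preempts the master, and a peer whose authentication type or plaintext password differs is not accepted as part of the virtual router. Switch names, priorities and the password are constructed; breaking a priority tie by name is my assumption, since the guide gives no tie rule.

```python
from dataclasses import dataclass, field


def virtual_mac(vrid: int) -> str:
    """Virtual MAC derived from the VRID, using the RFC 3768 range 00-00-5E-00-01-xx."""
    if not 1 <= vrid <= 255:
        raise ValueError("virtual router identifier must be 1 to 255")
    return "00:00:5e:00:01:%02x" % vrid


@dataclass
class VrrpSwitch:
    name: str
    vrid: int
    priority: int                      # configured priority
    vlan_ports: frozenset              # ports of the VLAN the virtual router runs over
    step_value: int = 0                # per-port reduction; 0 selects the proportional rule
    failed_ports: set = field(default_factory=set)
    auth_type: str = "none"            # "none" (the default) or "plaintext"
    password: str = None

    def effective_priority(self) -> int:
        """Port monitoring: priority reduced by the stepvalue per failed port, or by
        the proportion of the VLAN's ports that are out of service."""
        failed = len(self.failed_ports & self.vlan_ports)
        if failed == 0:
            return self.priority
        if self.step_value:
            reduction = self.step_value * failed
        else:
            reduction = round(self.priority * failed / len(self.vlan_ports))
        return max(0, self.priority - reduction)

    def accepts(self, other: "VrrpSwitch") -> bool:
        """Same VRID, same authentication type and (for plaintext) same password."""
        if self.vrid != other.vrid or self.auth_type != other.auth_type:
            return False
        return self.auth_type != "plaintext" or self.password == other.password


def elect_master(viewer: VrrpSwitch, peers) -> str:
    """Master as seen by viewer: highest effective priority among accepted switches.
    A backup whose priority exceeds the master's preempts it on the next election."""
    group = [viewer] + [p for p in peers if viewer.accepts(p)]
    return max(group, key=lambda s: (s.effective_priority(), s.name)).name


def demo():
    ports = frozenset({1, 2, 3, 4})
    a = VrrpSwitch("switch-A", 10, 120, ports, step_value=20, auth_type="plaintext", password="vr10pw")
    b = VrrpSwitch("switch-B", 10, 100, ports, step_value=20, auth_type="plaintext", password="vr10pw")
    stray = VrrpSwitch("switch-C", 10, 200, ports, auth_type="none")   # authentication mismatch
    before = elect_master(a, [b, stray])
    a.failed_ports.update({1, 2})           # two of the four monitored ports go down
    after = elect_master(a, [b, stray])
    return before, after, a.effective_priority()


if __name__ == "__main__":
    print(virtual_mac(10), demo())
```

Switch C would win every election on raw priority, which is the point of the authentication check: without matching authentication it is simply not part of this virtual router.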
Section VIII
Port Security

The chapters in this section contain overview information on the port security features of the AT-9400 Switch. The chapters include:

Section VIII: Port Security

Chapter 30, “MAC Address-based Port Security” on page 349
Chapter 31, “802.
Section VIII: Port Security
Chapter 30 MAC Address-based Port Security The sections in this chapter include: Section VIII: Port Security “Supported Platforms” on page 350 “Overview” on page 351 “Invalid Frames and Intrusion Actions” on page 353 “Guidelines” on page 354 349
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

Note
This port security feature is not supported on GBIC, SFP, or XFP modules.

Overview

You can use this feature to enhance the security of your network by controlling which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network. It uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it. The source address is the MAC address of the end node that sent the frame.

Secured

This security level uses only static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through a port. Dynamic MAC addresses already learned on a port are discarded from the MAC table and no new dynamic addresses are added. Any ingress frames having a source MAC address not entered as a static address on a port are discarded.

Invalid Frames and Intrusion Actions

When a port receives an invalid frame, it has to select an intrusion action, which defines the port’s response to the packet. But before defining the intrusion actions, it helps to understand what constitutes an invalid frame.

Guidelines

The following guidelines apply to MAC address-based port security:

– The filtering of a packet occurs on the ingress port, not on the egress port.
– You cannot use MAC address port security and 802.1x port-based access control on the same port.
– To configure a port as an Authenticator or Supplicant in 802.1x port-based access control, you must set its MAC address security level to Automatic, which is the default setting.
Chapter 31 802.1x Port-based Network Access Control

Overview

The AT-S63 Management Software has several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 30, “MAC Address-based Port Security” on page 349, explains how you can restrict network access using the MAC addresses of the end nodes of your network. This chapter explains yet another way. This method is referred to as 802.1x port-based network access control.
Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the supplicants. The AT-9400 Switch does not authenticate any of the supplicants connected to its ports. Its function is to act as an intermediary between a supplicant and the authentication server during the authentication process.

Authentication Process

Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard.

– Either the authenticator (that is, a switch port) or the supplicant initiates an authentication message exchange.

Port Roles

Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:

– None
– Authenticator
– Supplicant

None Role

A switch port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without being validated.

Assigning unique username and password combinations to your network users and requiring the users to provide the information when they initially send traffic through the switch can enhance network security by limiting network access to only those supplicants who have been assigned valid combinations. Another advantage is that the authentication is not tied to any specific computer or node.

Note
A supplicant connected to an authenticator port set to force-authorized must have 802.1x client software if the port’s authenticator mode is 802.1x. Though the force-authorized setting prevents an authentication exchange, the supplicant must still have the client software to forward traffic through the port.

Force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate.

Authenticator Ports with Single and Multiple Supplicants

An authenticator port has two operating modes. The modes relate to the number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all the clients must log on to use the switch port. The operating modes are:

– Single
– Multiple

Single Operating Mode

The Single operating mode is used in two situations.
[Figure: AT-9400 Switch (AT-9424T/SP front panel) connected to a RADIUS authentication server]

If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are performed automatically, eliminating the need for relying on an individual to perform the task. This scenario is illustrated in Figure 42.

[Figure: AT-9400 Switch (A), with port 6 labelled Role: None or Role: Authenticator, Operating Mode: Single, Piggy-back Mode: Enabled]

An example of this authenticator operating mode is illustrated in Figure 44. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x authentication method, the clients must provide their username and password combinations before they can forward traffic through the AT-9400 Switch.

none, port 6 on switch A will discard the packets because switch B would not be logged on to the port. Also notice that the ports where the clients are connected on switch B are set to the none role. This is because a client can log on only once. If, in this example, you were to make a client’s port an authenticator, the client would have to log on twice when trying to access switch A, once on its port on switch B as well as the authenticator port on switch A.

Supplicant and VLAN Associations

One of the challenges to managing a network is accommodating end users that roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises in providing them with access to the same network resources and, conversely, restricting them from unauthorized areas, regardless of the workstation from where they access the network.
Single Operating Mode

Here are the operating characteristics for the switch when an authenticator port is set to the Single operating mode:

– If the switch receives a valid VLAN ID or VLAN name from the RADIUS server, it moves the authenticator port to the designated VLAN and changes the port to the authorized state.
– If the piggy-back mode is disabled, only the authenticated supplicant is allowed to use the port.

Guest VLAN

An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logged on. Any client using the port is not required to log on and has full access to the resources of the Guest VLAN. If the switch receives 802.

RADIUS Accounting

The AT-S63 Management Software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information to the RADIUS server about the status of its supplicants. You can view this information on the RADIUS server to monitor network activity and use.

General Steps

Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:

1. You must install a RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. Funk Software SteelBelted Radius and Free Radius have been verified as fully compatible with the AT-S63 Management Software.

Guidelines

The following are general guidelines to using this feature:

– Ports operating under port-based access control do not support dynamic MAC address learning.
– The appropriate port role for a port on the AT-9400 Switch connected to a RADIUS authentication server is None.
– The authentication method of an authenticator port can be either 802.1x username and password combination or MAC address-based, but not both.
– A supplicant must have 802.

– An authenticator port cannot be part of a static port trunk, LACP port trunk, or port mirror.
– If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, after a timeout period, assumes that it can send traffic without having to log on.
– GVRP must be disabled on an authenticator port.
– When 802.

Here are guidelines for adding VLAN assignments to supplicant accounts on a RADIUS server:

– The VLAN can be either port-based or tagged.
– The VLAN must already exist on the switch.
– A client can have only one VLAN associated with it on the RADIUS server.
– When a supplicant logs on, the switch port is moved as an untagged port to the designated VLAN.
Section IX Management Security

The chapters in this section describe the management security features of the AT-9400 Switch.

Chapter 32 Web Server

The sections in this chapter are:

“Supported Platforms” on page 382
“Overview” on page 383
“Configuring the Web Server for HTTP” on page 384
“Configuring the Web Server for HTTPS” on page 385
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from the following management interfaces:
– Command line interface
– Menus interface

Overview

The AT-S63 Management Software has a web server and a special web browser interface that provide the ability to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interface, refer to the AT-S63 Management Software Web Browser Interface User’s Guide.) The web server on the switch can operate in HTTP or HTTPS mode.

Configuring the Web Server for HTTP

The following steps configure the web server for non-secure HTTP operation. The steps reference only the command line commands, but the web server can be configured from the menus interface, too.

1. Disable the web server with the DISABLE HTTP SERVER command.
2. Activate HTTP in the web server with the SET HTTP SERVER command.
3. Enable the web server with the ENABLE HTTP SERVER command.

Configuring the Web Server for HTTPS

The following sections outline the steps for configuring the web server on the switch for HTTPS operation with a self-signed or CA certificate. The steps reference only the command line commands, but the web server can be configured from the menus interface, too.

General Steps for a Self-signed Certificate

These steps configure the web server with a self-signed certificate:

1. Set the switch’s date and time.

6. After receiving the certificates from the CA, download them into the switch’s file system using the LOAD METHOD=TFTP or LOAD METHOD=XMODEM command.
7. Add the certificates to the certificate database with the ADD PKI CERTIFICATE command.
8. Disable the web server with the DISABLE HTTP SERVER command.
9. Activate HTTPS in the web server with the SET HTTP SERVER command.
10. Enable the web server with the ENABLE HTTP SERVER command.
Chapter 33 Encryption Keys

The sections in this chapter are:

“Supported Platforms” on page 388
“Overview” on page 389
“Encryption Key Length” on page 390
“Encryption Key Guidelines” on page 391
“Technical Overview” on page 392

For an overview of the procedures for configuring the switch’s web server for encryption, refer to “Configuring the Web Server for HTTPS” on page 385.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from the following management interfaces:
– Command line interface
– Menus interface

You can view but not create

Overview

Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s login username and password, and uses that information to alter a switch’s configuration settings.

Encryption Key Length

When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 256 bits. The longer the key, the more difficult it is for someone to decipher. If you are particularly concerned about the safety of your management sessions, you might want to use a longer key length than the default, though the default is likely to be sufficient in most situations.

Encryption Key Guidelines

Observe the following guidelines when creating an encryption key pair:

– Web browser encryption requires only one key pair.
– SSH encryption requires two key pairs. The keys must be of different lengths, at least one increment (256 bits) apart. The recommended size for the server key is 768 bits and the recommended size for the host key is 1024 bits.
Technical Overview

The encryption feature provides the following data security services:

– Data encryption
– Data authentication
– Key exchange algorithms
– Key creation and storage

Data Encryption

Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).

algorithm and key. For a given input block of plaintext, ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains consecutive blocks so that repetitive plaintext data, such as ASCII blanks, does not yield identical ciphertext.
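The ECB/CBC difference just described, as an added demonstration that is not part of this guide: the block cipher below is a toy keyed permutation standing in for DES (an assumption made so the example runs without a crypto library), and the chaining logic, not the cipher, is the point.

```python
"""ECB encrypts each 64-bit block independently, so repeated plaintext blocks
(such as runs of ASCII blanks) give repeated ciphertext blocks; CBC feeds each
ciphertext block into the next so they differ. Constructed example, not
Allied Telesis code; the block cipher is a toy stand-in for DES."""
BLOCK = 8  # 64-bit blocks, as for DES


def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    # Toy stand-in for DES: XOR with the key, then rotate the bytes left by one.
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def toy_decrypt_block(block: bytes, key: bytes) -> bytes:
    # Inverse of toy_encrypt_block: rotate right by one, then XOR with the key.
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("data length must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Each block is encrypted on its own: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_encrypt_block(p, key) for p in _blocks(plaintext))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    # Feedback step: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before it is encrypted.
    out, prev = [], iv
    for p in _blocks(plaintext):
        c = toy_encrypt_block(xor(p, prev), key)
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    # Undo the chaining: decrypt the block, then XOR with the previous ciphertext block.
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(xor(toy_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))


KEY = bytes(range(1, 9))      # constructed 64-bit key
IV = bytes(BLOCK)             # constructed all-zero IV
BLANKS = b" " * (4 * BLOCK)   # four identical blocks of ASCII blanks

if __name__ == "__main__":
    print(distinct_blocks(ecb_encrypt(BLANKS, KEY)))      # 1: ECB exposes the repetition
    print(distinct_blocks(cbc_encrypt(BLANKS, KEY, IV)))  # 4: CBC hides it
```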
secret. Only the decryption, or private, key needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generates a key pair and then distributes the public key to encrypting stations.

– It is very hard to find another message and key which give the same hash.

The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is generally regarded to be slightly more secure.

A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well-tested public key values. The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure. A Diffie-Hellman exchange starts with both parties generating a large random number.
Chapter 34 PKI Certificates and SSL

The sections in this chapter are:

“Supported Platforms” on page 398
“Overview” on page 399
“Types of Certificates” on page 399
“Distinguished Names” on page 401
“SSL and Enhanced Stacking” on page 403
“Guidelines” on page 404
“Technical Overview” on page 405

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from the following management interfaces:
– Command line interface
– Menus interface

You can view the PK

Overview

This chapter describes the second part of the encryption feature of the AT-S63 Management Software—PKI certificates. The first part is explained in Chapter 33, “Encryption Keys” on page 387.
network equipment. With private CAs, companies can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want the group to issue the certificate for the AT-9400 Switch so that you are in compliance with company policy. The first step to creating a CA certificate is to create a key pair.

Distinguished Names

Part of the task of creating a self-signed certificate or enrollment request is selecting a distinguished name. A distinguished name is integrated into a certificate along with the key and can have up to five parts. The parts are:

cn - common name
This can be the name of the person who will use the certificate.

ou - organizational unit
This is the name of a department, such as Network Support or IT.

If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the switch’s name instead of the IP address as the distinguished name. For those switches that do not have an IP address, such as slave switches of an enhanced stack, you could assign their certificates a distinguished name using the IP address of the master switch of the enhanced stack.

SSL and Enhanced Stacking

Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in HTTPS, management packets are encrypted. The web server on the AT-9400 Switch operates in either mode.

Guidelines

The guidelines for creating certificates are:

– A certificate can have only one key.
– A switch can use only those certificates that contain a key that was generated on the switch.
– You can create multiple certificates on a switch, but the device uses the certificate whose key pair has been designated as the active key pair for the switch’s web server.
– Most web browsers support both unsecured (plaintext) and secured (encrypted) operation.
Technical Overview

This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP). Most web browsers and servers support SSL, and its most common deployment is for secure connections between a client and server over the Internet.

SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase.

User Verification

An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server. During the handshake, the following occurs:

– The client and server establish the SSL version they are to use.

To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authority (CA) issues certificates after checking that a public key belongs to its claimed owner. There are several agencies that are trusted to issue certificates. Individual browsers have approved Root CAs that are built in to the browser.

this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate.

Caution
Although a certificate binds a public key to a subject to ensure the public key’s security, it does not guarantee that the security of the associated private key has not been breached.

Elements of a Public Key Infrastructure

A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements:

– At least one certification authority (CA), which issues and revokes certificates.
– At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.

Certificate Validation

To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate.

CA Hierarchies and Certificate Chains

It may not be practical for every individual certificate in an organization to be signed by one certification authority. A certification hierarchy may be formed, in which one CA (for example, national headquarters) is declared to be the root CA.

PKI Implementation

The following sections discuss the implementation of PKI on the AT-9400 Switch.
Chapter 35 Secure Shell (SSH)

The sections in this chapter are:

“Supported Platforms” on page 414
“Overview” on page 415
“Support for SSH” on page 416
“SSH Server” on page 417
“SSH Clients” on page 418
“SSH and Enhanced Stacking” on page 419
“SSH Configuration Guidelines” on page 421
“General Steps to Configuring SSH” on page 422

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requirement for security are two universal requirements. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem—it is only protected by plaintext usernames and passwords which are vulnerable to wiretapping and password guessing.

Support for SSH

The AT-S63 implementation of the SSH protocol is compliant with the SSH protocol versions 1.3, 1.5, and 2.0. In addition, the following SSH options and features are supported:

– Inbound SSH connections (server mode) are supported.
– The following security algorithms are supported:
  – 128-bit Advanced Encryption Standard (AES), 192-bit AES, and 256-bit AES
  – Arcfour (RC4) security algorithm is supported.

SSH Server

When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as the SSH default port.

Note
If your switch is in a network that is protected by a firewall, you may need to configure the firewall to permit SSH connections.

SSH Clients

The SSH protocol provides a secure connection between the switch and SSH clients. After you have configured the SSH server, you need to install SSH client software on your management PC. The AT-S63 Management Software supports both SSH1 and SSH2 clients. You can download client software from the Internet. Two popular SSH clients are PuTTY and CYGWIN. To install SSH client software, follow the directions from the vendor.

SSH and Enhanced Stacking

The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.

Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the master switch of a stack. Activating SSH on a slave switch has no effect.

SSH Configuration Guidelines

Here are the guidelines to configuring SSH:

– SSH requires two encryption key pairs. One key pair functions as the host key and the other as the server key.
– The two encryption key pairs must be of different lengths, at least one increment (256 bits) apart. The recommended bit size for a server key is 768 bits. The recommended size for the host key is 1024 bits.

General Steps to Configuring SSH

Configuring the SSH server involves the following procedures:

1. Create two encryption key pairs on the switch. One pair will function as the host key and the other as the server key.
2. Configure and activate the Secure Shell server on the switch by specifying the two encryption keys in the server software.
3. Install SSH client software on your management station. Follow the directions provided with the client software.
Chapter 36 TACACS+ and RADIUS Protocols

This chapter describes the two authentication protocols TACACS+ and RADIUS.

Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web browser interface

Overview

TACACS+ and RADIUS are authentication protocols that can enhance the security of your network. In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol server. The AT-S62 software comes with TACACS+ and RADIUS client software. You can use the client software to add two security features to the switch.

When a network manager logs in to a switch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid. This is referred to as authentication. If the combination is valid, the authentication protocol server notifies the switch and the switch completes the login process, allowing the manager to manage the switch.

Guidelines

Here are the main steps to using the TACACS+ or RADIUS client on the switch.

1. Install a TACACS+ or RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis.
2. Configure the TACACS+ or RADIUS authentication server.

maximum length for a password is 16 alphanumeric characters and spaces.
– To create an account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode, enter the MAC address of the node used by the supplicant as both its username and password. When entering the MAC address, do not use spaces or colons (:).

Note
If no authentication server responds or if no servers have been defined, the AT-S63 Management Software defaults to the standard manager and operator accounts.

Note
For more information on TACACS+, refer to the RFC 1492 standard. For more information on RADIUS, refer to the RFC 2865 standard.
Chapter 37
Management Access Control List

This chapter explains how to restrict Telnet and web browser management access to the switch with the management access control list (ACL).
Supported Platforms

This feature is supported on the following AT-9400 Switches:

Layer 2+ Models
– AT-9408LC/SP
– AT-9424T/GB
– AT-9424T/SP

Basic Layer 3 Models
– AT-9424T
– AT-9424Ts
– AT-9424Ts/XP
– AT-9448T/SP
– AT-9448Ts/XP

Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
– Not supported

This feature can be managed from all three management interfaces:
– Command line interface
– Menus interface
– Web brow
Overview

This chapter explains how to restrict remote management access of a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser. The switch uses the management ACL to filter the management packets that it receives.
Parts of a Management ACE

An ACE has the following three parts:
– IP address
– Subnet mask
– Application

IP Address
You can specify the IP address of a specific management station or a subnet.

Mask
The mask indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not.
Guidelines

Below are guidelines for the management ACL:
– The default setting for this feature is disabled.
– A switch can have only one management ACL.
– A management ACL can have up to 256 ACEs.
– An ACE must have an IP address and mask.
– All management ACEs are implicit “permit” statements. A management packet that meets the criteria of an ACE is accepted by the switch.
Examples

Following are several examples of ACEs.

This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device:

IP Address: 149.11.11.11
Mask: 255.255.255.255
Application Type: All

If the management ACL had only this ACE, remote management of the switch would be restricted to just that management station.
The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0:

ACE #1
IP Address: 149.11.11.11
Mask: 255.255.255.255
Application Type: All

ACE #2
IP Address: 149.22.22.0
Mask: 255.255.255.0
Application Type: All

This example allows the switch to be pinged, but not managed, by the management station with the IP address 149.11.11.
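The filtering rules this chapter describes (an ACE is an IP address, a mask and an application type; a 1 bit in the mask means the switch compares that bit of the source address; every ACE is an implicit permit; the feature is disabled by default; one ACL of at most 256 ACEs) can be modelled in a few dozen lines. The following Python is an added example written for this edit; it is not code from the guide or from the AT-S63 software. The application labels Telnet, Web and Ping are assumed names for the access types the chapter discusses, the sample source addresses are constructed, and the behaviour of an enabled ACL that holds no ACEs (everything dropped, because nothing matches an implicit permit) is an inference from the guidelines rather than a statement the page makes.

```python
"""Model of the AT-S63 management ACL semantics described in Chapter 37.

Added example, not the switch's own code. Application labels and sample
addresses are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import ClassVar, Dict, List

# "All", Telnet, web browser and ping are the kinds of management access the
# chapter discusses; the exact labels used here are this example's assumption.
APPLICATION_TYPES = frozenset({"All", "Telnet", "Web", "Ping"})


def _to_int(dotted: str) -> int:
    """Parse a dotted-quad IPv4 address or mask into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class ManagementACE:
    """One access control entry: IP address, mask and application type."""
    ip_address: str
    mask: str
    application: str = "All"

    def __post_init__(self) -> None:
        # An ACE must have an IP address and a mask; both must parse as IPv4.
        _to_int(self.ip_address)
        _to_int(self.mask)
        if self.application not in APPLICATION_TYPES:
            raise ValueError(f"unknown application type: {self.application}")

    def matches(self, source_ip: str, application: str) -> bool:
        """True when a management packet meets this ACE's criteria.

        A 1 bit in the mask means "compare this bit of the source address with
        the ACE address"; a 0 bit means the bit is ignored. That is why
        255.255.255.255 pins one station and 255.255.255.0 admits a whole /24.
        """
        mask = _to_int(self.mask)
        if (_to_int(source_ip) & mask) != (_to_int(self.ip_address) & mask):
            return False
        return self.application == "All" or self.application == application


@dataclass
class ManagementACL:
    """The switch's single management ACL; the feature is disabled by default."""
    MAX_ACES: ClassVar[int] = 256
    enabled: bool = False
    aces: List[ManagementACE] = field(default_factory=list)

    def add(self, ace: ManagementACE) -> None:
        if len(self.aces) >= self.MAX_ACES:
            raise ValueError(f"a management ACL holds at most {self.MAX_ACES} ACEs")
        self.aces.append(ace)

    def permits(self, source_ip: str, application: str) -> bool:
        """Filter decision for one inbound management packet.

        Disabled: nothing is filtered. Enabled: every ACE is an implicit permit,
        so a packet that matches no ACE is dropped (an inference from the
        guidelines; an enabled ACL with no ACEs therefore drops everything).
        """
        if not self.enabled:
            return True
        return any(ace.matches(source_ip, application) for ace in self.aces)


def chapter_examples() -> Dict[str, bool]:
    """Re-run the chapter's example ACLs against constructed sample packets."""
    results: Dict[str, bool] = {}

    # Feature left at its default (disabled): every station gets through.
    results["disabled_allows_any"] = ManagementACL().permits("10.0.0.5", "Telnet")

    # Example 1: a single host ACE restricts management to 149.11.11.11.
    single = ManagementACL(enabled=True)
    single.add(ManagementACE("149.11.11.11", "255.255.255.255", "All"))
    results["single_host_ok"] = single.permits("149.11.11.11", "Web")
    results["single_neighbour_blocked"] = single.permits("149.11.11.12", "Web")

    # Example 2: the host plus the whole 149.22.22.0 subnet.
    two = ManagementACL(enabled=True)
    two.add(ManagementACE("149.11.11.11", "255.255.255.255", "All"))
    two.add(ManagementACE("149.22.22.0", "255.255.255.0", "All"))
    results["subnet_member_ok"] = two.permits("149.22.22.77", "Telnet")
    results["outside_subnet_blocked"] = two.permits("149.33.33.1", "Telnet")

    # Example 3: the station may ping the switch but not manage it.
    ping_only = ManagementACL(enabled=True)
    ping_only.add(ManagementACE("149.11.11.11", "255.255.255.255", "Ping"))
    results["ping_ok"] = ping_only.permits("149.11.11.11", "Ping")
    results["telnet_blocked"] = ping_only.permits("149.11.11.11", "Telnet")

    # Enabled but empty: no ACE matches, so nothing is permitted.
    results["empty_enabled_blocks"] = ManagementACL(enabled=True).permits("149.11.11.11", "Ping")
    return results


if __name__ == "__main__":
    for name, decision in chapter_examples().items():
        print(f"{name}: {'permit' if decision else 'drop'}")
```

The third case is the one that catches people when they enable the feature: once the ACL is on, the management station you are typing from must itself match an ACE, or the session that enabled the ACL is the last one that gets in.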
Appendix A
AT-S63 Management Software Default Settings

This appendix lists the factory default settings for the AT-S63 Management Software. It contains the following sections in alphabetical order:
“Address Resolution Protocol Cache” on page 441
“Boot Configuration File” on page 442
“BOOTP Relay Agent” on page 443
“Class of Service” on page 444
“Denial of Service Defenses” on page 445
“802.
“Telnet Server” on page 471
“Virtual Router Redundancy Protocol” on page 472
“VLANs” on page 473
“Web Server” on page 474
Address Resolution Protocol Cache

The following table lists the ARP cache default setting.
Boot Configuration File

The following table lists the names of the default configuration files.

Boot Configuration File                                                      Default
Stand-alone Switch                                                           boot.cfg
Stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module   stack.
BOOTP Relay Agent

The following table lists the default setting for the BOOTP relay agent.

BOOTP Relay Agent Setting    Default
Status                       Disabled
Hop Count (1)                4

1. Hop count is not adjustable.
Class of Service

The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.

IEEE 802.
Denial of Service Defenses

The following table lists the default settings for the Denial of Service prevention feature.

Denial of Service Prevention Setting    Default
IP Address                              0.0.0.0
Subnet Mask                             0.0.0.
802.1x Port-Based Network Access Control

The following table describes the 802.1x Port-based Network Access Control default settings.

802.1x Port-based Network Access Control Settings    Default
Port Access Control                                   Disabled
Authentication Method                                 RADIUS EAP
Port Role                                             None

The following table lists the default settings for RADIUS accounting.
Authenticator Port Setting    Default
VLAN Assignment               Enabled
Secure VLAN                   On
Control Direction             Both
Piggyback Mode                Disabled
Guest VLAN                    None

The following table lists the default settings for a supplicant port.
Enhanced Stacking

The following table lists the enhanced stacking default setting.
Ethernet Protection Switching Ring (EPSR) Snooping

The following table lists the EPSR default setting.
Event Logs

The following table lists the default settings for both the permanent and temporary event logs.
GVRP

This section provides the default settings for GVRP.
IGMP Snooping

The following table lists the IGMP Snooping default settings.
Internet Protocol Version 4 Packet Routing

The following table lists the IPv4 packet routing default settings.

Packet Routing Setting                      Default
Equal Cost Multi-path (ECMP)                Enabled
Default Route                               None
Update Timer                                30 seconds
Invalid Timer                               180 seconds
Split Horizon                               Enabled
Split Horizon with Poison Reverse           Disabled
Autosummarization of Routes                 Disabled

Note
The update and invalid timers are not adjustable.
MAC Address-based Port Security

The following table lists the MAC address-based port security default settings.
MAC Address Table

The following table lists the default setting for the MAC address table.
Management Access Control List

The following table lists the default setting for the management access control list.
Manager and Operator Account

The following table lists the manager and operator account default settings.

Manager Account Setting              Default
Manager Login Name                   manager
Manager Password                     friend
Operator Login Name                  operator
Operator Password                    operator
Console Disconnect Timer Interval    10 minutes
Console Startup Mode                 CLI

Note
Login names and passwords are case sensitive.
Multicast Listener Discovery Snooping

The following table lists the MLD Snooping default settings.
Public Key Infrastructure

The following table lists the PKI default settings, including the generate enrollment request settings.
Port Settings

The following table lists the port configuration default settings.
RJ-45 Serial Terminal Port

The following table lists the RJ-45 serial terminal port default settings.

RJ-45 Serial Terminal Port Setting    Default
Data Bits                             8
Stop Bits                             1
Parity                                None
Flow Control                          None
Baud Rate                             9600 bps

The baud rate is the only adjustable parameter on the port.
Router Redundancy Protocol Snooping

The following table lists the RRP Snooping default setting.
Server-based Authentication (RADIUS and TACACS+)

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-based Authentication

The following table describes the server-based authentication default settings.

Server-based Authentication Setting    Default
Server-based Authentication            Disabled
Active Authentication Method           TACACS+

RADIUS Client

The following table lists the RADIUS configuration default settings.
Simple Network Management Protocol

The following table describes the SNMP default settings.
Simple Network Time Protocol

The following table lists the SNTP default settings.

SNTP Setting    Default
System Time     00:00:00 on January 1, 1980
SNTP Status     Disabled
SNTP Server     0.0.0.
Spanning Tree Protocols (STP, RSTP, and MSTP)

This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

Spanning Tree Setting       Default
Spanning Tree Status        Disabled
Active Protocol Version     RSTP

The following table describes the STP default settings.
Multiple Spanning Tree Protocol

The following table lists the MSTP default settings.
Secure Shell Server

The following table lists the SSH default settings.

SSH Setting               Default
Status                    Disabled
Host Key ID               Not Defined
Server Key ID             Not Defined
Server Key Expiry Time    0 hours
Login Timeout             180 seconds
SSH Port Number           22

The SSH port number is not adjustable.
Secure Sockets Layer

The following table lists the SSL default settings.
System Name, Administrator, and Comments Settings

The following table describes the IP default settings.
Telnet Server

The following table lists the Telnet server default settings.

Telnet Server Setting    Default
Telnet Server            Enabled
Telnet Port Number       23
NULL Character           Off

The Telnet port number is not adjustable.
Virtual Router Redundancy Protocol

The following table lists the VRRP default setting.
VLANs

This section provides the VLAN default settings.
Web Server

The following table lists the web server default settings.
Appendix B
SNMPv3 Configuration Examples

This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.
SNMPv3 Configuration Examples

This appendix provides SNMPv3 configuration examples for the following types of users:
– Manager
– Operator

In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 19, “SNMPv3” on page 197.

SNMPv3 Manager Configuration

This section provides a sample configuration for a Manager with a User Name of systemadmin24.
Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
Target Address Name: host451
Target IP Address: 198.35.11.
Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet

This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

Security Model
Security Level
Read View Name
Write View Name
Notify View Name
Storage Type

SNMPv3 SecurityToGroup Table
User Name
Security Model
Group Name
Storage Type

SNMPv3 Notify Table
Notify Name
Notify Tag
Notify Type
Storage Type

SNMPv3 Target Address Table
Target Address Name
Target IP Address
UDP Port
Timeout
Retries
Tag List
Target Parms Name
Storage Type

SNMPv3 Target Parameters Table
Target Parameters Name
User (Security) N
SNMPv3 Parameters (Continued)

Security Model
Security Level
Storage Type
Appendix C
Features and Standards

This appendix lists the features and standards of the AT-9400 Switch.
10/100/1000Base-T Twisted Pair Ports
IEEE 802.1d Bridging
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
IEEE 802.3u Auto-Negotiation
IEEE 802.3x 10/100 Mbps Flow Control / Backpressure
IEEE 802.
Fiber Optic Ports (AT-9408LC/SP Switch)
IEEE 802.1d Bridging
IEEE 802.3z 1000Base-SX
— Head of Line Blocking
— Eight Egress Queues Per Port
— 8 megabyte storage capacity

File System

DHCP and BOOTP Clients
RFC 2131 DHCP client
RFC 951, 1542 BOOTP client

Internet Protocol Multicasting
RFC 1112 IGMP Snooping (Ver. 1.0)
RFC 2236 IGMP Snooping (Ver. 2.0)
RFC 3376 IGMP Snooping (Ver. 3.0)
RFC 2710 MLD Snooping (Ver. 1.
RFC 826 Address Resolution Protocol
— Equal Cost Multi-path
— Split Horizon and Split Horizon with Poison Reverse
— Autosummarization of Routes
RFC 1542 BOOTP Relay

MAC Address Table
— Storage capacity of 16K entries

Management Access and Security
RFC 1157 SNMPv1
RFC 1901 SNMPv2
RFC 3411 SNMPv3
RFC 1492 TACACS+ Client
RFC 2865 RADIUS Client
RFC 2068 HTTP
RFC 2616 HTTPS
RFC 1866 HTML
RFC 854 Telnet Server
— Secure Sockets Layer (SSL)
R
Management Access Methods
Enhanced Stacking™
Out-of-band management (serial port)
In-band management (over the network) using Telnet, SSH, web browser, and SNMP

Management Interfaces
Menus
Command Line
Web Browser
SNMP v1, v2, & v3

Management MIBs
RFC 1213 MIB-II
RFC 1215 TRAP MIB
RFC 1493 Bridge MIB
RFC 2863 Interface Group MIB
RFC 2933 IGMP
RFC 1643 Ethernet-like MIB
RFC 2674 IEEE 802.
Port Security
IEEE 802.1x Port-based Network Access Control: Supports multiple supplicants per port and the following authentication methods:
EAP-MD5
EAP-TLS
EAP-TTLS
PEAP
RFC 2865 RADIUS Client
RFC 2866 RADIUS Accounting
— MAC Address-based security

Port Trunking and Mirroring
IEEE 802.3ad Link Aggregation Control Protocol (LACP)
— Static Port Trunking
— Port Mirroring

Spanning Tree Protocols
IEEE 802.1D Spanning Tree Protocol
IEEE 802.
RFC 1757 RMON Groups 1, 2, 3, and 9
RFC 2386 Quality of Service featuring:

Traffic Control
— Layer 2, 3, and 4 criteria
— Flow Groups, Traffic Classes, and Policies
— DSCP Replacement
— 802.1q Priority Replacement
— Type of Service Replacement
— Type of Service to 802.1q Priority Replacement
— 802.1q Priority to Type of Service Replacement
— Maximum Bandwidth Control
— Burst Size Control
— Support for Ingress and Egress Ports
IEEE 802.
— MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.)
IEEE 802.3ac VLAN Tag Frame Extension
IEEE 802.
Appendix D
MIB Objects

This appendix lists the SNMP MIB objects in the private Allied Telesis MIBs that apply to the AT-S63 Management Software and the AT-9400 Switch.
Access Control Lists

Table 31. Access Control Lists (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwACLConfigTable       1.3.6.1.4.1.207.8.17.9.1
atiStkSwACLConfigEntry       1.3.6.1.4.1.207.8.17.9.1.1
atiStkSwACLModuleId          1.3.6.1.4.1.207.8.17.9.1.1.1
atiStkSwACLId                1.3.6.1.4.1.207.8.17.9.1.1.2
atiStkSwACLDescription       1.3.6.1.4.1.207.8.17.9.1.1.3
atiStkSwACLAction            1.3.6.1.4.1.207.8.17.9.1.1.4
atiStkSwACLClassifierList    1.3.6.1.4.1.207.8.17.9.1.1.5
atiStkSwACLPortList          1.3.6.1.4.1.207.
Class of Service

Table 32. CoS Scheduling (AtiStackSwitch MIB)

Object Name                          OID
atiSwQoSGroup                        1.3.6.1.4.1.207.8.17.7
atiStkSwQoSGroupNumberOfQueues       1.3.6.1.4.1.207.8.17.7.1
atiStkSwQoSGroupSchedulingMode       1.3.6.1.4.1.207.8.17.7.2

Table 33. CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB)

Object Name                          OID
atiStkSwQoSGroupCoSToQueueTable      1.3.6.1.4.1.207.8.17.7.3
atiStkSwQoSGroupCoSToQueueEntry      1.3.6.1.4.1.207.8.17.7.3.1
atiStkSwQoSGroupCoSPriority          1.
Date, Time, and SNTP Client

Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB)

Object Name                        OID
atiStkSysSystemTimeConfig          1.3.6.1.4.1.207.8.17.1.5
atiStkSwSysCurrentTime             1.3.6.1.4.1.207.8.17.1.5.1
atiStkSwSysCurrentDate             1.3.6.1.4.1.207.8.17.1.5.2
atiStkSwSysSNTPStatus              1.3.6.1.4.1.207.8.17.1.5.3
atiStkSwSysSNTPServerIPAddress     1.3.6.1.4.1.207.8.17.1.5.4
atiStkSwSysSNTPUTCOffset           1.3.6.1.4.1.207.8.17.1.5.5
atiStkSwSysSNTPDSTStatus           1.3.6.1.4.1.207.8.17.1.5.
Denial of Service Defenses

Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB)

Object Name                        OID
atiStkDOSConfig                    1.3.6.1.4.1.207.8.17.2.6
atiStkDOSConfigLANIpAddress        1.3.6.1.4.1.207.8.17.2.6.1
atiStkDOSConfigLANSubnetMask       1.3.6.1.4.1.207.8.17.2.6.2

Table 38. Denial of Service Defenses (AtiStackSwitch MIB)

Object Name                        OID
atiStkPortDOSAttackConfigTable     1.3.6.1.4.1.207.8.17.2.6.3
atiStkPortDOSAttackConfigEntry     1.3.6.1.4.1.207.8.17.2.6.3.
Enhanced Stacking

Table 39. Switch Mode and Discovery (AtiStackInfo MIB)

Object Name                        OID
atiswitchEnhancedStackingInfo      1.3.6.1.4.1.207.8.16.1
atiswitchEnhStackMode              1.3.6.1.4.1.207.8.16.1.1
atiswitchEnhStackDiscover          1.3.6.1.4.1.207.8.16.1.2
atiswitchEnhStackRemoteNumber      1.3.6.1.4.1.207.8.16.1.3

Table 40. Switches of an Enhanced Stack (AtiStackInfo MIB)

Object Name                        OID
atiswitchEnhStackTable             1.3.6.1.4.1.207.8.16.1.4
atiswitchEnhStackEntry             1.3.6.1.4.1.207.8.16.1.4.
GVRP

Table 41. GVRP Switch Configuration (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwGVRPConfig                 1.3.6.1.4.1.207.8.17.3.6
atiStkSwGVRPStatus                 1.3.6.1.4.1.207.8.17.3.6.1
atiStkSwGVRPGIPStatus              1.3.6.1.4.1.207.8.17.3.6.2
atiStkSwGVRPJoinTimer              1.3.6.1.4.1.207.8.17.3.6.3
atiStkSwGVRPLeaveTimer             1.3.6.1.4.1.207.8.17.3.6.4
atiStkSwGVRPLeaveAllTimer          1.3.6.1.4.1.207.8.17.3.6.5

Table 42.
Table 43. GVRP Counters (AtiStackSwitch MIB)

Object Name                               OID
atiStkSwGVRPCountersPortNotListening      1.3.6.1.4.1.207.8.17.3.8.1.8
atiStkSwGVRPCountersInvalidPort           1.3.6.1.4.1.207.8.17.3.8.1.9
atiStkSwGVRPCountersInvalidProtocol       1.3.6.1.4.1.207.8.17.3.8.1.10
atiStkSwGVRPCountersInvalidFormat         1.3.6.1.4.1.207.8.17.3.8.1.11
atiStkSwGVRPCountersDatabaseFull          1.3.6.1.4.1.207.8.17.3.8.1.12
atiStkSwGVRPCountersRxMsgLeaveAll         1.3.6.1.4.1.207.8.17.3.8.1.
MAC Address Table

Table 44. MAC Address Table (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwMacAddr2VlanTable          1.3.6.1.4.1.207.8.17.3.3
atiStkSwMacAddr2VlanEntry          1.3.6.1.4.1.207.8.17.3.3.1
atiStkSwMacAddress                 1.3.6.1.4.1.207.8.17.3.3.1.1
atiStkSwMacAddrVlanId              1.3.6.1.4.1.207.8.17.3.3.1.2
atiStkSwMacAddrVlanName            1.3.6.1.4.1.207.8.17.3.3.1.3
atiStkSwMacAddrModuleId            1.3.6.1.4.1.207.8.17.3.3.1.4
atiStkSwMacAddrPortId              1.3.6.1.4.1.207.8.17.3.3.1.
Management Access Control List

Table 46. Management Access Control List Status (AtiStackSwitch MIB)

Object Name                          OID
atiStkSwSysMgmtACLGroup              1.3.6.1.4.1.207.8.17.1.7
atiStkSwSysMgmtACLStatus             1.3.6.1.4.1.207.8.17.1.7.1

Table 47. Management Access Control List Entries (AtiStackSwitch MIB)

Object Name                          OID
atiStkSwSysMgmtACLConfigTable        1.3.6.1.4.1.207.8.17.1.7.2
atiStkSwSysMgmtACLConfigEntry        1.3.6.1.4.1.207.8.17.1.7.2.1
atiStkSwSysMgmtACLConfigModuleId     1.3.6.1.4.1.207.8.17.1.7.
Miscellaneous

Table 48. System Reset (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwSysGroup             1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig            1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysReset             1.3.6.1.4.1.207.8.17.1.1.1

Table 49. Local Interface (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwSysGroup             1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig            1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysIpAddress         1.3.6.1.4.1.207.8.17.1.1.2
atiStkSwSysSubnetMask        1.3.6.1.4.1.207.8.17.1.1.
Port Mirroring

Table 51. Port Mirroring (AtiStackSwitch MIB)

Object Name                                  OID
atiStkSwPortMirroringConfig                  1.3.6.1.4.1.207.8.17.2.2
atiStkSwPortMirroringState                   1.3.6.1.4.1.207.8.17.2.2.1
atiStkSwPortMirroringDestinationModuleId     1.3.6.1.4.1.207.8.17.2.2.4
atiStkSwPortMirroringDestinationPortId       1.3.6.1.4.1.207.8.17.2.2.5
atiStkSwPortMirroringSourceRxList            1.3.6.1.4.1.207.8.17.2.2.6
atiStkSwPortMirroringSourceTxList            1.3.6.1.4.1.207.8.17.2.2.
Quality of Service

Table 52. Flow Groups (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwQosFlowGrpTable            1.3.6.1.4.1.207.8.17.7.5
atiStkSwQosFlowGrpEntry            1.3.6.1.4.1.207.8.17.7.5.1
atiStkSwQosFlowGrpModuleId         1.3.6.1.4.1.207.8.17.7.5.1.1
atiStkSwQosFlowGrpId               1.3.6.1.4.1.207.8.17.7.5.1.2
atiStkSwQosFlowGrpDescription      1.3.6.1.4.1.207.8.17.7.5.1.3
atiStkSwQosFlowGrpDSCPValue        1.3.6.1.4.1.207.8.17.7.5.1.4
atiStkSwQosFlowGrpPriority         1.3.6.1.4.1.207.8.17.7.5.1.
Table 53. Traffic Classes (AtiStackSwitch MIB)

Object Name                                  OID
atiStkSwQosTrafficClassClassPriority         1.3.6.1.4.1.207.8.17.7.6.1.9
atiStkSwQosTrafficClassRemarkPriority        1.3.6.1.4.1.207.8.17.7.6.1.10
atiStkSwQosTrafficClassToS                   1.3.6.1.4.1.207.8.17.7.6.1.11
atiStkSwQosTrafficClassMoveToSToPriority     1.3.6.1.4.1.207.8.17.7.6.1.12
atiStkSwQosTrafficClassMovePriorityToToS     1.3.6.1.4.1.207.8.17.7.6.1.13
atiStkSwQosTrafficClassFlowGroupList         1.3.6.1.4.1.207.8.17.7.6.1.
Port Configuration and Status

Table 55. Port Configuration and Status (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwPortConfigTable      1.3.6.1.4.1.207.8.17.2.1
atiStkPortConfigEntry        1.3.6.1.4.1.207.8.17.2.1.1
atiStkSwModuleId             1.3.6.1.4.1.207.8.17.2.1.1.1
atiStkSwPortId               1.3.6.1.4.1.207.8.17.2.1.1.2
atiStkSwPortName             1.3.6.1.4.1.207.8.17.2.1.1.3
atiStkSwPortState            1.3.6.1.4.1.207.8.17.2.1.1.4
atiStkSwPortLinkState        1.3.6.1.4.1.207.8.17.2.1.1.
Spanning Tree

Table 56. Spanning Tree (AtiStackSwitch MIB)

Object Name                          OID
atiStkSwSysConfig                    1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysSpanningTreeStatus        1.3.6.1.4.1.207.8.17.1.1.9
atiStkSwSysSpanningTreeVersion       1.3.6.1.4.1.207.8.17.1.1.
Static Port Trunk

Table 57. Static Port Trunks (AtiStackSwitch MIB)

Object Name                        OID
atiStkSwStaticTrunkTable           1.3.6.1.4.1.207.8.17.8.1
atiStkSwStaticTrunkEntry           1.3.6.1.4.1.207.8.17.8.1.1
atiStkSwStaticTrunkModuleId        1.3.6.1.4.1.207.8.17.8.1.1.1
atiStkSwStaticTrunkIndex           1.3.6.1.4.1.207.8.17.8.1.1.2
atiStkSwStaticTrunkId              1.3.6.1.4.1.207.8.17.8.1.1.3
atiStkSwStaticTrunkName            1.3.6.1.4.1.207.8.17.8.1.1.4
atiStkSwStaticTrunkMethod          1.3.6.1.4.1.207.8.17.8.1.1.
VLANs

The objects in Table 58 display the specifications of the Default_VLAN.

Table 58. VLAN Table (AtiStackSwitch MIB)

Object Name                              OID
atiStkSwVlanConfigTable                  1.3.6.1.4.1.207.8.17.3.1
atiStkSwVlanConfigEntry                  1.3.6.1.4.1.207.8.17.3.1.1
atiStkSwVlanId                           1.3.6.1.4.1.207.8.17.3.1.1.1
atiStkSwVlanName                         1.3.6.1.4.1.207.8.17.3.1.1.2
atiStkSwVlanTaggedPortListModule1        1.3.6.1.4.1.207.8.17.3.1.1.3
atiStkSwVlanUntaggedPortListModule1      1.3.6.1.4.1.207.8.17.3.1.1.
Table 61. PVID Table (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwPort2VlanTable       1.3.6.1.4.1.207.8.17.3.2
atiStkSwPort2VlanEntry       1.3.6.1.4.1.207.8.17.3.2.1
atiStkSwPortVlanId           1.3.6.1.4.1.207.8.17.3.2.1.1
atiStkSwPortVlanName         1.3.6.1.4.1.207.8.17.3.2.1.
Index

Numerics
802.1p priority level in classifiers 113
802.1Q-compliant VLAN mode 276
802.
TCP source and destination ports 117
UDP source and destination ports 117
VLAN ID 114
Common and Internal Spanning Tree (CIST)
  defined 238
  priority 238
common VLAN 59
community names
  SNMPv1 and SNMPv2c 68
configuration files. See boot configuration files
configuration name 235
control messages, Ethernet Protection Switching Ring (EPSR) snooping 189, 191
CoS. See Class of Service (CoS)
CRL.
interface monitoring 342
Internet Group Management Protocol (IGMP) snooping
  default settings 452
  described 177
  supported platforms 176
Internet Protocol version 4 routing
  see also routing interfaces, Routing Information Protocol (RIP), static routes
  default settings 453
  described 301
  examples 324, 328
  supported platforms 300
intrusion actions 353
  See also MAC address-based port security
IP configuration 46
IP destination addresses in classifiers 116
IP DSCP in clas
O
operator accounts, default settings 457

P
password, default 43
path cost 217
permit access control lists 121
ping of death attack 169
PKI. See Public Key Infrastructure (PKI)
Platforms 180
point-to-point ports 221
policies
  described 146
  guidelines 147
port cost 217
port mirror
  described 95
  guidelines 95
  supported platforms 94
port monitoring in Virtual Router Redundancy Protocol (VRRP) 343
port priority 218
port priority in aggregate trunks 88
port security. See 802.
  encryption keys 416
  management sessions 41
  server 41, 417
  supported platforms 414
Secure Sockets Layer (SSL)
  See also certificates, encryption key
  and enhanced stacking 403
  default settings 469
  described 399
  encryption 405
  supported platforms 398
  technical overview 405
secured port security mode 352
self-signed certificate 399
server-based authentication.
Triple DES (3DES) encryption algorithms 393

U
UDP destination ports 117
UDP destination ports in classifiers 117
UDP source ports 117
UDP source ports in classifiers 117
untagged ports 252
User-based Security Model (USM) authentication 199
username, default 43

V
Virtual LAN.