Release Note: Software Version 2.7.6
For AT-8800, Rapier i, AT-8700XL, AT-8600, AT-9900, AT-8900 and AT-9800 Series Switches and AR400 and AR700 Series Routers

Contents
Introduction ........ 2
Upgrading to Software Version 2.7.6 ........ 3
Overview of New Features ........
Introduction
Allied Telesyn announces the release of Software Version 2.7.6 on the products in the following table. This Release Note describes the new features and enhancements.
Upgrading to Software Version 2.7.6
Software Version 2.7.6 is available as a flash release that can be downloaded directly from the Software/Documentation area of the Allied Telesyn website: www.alliedtelesyn.com/support/software
Software versions must be licenced and require a password to activate. If you upgrade to Software Version 2.7.6 from any 2.7.x version, your existing licence is valid for 2.7.6.
Overview of New Features
The following table lists the new features and enhancements by product series. For supported models, see "Introduction" on page 2.
Features: DHCP Snooping; Support for AT-8648T/2SP Switch; Enhancements to CLI Help
Product series: AT-9900, AT-8900, AT-9800, AT-8600, AT-8700XL, AT-8800, Rapier, AR750S, AR7x5, AR400
Support for AT-8648T/2SP Switch
Software Release 2.7.6 supports the new AT-8648T/2SP switch. The AT-8600 Series switches are Layer 3 switches with Layer 2/3/4+ intelligence. These desktop multimedia switches bring a high level of security and traffic control to the edge of your network. The new AT-8648T/2SP is a 48-port 10BASE-T/100BASE-TX Layer 3 Fast Ethernet Switch.
Enhancements to CLI Help
Allied Telesyn routers and switches offer a number of methods of getting online command help:
■ pressing the Tab key, to list valid command parameters and, if possible, complete parameters. This functionality is new in Software Version 2.7.6, and also provides helpful descriptions for a number of parameters
■ pressing the ? key, to list valid command parameters. With Software Version 2.7.
Listing commands and valid parameters
You can now use either the Tab key or the ? key to find out which parameters you can type next, as summarised in the following table.
To... | Press Tab or ? key after...
Completing parameters
You can now use the Tab key to complete parameters (Figure 4). You must first type enough letters to match only one parameter.
Figure 4: Completing a parameter with the Tab key
Manager > add ospf ra
Manager > add ospf range
If you press the Tab key without first typing enough letters to uniquely identify a parameter, the router or switch lists all matching parameters (Figure 5). This is the same as the existing ? key behaviour.
DHCP Snooping
In Software Release 2.7.6, DHCP snooping has been added to provide an extra layer of security via dynamic IP source filtering. Snooping discards DHCP server messages that arrive on unknown, or "untrusted", ports, and builds and maintains a DHCP snooping binding database from the leases it observes. DHCP snooping is disabled by default, and is user configurable.
Overview
Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses to client devices.
Lease structure
Each lease in the database holds the following information:
■ the MAC address of the client device
■ the IP address that was allocated to that client
■ time until expiry
■ VLAN to which the client is attached
■ port to which the client is attached
Database structure
The binding database is split into three sections:
■ current valid entries
■ entries with client lease but no listener.
DHCP Filtering
DHCP filtering prevents IP addresses from being falsified or "spoofed". This ensures that a customer cannot evade detection by using an IP address that was not actually allocated to them. The switch only allows packets to enter via a given port if they have a source IP address that matches an IP address allocated to a device connected to that port.
To disable Option 82, use the command:
disable dhcpsnooping option82
Note: If both DHCP snooping and Option 82 for DHCP snooping are enabled, the BOOTP relay agent Option 82 is unavailable. For more information about Option 82, see RFC 3046, DHCP Relay Agent Information Option.
ARP Security
ARP security prevents ARP spoofing. ARP spoofing is when fake, or "spoofed", ARP messages are sent to an Ethernet LAN.
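The following is an added worked example, written for this page rather than taken from the switch software: a Python model of the behaviour described in the DHCP Snooping, DHCP Filtering and ARP Security passages above. It keeps a binding database with the lease fields listed under Lease structure, discards server replies that arrive on untrusted ports, admits IP and ARP traffic from untrusted ports only when it agrees with a binding for that port, and ages out dynamic entries at each check interval while leaving static entries alone. The port numbers, addresses and message sequence are constructed; the class and method names are this example's own.

```python
"""DHCP snooping, IP source filtering and ARP security modelled in Python.

Added worked example; this is not the switch's code. Port numbers, MAC
and IP addresses and the message sequence in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int
    expires: Optional[float]  # None = static entry, never aged out by the check


class DhcpSnooper:
    def __init__(self, trusted_ports, check_interval=60, arp_security=False):
        self.trusted = set(trusted_ports)          # server-facing ports (TRusted=YES)
        self.check_interval = check_interval       # seconds between expiry checks
        self.arp_security = arp_security           # disabled by default, as on the switch
        self.bindings: Dict[str, Binding] = {}     # keyed by client MAC
        self.pending: Dict[str, Tuple[int, int]] = {}  # MAC -> (port, vlan) of client's request
        self.clock = 0.0
        self.counters = {"InPackets": 0, "InDiscards": 0}

    def add_static_binding(self, mac, ip, vlan, port):
        """Like add dhcpsnooping binding: static entries are never expired."""
        self.bindings[mac] = Binding(mac, ip, vlan, port, None)

    def dhcp(self, port, vlan, kind, client_mac, yiaddr=None, lease=0):
        """Snoop one DHCP message. Returns True if forwarded, False if discarded."""
        self.counters["InPackets"] += 1
        if kind in ("OFFER", "ACK") and port not in self.trusted:
            # Server replies are only legitimate on trusted ports; a reply
            # arriving on an untrusted port is a rogue server and is dropped.
            self.counters["InDiscards"] += 1
            return False
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = (port, vlan)   # remember where the client is
        elif kind == "ACK" and client_mac in self.pending:
            cport, cvlan = self.pending.pop(client_mac)
            self.bindings[client_mac] = Binding(client_mac, yiaddr, cvlan, cport,
                                                self.clock + lease)
        return True

    def binding_for(self, port, ip) -> Optional[Binding]:
        return next((b for b in self.bindings.values()
                     if b.port == port and b.ip == ip), None)

    def ip_allowed(self, port, src_mac, src_ip, match_mac=False):
        """IP source filtering: on an untrusted port the source IP must have been
        allocated to a device on that port; match_mac adds the MAC check as well."""
        if port in self.trusted:
            return True
        b = self.binding_for(port, src_ip)
        return b is not None and (not match_mac or b.mac == src_mac)

    def arp_allowed(self, port, sender_mac, sender_ip):
        """ARP security: sender IP/MAC in ARP from an untrusted port must be
        consistent with the binding database."""
        if not self.arp_security or port in self.trusted:
            return True
        b = self.binding_for(port, sender_ip)
        return b is not None and b.mac == sender_mac

    def advance(self, seconds):
        """Advance the clock, running the expiry check at every check interval."""
        target = self.clock + seconds
        while self.clock < target:
            self.clock = min(target, self.clock + self.check_interval)
            self.bindings = {m: b for m, b in self.bindings.items()
                             if b.expires is None or b.expires > self.clock}


def demo():
    """Constructed scenario: port 1 faces the real DHCP server, clients are on 5 and 7."""
    s = DhcpSnooper(trusted_ports={1}, check_interval=60, arp_security=True)
    s.add_static_binding("00-00-cd-00-00-10", "10.0.0.10", 1, 4)
    client = "00-00-cd-00-00-20"
    s.dhcp(5, 1, "DISCOVER", client)
    rogue_dropped = not s.dhcp(7, 1, "OFFER", client, yiaddr="10.0.0.66")
    s.dhcp(1, 1, "OFFER", client, yiaddr="10.0.0.20")
    s.dhcp(5, 1, "REQUEST", client)
    s.dhcp(1, 1, "ACK", client, yiaddr="10.0.0.20", lease=120)
    results = {
        "rogue_offer_dropped": rogue_dropped,
        "learned_binding": (s.bindings[client].ip, s.bindings[client].port),
        "own_ip_allowed": s.ip_allowed(5, client, "10.0.0.20"),
        "spoofed_ip_blocked": not s.ip_allowed(5, client, "10.0.0.99"),
        "spoofed_mac_blocked": not s.ip_allowed(5, "00-00-cd-00-00-ff", "10.0.0.20", True),
        "arp_spoof_blocked": not s.arp_allowed(5, "00-00-cd-00-00-ff", "10.0.0.20"),
        "arp_genuine_allowed": s.arp_allowed(5, client, "10.0.0.20"),
        "discards": s.counters["InDiscards"],
    }
    s.advance(180)                       # three check intervals; the lease was 120 s
    results["expired_after_lease"] = client not in s.bindings
    results["static_kept"] = "00-00-cd-00-00-10" in s.bindings
    return results
```

The binding records the port on which the client sent its DISCOVER/REQUEST, not the trusted port on which the ACK arrived; that is what lets the IP source filter tie an allocated address to the one port the client is actually on.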
Command Change Summary
The following table summarises the new and modified commands (see Command Reference Updates).
Command Reference Updates
This section describes any new commands and the changed portions of any modified commands and output screens. It uses boldface to highlight new parameters and options of existing commands, and new fields of existing output.
add dhcpsnooping binding
Syntax
ADD DHCPSnooping BINDing=macaddr INTerface=vlan IP=ipadd POrt=port-number
Description
This command adds a static entry to the DHCP snooping binding database.
create classifier
Syntax: non-IPv6 traffic
CREate CLASSifier=rule-id [MACSaddr={macadd|ANY|DHCPSnooping}] [MACDaddr={macadd|ANY}] [MACType={L2Ucast|L2Mcast|L2Bcast|ANY}] [TPID=tpid|ANY] [VLANPriority=0..7|ANY] [VLAN={vlanname|1..4094|ANY}] [INNERTpid=tpid|ANY] [INNERVLANPriority=0..7|ANY] [INNERVLANId=VLAN=1..4094|ANY] [ETHFormat={802.2-Tagged|802.
Example
To create classifier 10 to match DHCP snooping entries, use any of the commands:
create classifier=10 ipsa=dhcps
create classifier=10 macs=dhcps
create classifier=10 ipsa=dhcps macs=dhcps
delete dhcpsnooping binding
Syntax
DELete DHCPSnooping BINDing=macaddr
where:
■ macaddr is an Ethernet six-octet MAC address expressed as six pairs of hexadecimal digits delimited by hyphens.
disable dhcpsnooping arpsecurity
Syntax
DISable DHCPSnooping ARPSecurity
Description
This command disables ARP security for DHCP snooping. When the switch receives ARP packets on untrusted ports, it no longer checks to ensure that the source IP in the ARP packet is consistent with the information stored in the DHCP snooping binding database. ARP security is disabled by default.
enable dhcpsnooping
Syntax
ENAble DHCPSnooping
Description
This command enables DHCP snooping on the switch. If the bindings.dsn file exists, the switch checks it, and adds any current entries to the DHCP snooping binding database. If the bindings.dsn file does not already exist, the switch creates it. When you enable DHCP snooping, and valid dynamic leases exist, the switch periodically writes the bindings.dsn file at every check interval.
enable dhcpsnooping debug
Syntax
ENAble DHCPSnooping DEBug={ALL|ARPSecurity|CLASSifier|DATABase|PRocessing|FILter}
Description
This command enables debugging for DHCP snooping.
Parameter DEBug: the type of debugging to be enabled
■ ALL: Enables all DHCP snooping debugging.
■ ARPSecurity: Enables ARP security debugging.
■ CLASSifier: Enables DHCP snooping classifier debugging.
■ DATABase: Enables DHCP snooping binding database debugging.
set classifier
Syntax: non-IPv6 traffic
SET CLASSifier=rule-id [MACSaddr={macadd|ANY|DHCPSnooping}] [MACDaddr={macadd|ANY}] [MACType={L2Ucast|L2Mcast|L2Bcast|ANY}] [TPID=tpid|ANY] [VLANPriority=0..7|ANY] [VLAN={vlanname|1..4094|ANY}] [INNERTpid=tpid|ANY] [INNERVLANPriority=0..7|ANY] [INNERVLANId=VLAN=1..4094|ANY] [ETHFormat={802.2-Tagged|802.
set dhcpsnooping checkinterval
Syntax
SET DHCPSnooping CHEckinterval=1..3600
Description
This command sets a check interval for the DHCP snooping binding database. This determines how often dynamic database entries are checked for expiration. Static entries defined with the add dhcpsnooping binding command on page 14 are not checked. The checkinterval parameter specifies the number of seconds between checks. The default interval is 60 seconds.
set dhcpsnooping port
Syntax
For AT-8600, AT-8700XL, Rapier, and AT-8800:
SET DHCPSnooping POrt={port-list|ALL} [MAXLeases=0..100] [SUBScriberid=subscriber-id] [TRusted={YES|NO|ON|OFF|True|False}]
For AT-8900 and AT-9900:
SET DHCPSnooping POrt={port-list|ALL} [MAXLeases=0..520] [SUBScriberid=subscriber-id] [TRusted={YES|NO|ON|OFF|True|False}]
Description
This command sets the DHCP snooping details for the specified ports.
show dhcpsnooping
Syntax
SHow DHCPSnooping
Description
This command displays the current DHCP snooping configuration (Figure 8, Table 1).
Figure 8: Example output from the show dhcpsnooping command
DHCP Snooping Information
-----------------------------------------
DHCP Snooping ................ Enabled
Option 82 status ........... Disabled
ARP security ............... Disabled
Debug enabled .............. None
DHCP Snooping Database:
Full Leases/Max Leases .....
show dhcpsnooping counter
Syntax
SHow DHCPSnooping COUnter
Description
This command displays current DHCP snooping counter information (Figure 9, Table 2).
Figure 9: Example output from the show dhcpsnooping counter command
DHCP Snooping Counters
-----------------------------------------------------------
DHCP Snooping
  InPackets ...................... 1412
  InBootpRequests ................ 725
  InBootpReplies ................. 687
  InDiscards .....................
show dhcpsnooping database
Syntax
SHow DHCPSnooping DATABase
Description
This command displays the information currently stored in the DHCP snooping database (Figure 10, Table 3).
Figure 10: Example output from the show dhcpsnooping database command
DHCP Snooping Binding Database
-----------------------------------------
Full Leases/Max Leases ... 3/52
Check Interval ........... 60 seconds
Database Listeners .......
Table 3: Parameters in output of the show dhcpsnooping database command (cont.)
Parameter | Meaning
Entries with no client lease and no listeners | This section lists DHCP snooped leases that have no valid listener (the Classifier module), and for which the DHCP ACK was not forwarded to the client. This can occur if there is an error in the DHCP information. When the DHCP ACK is not forwarded to the client, the client continues to request a DHCP lease.
show dhcpsnooping filter
Syntax
SHow DHCPSnooping FILter[=ALL]
Description
This command displays the current DHCP snooping filter information (Figure 11, Table 4). If all is specified, all DHCP snooping filter entries are shown, even if they are currently unallocated. If all is not specified, only allocated entries are displayed.
show dhcpsnooping port
Syntax
SHow DHCPSnooping POrt[={port-list|ALL}]
where:
■ port-list is a port number, range (specified as n-m), or comma-separated list of numbers and/or ranges. Port numbers start at 1 and end at m, where m is the highest numbered Ethernet switch port.
Description
This command displays information about DHCP snooping for the specified ports (Figure 12, Table 5).
Deleting Dynamic ARP Entries
Address Resolution Protocol (ARP) is used by the router or switch to dynamically learn the location of devices in its networks. When the router or switch needs to forward a packet to an address for which it has no ARP entry, it broadcasts an ARP request to determine where to send that packet.
Command Reference Updates
This section describes any new commands and the changed portions of any modified commands and output screens. It uses boldface to highlight new parameters and options of existing commands, and new fields of existing output.
delete ip arp
Syntax
DELete IP ARP={ipadd|ALLDynamic}
where ipadd is an IP address in dotted decimal notation
Description
Software Version 2.7.
Redistributing BGP Routes into RIP
Software Release 2.7.6 enables you to configure RIP to redistribute BGP routes. You can redistribute up to 500 BGP routes as RIP routes, by using the command:
add ip rip redistribute protocol=bgp [limit=1..500] [metric=0..
Creating Route Maps
A route map consists of multiple entries, which are in effect individual filters. Each entry specifies both what it matches on, in a match clause, and what is done to matching traffic, in the entry's action and any set clauses it has. The set clauses modify the characteristics of matching routes. If you want to change the characteristics of all candidate routes, configure an entry with no match clause. Such an entry matches all routes.
Overview of Filtering for RIP Routes
When the router or switch runs RIP, it receives routing information from neighbouring routers, and can advertise RIP, BGP, statically-configured and interface routes to neighbouring routers. You can filter routing information at the processing points shown in the following figure.
Command Reference Updates
This section describes any new commands and the changed portions of any modified commands and output screens. It uses boldface to highlight new parameters and options of existing commands, and new fields of existing output.
add ip rip redistribute
Syntax
ADD IP RIP REDistribute PROTocol=BGP [LIMit=1..500] [METric=0..
delete ip rip redistribute
Syntax
DELete IP RIP REDistribute PROTocol=BGP
Description
This command stops RIP redistributing BGP routes, by deleting the redistribution entry.
Example
To stop RIP from importing BGP routes, use the command:
del ip rip red prot=bgp
set ip rip redistribute
Syntax
SET IP RIP REDistribute PROTocol=BGP [LIMit=1..500] [METric=0..
show ip rip redistribute
Syntax
SHow IP RIP REDistribute
Description
This command displays information about importing routes from BGP into RIP (Figure 13, Table 6).
add ip routemap
Syntax for an empty entry
ADD IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion={INCLude|EXCLude}]
Syntax for a match clause
ADD IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion={INCLude|EXCLude}] MAtch ASPath=1..99
ADD IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion={INCLude|EXCLude}] MAtch COMmunity=1..99 [EXAct={NO|YES}]
ADD IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion=INCLude] MAtch MED=0..
set ip routemap
Syntax for an empty entry
SET IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion={INCLude|EXCLude}]
Syntax for a match clause
SET IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion={INCLude|EXCLude}] MAtch ASPath=1..99
SET IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion={INCLude|EXCLude}] MAtch COMmunity=1..99 [EXAct={NO|YES}]
SET IP ROUTEMap=routemap ENTry=1..4294967295 [ACtion=INCLude] MAtch MED=0..4294967295
SET IP ROUTEMap=routemap ENTry=1..
Classifying On Layer 4 Port Range
Software Version 2.7.6 makes it easy to create a classifier that matches a range of source or destination TCP or UDP ports. In previous software versions, you could specify a port range by entering a port number and a mask. With Software Version 2.7.6, you can simply enter the first and last numbers in the range, separated by a hyphen.
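As an added illustration (not code from the release or the switch), the following Python shows what the new first-last form saves you. A port-plus-mask entry can only express a block of port numbers aligned to a power of two, so a range such as 1024-1030 needs three mask entries where the new form needs one. range_to_masks computes that decomposition, and equivalent checks it against the plain first-last test over all 65536 port numbers. The function names are this example's own.

```python
"""Layer 4 port range as first-last versus port/mask pairs.

Added worked example, not the switch's code. A port/mask pair can only
describe an aligned power-of-two block, so an arbitrary range may need
several pairs; the first-last form always needs one classifier.
"""
from typing import List, Tuple

PORT_BITS = 16


def range_to_masks(first: int, last: int) -> List[Tuple[int, int]]:
    """Decompose first..last into the minimal list of (port, mask) pairs,
    each covering an aligned power-of-two block of port numbers."""
    if not 0 <= first <= last <= 0xFFFF:
        raise ValueError("port range must lie within 0..65535")
    pairs = []
    p = first
    while p <= last:
        size = 1
        # Grow the block while it stays aligned to its size and inside the range.
        while (size < (1 << PORT_BITS) and p % (size * 2) == 0
               and p + size * 2 - 1 <= last):
            size *= 2
        pairs.append((p, 0xFFFF & ~(size - 1)))
        p += size
    return pairs


def matches_mask(port: int, value: int, mask: int) -> bool:
    """Old-style test: the port matches if its masked bits equal the value."""
    return port & mask == value & mask


def matches_range(port: int, first: int, last: int) -> bool:
    """New-style test: the port lies between first and last inclusive."""
    return first <= port <= last


def equivalent(first: int, last: int) -> bool:
    """Check over every port number that the mask decomposition matches
    exactly the same ports as the plain range."""
    pairs = range_to_masks(first, last)
    return all(matches_range(p, first, last)
               == any(matches_mask(p, v, m) for v, m in pairs)
               for p in range(1 << PORT_BITS))
```

A practitioner checking an old configuration can feed each existing port/mask pair to matches_mask and confirm that the set of pairs covers exactly the range intended before replacing it with one first-last classifier; an over-wide mask (for example 1024 with mask 0xFFF8, which also admits 1031) is the kind of slip the new syntax removes.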
Command Reference Updates
This section describes any new commands and the changed portions of any modified commands and output screens. It uses boldface to highlight new parameters and options of existing commands, and new fields of existing output.
create classifier
Syntax: non-IPv6 traffic
For non-IPv6 traffic:
CREate CLASSifier=rule-id [MACSaddr={macadd|ANY}] [MACDaddr={macadd|ANY}] [MACType={L2Ucast|L2Mcast|L2Bcast|ANY}] [TPID=tpid|ANY] [VLANPriority=0..
Syntax: accelerated IPv6 traffic at Layer 3 processor
For accelerated IPv6 traffic, when applied on the Layer 3 processor of the accelerator on AT-8948 and AT-9924T/4SP switches:
CREate CLASSifier=rule-id [ETHFormat={ETHII-Tagged|ANY}] [PROTocol=IPV6] [IPDScp={0..
set classifier
Syntax: non-IPv6 traffic
For non-IPv6 traffic:
SET CLASSifier=rule-id [MACSaddr={macadd|ANY}] [MACDaddr={macadd|ANY}] [MACType={L2Ucast|L2Mcast|L2Bcast|ANY}] [TPID=tpid|ANY] [VLANPriority=0..7|ANY] [VLAN={vlanname|1..4094|ANY}] [INNERTpid=tpid|ANY] [INNERVLANPriority=0..7|ANY] [INNERVLANId=VLAN=1..4094|ANY] [ETHFormat={802.2-Tagged|802.
Syntax: accelerated IPv6 traffic at Layer 3 processor
For accelerated IPv6 traffic, when applied on the Layer 3 processor of the accelerator on AT-8948 and AT-9924T/4SP switches:
SET CLASSifier=rule-id [ETHFormat={ETHII-Tagged|ANY}] [PROTocol=IPV6] [IPDScp={0..
show classifier
Syntax
SHow CLASSifier[={rule-id|ALL}]
Description
If a classifier specifies a range, the range is displayed in the command output, as shown in the following example.
Figure 14: Example output from the show classifier command
Classifier Rules
-----------------------------------------------------------
Rule .................. 10
  D-MAC Address ........ ANY
  S-MAC Address ........ ANY
  M-Type ............... ANY
  S-VLAN ............... ANY
  E-Format ............. ANY
  Protocol .
Firewall Enhancements
Software Version 2.7.6 includes the following enhancements to the firewall:
■ Session Monitoring
■ Enhanced Network Address and Port Translation (ENAPT)
This section describes each enhancement, then the new and modified commands in Command Reference Updates.
Session Monitoring
Firewall session monitoring enables the firewall to copy all traffic that goes to and from specified IP addresses and send the copies to a packet capturing device.
Configuring Session Monitoring
Monitoring is disabled by default. To configure it, you need to set up a packet capturing device to collect the packet copies, create a monitor, and enable monitoring. The following table lists the commands to use on the router or switch.
Step | Command | Action
1 | — | Connect a device to capture the copies, such as a PC running packet capturing software, to an Eth port or a switch port.
Multiple monitors
There is no limit on the number of devices you can monitor, although you should consider the performance impact of monitoring a high proportion of traffic. The firewall determines which monitor to use on traffic by checking the monitor's IP address against all IP address fields for the session. These session fields appear in the output of the show firewall session command, and are summarised in the following table.
Command Change Summary
The following table summarises the new commands (see Command Reference Updates).
Enhanced Network Address and Port Translation (ENAPT)
Software Version 2.7.6 supports Enhanced Network Address and Port Translation (ENAPT). With ENAPT, the firewall translates private IP addresses and ports to a public IP address and ports. It remembers the private to public mapping and applies the same mapping for all simultaneous sessions that involve the same private IP address and port.
Command Change Summary
The following table summarises the modified commands (see Command Reference Updates).
Command | Change
add firewall policy nat | New enapt option for nat parameter
add firewall policy rule | New enapt option for nattype parameter
set firewall policy | New icmpunreachabletimeout parameter
show firewall | The ICMP unreachable timeout is displayed. If a policy uses ENAPT, "enapt" is displayed in the NAT field.
Command Reference Updates
This section describes any new commands and the changed portions of any modified commands and output screens. It uses boldface to highlight new parameters and options of existing commands, and new fields of existing output.
Therefore, sessions are monitored whether the device:
■ sends the packets
■ receives the packets
■ initiates the session
■ responds to a session initiated by another device
The copyto parameter specifies the Eth interface or VLAN to which the firewall sends the copies of monitored packets. Packets are sent as Layer 2 broadcasts to this interface, so every host attached to that interface or VLAN can read the copied traffic; attach the capture device to an interface or VLAN that carries nothing else.
add firewall policy nat
Syntax
ADD FIREwall POLIcy=policy-name NAT={ENAPt|ENHanced|STAndard} INTerface=interface [IP=ipadd[-ipadd]] GBLINterface=interface [GBLIP=ipadd[-ipadd]]
Description
The new enapt option for the nat parameter specifies that the firewall performs Enhanced NAPT, which is a port restricted cone NAT. With ENAPT, the firewall translates all private IP addresses to one global IP address, and also translates TCP or UDP ports.
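The following added example, not the firewall's code, models the port-restricted cone behaviour that ENAPT provides, as described in the ENAPT overview and in this command's description. A private ip:port keeps one public port across every destination it talks to, while an inbound packet is accepted only from an ip:port that the private host has already sent to. Sequential public port allocation from 1024, the class name and the addresses in demo() are assumptions made for the example.

```python
"""Port-restricted cone NAT (ENAPT) mapping table, modelled in Python.

Added worked example; not the firewall's code. Public ports are assumed
to be allocated sequentially from 1024; all addresses are constructed.
"""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


class Enapt:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings: Dict[Endpoint, int] = {}    # (private ip, port) -> public port
        self.reverse: Dict[int, Endpoint] = {}     # public port -> (private ip, port)
        self.peers: Dict[int, Set[Endpoint]] = {}  # public port -> remote endpoints contacted

    def outbound(self, priv_ip: str, priv_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Translate an outgoing packet. The same private ip:port always gets
        the same public port whatever the destination (the cone property)."""
        key = (priv_ip, priv_port)
        if key not in self.mappings:
            pub = self.next_port
            self.next_port += 1
            self.mappings[key] = pub
            self.reverse[pub] = key
            self.peers[pub] = set()
        pub = self.mappings[key]
        self.peers[pub].add((dst_ip, dst_port))   # remember who may reply
        return (self.public_ip, pub)

    def inbound(self, src_ip: str, src_port: int, pub_port: int) -> Optional[Endpoint]:
        """Translate an incoming packet, or return None to drop it. Port
        restricted: only an ip:port the private host has already sent to may
        reply, so the same remote IP from a different port is refused, as is
        an unsolicited probe to the mapped port."""
        if (src_ip, src_port) not in self.peers.get(pub_port, set()):
            return None
        return self.reverse[pub_port]


def demo():
    """Constructed scenario: two consoles behind one public address."""
    nat = Enapt("192.0.2.1")
    a = nat.outbound("192.168.1.1", 3074, "203.0.113.5", 3074)    # peer 1
    b = nat.outbound("192.168.1.1", 3074, "198.51.100.9", 3074)   # peer 2, same mapping
    c = nat.outbound("192.168.1.2", 3074, "203.0.113.5", 3074)    # second host, new mapping
    return {
        "same_mapping_across_sessions": a == b,
        "second_host_distinct": c != a,
        "reply_from_peer": nat.inbound("203.0.113.5", 3074, a[1]),
        "same_ip_other_port": nat.inbound("203.0.113.5", 5000, a[1]),
        "stranger": nat.inbound("198.18.0.1", 3074, a[1]),
    }
```

The stable mapping is what lets a peer that learned the public ip:port from one session reach the host through another; the per-peer filter in inbound is what keeps that from becoming an open port on the public address.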
add firewall policy rule
Syntax
ADD FIREwall POLIcy=policy-name RUle=rule-id ACtion={ALLOw|DENY|NAT|NONat} INTerface=interface PROTocol={protocol|ALL|EGP|GRE|ICmp|OSPF|SA|TCP|UDP} [AFTer=hh:mm] [BEFore=hh:mm] [DAYs={ALL|MON|TUE|WED|THU|FRI|SAT|SUN|WEEKDay|WEEKEnd} [,...
Example
In this example, the host with private IP address 192.168.1.1 wishes to play Xbox Live, through the firewall policy called "zone1", over the private interface vlan1. The router's public IP address is 192.0.2.1. You want to limit the rule so that it only translates Xbox Live traffic, which has a source port of 3074. To configure this, use the commands:
add fire poli=zone1 ru=1 ac=nat natt=enap int=vlan1 prot=udp ip=192.168.1.1 gblip=192.0.2.
set firewall monitor
Syntax
SET FIREwall MOnitor=monitor-id [IP=ipadd] [COPyto=ip-interface] [APPlyto={PRIVate|PUBlic|BOTH}]
where:
■ monitor-id is an integer from 1 to 65535
■ ipadd is an IPv4 address in dotted decimal notation
■ ip-interface is a VLAN or Eth interface such as vlan2 or eth0. The interface can be a logical interface such as vlan2-1 or eth0-1
Description
This command modifies a session monitor.
The applyto parameter specifies where the monitoring for this device applies. If you specify private, the firewall copies packets at the private interface. This is before firewall processing for outgoing packets and after firewall processing for incoming packets. If you specify public, the firewall copies packets at the public interface. This is before firewall processing for incoming packets and after firewall processing for outgoing packets.
show firewall
Syntax
SHow FIREwall
Description
This command displays firewall settings, including a summary of each policy (Figure 15, Table 7).
Figure 15: Example output from the show firewall command for a policy that uses interface-based ENAPT
Firewall Configuration
  Status .................... disabled
  Enabled Notify Options .... manager
  SIP ALG enabled ........... FALSE
  Maximum Packet Fragments .. 20
Policy : example
  TCP Timeout (s) ...................
show firewall policy
Syntax
SHow FIREwall POLIcy[=policy-name] [COUnter] [SUMmary]
Description
This command displays firewall policy settings (Figure 16, Table 8).
Figure 16: Example output from the show firewall policy command for a policy that uses interface-based ENAPT
Policy : example
  TCP Timeout (s) ...................
  UDP Timeout (s) ...................
  Other Timeout (s) .................
  ICMP Unreachable Timeout (s) ......
  TCP Handshake Timeout Mode ........
show firewall monitor
Syntax
SHow FIREwall MOnitor
Description
This command displays information about session monitoring (Figure 17, Table 9).
Figure 17: Example output from the show firewall monitor command
Firewall Monitoring
  Status .................... enabled
Monitor  IP           Apply to  Copy to  In(pkts)  Out(pkts)
--------------------------------------------------------------------------------
1        192.168.1.1  PRIVATE   VLAN2    0         0
2        192.168.1.
Reverse Telnet Without Authentication
Reverse Telnet allows you to connect a device such as a modem to an asynchronous port, and then to control that device by telneting from your PC to the router or switch. Reverse Telnet is described in RFC 2217, Telnet Com Port Control Option.
Command Reference Updates
This section describes any new commands and the changed portions of any modified commands and output screens. It uses boldface to highlight new parameters and options of existing commands, and new fields of existing output.