AT-S60 Management Software User’s Guide, AT-8400 Series Switch, Version 2.0
Copyright © 2003 Allied Telesyn, Inc. 960 Stewart Drive Suite B, Sunnyvale, CA 94085 USA All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft is a registered trademark of Microsoft Corporation, Netscape Navigator is a registered trademark of Netscape Communications Corporation.
Table of Contents (excerpt)
List of Figures, page 12
Preface, page 17
How This Guide is Organized
Starting a Telnet Management Session, page 40
Quitting from a Telnet Management Interface, page 40
Chapter 3: Basic Switch Parameters
Locked, page 103
Security Violations and Intrusion Actions, page 104
Configuring Port Security
Chapter 12: STP, RSTP, and MSTP, page 184
STP and RSTP Overview, page 185
Bridge Priority and the Root Bridge
Selecting a VLAN Mode, page 279
Changing the Uplink Port, page 281
Displaying VLAN Information
Symmetrical Encryption, page 342
Asymmetrical (Public Key) Encryption, page 343
Data Authentication
Chapter 25: 802.1x Port-Based Network Access Control, page 404
Port-Based Access Network Control Overview, page 405
802.1x Port-Based Network Access Control
Displaying Port Status, page 471
Displaying Port Statistics, page 474
Chapter 30: Port Security
Deleting MAC Addresses, page 546
Changing the Aging Time, page 547
Chapter 37: IGMP Snooping
VLAN and GARP Default Settings, page 601
VLAN Default Settings, page 601
GARP and GVRP Default Settings
List of Figures (excerpt)
Figure 5: Main Menu, page 32
Figure 6: Connecting a Terminal or PC to the RS-232 Terminal Port, page 36
Figure 7: Main Menu
Figure 42: Port Mirroring Menu
Figure 43: Modify Mirror Menu
Figure 44: File Menu
Figure 97: Display Port Based VLAN Menu, page 258
Figure 98: Configure VLAN Menu, page 260
Figure 99: Configure Port Based VLAN Menu
Figure 152: Configure Supplicant Menu
Figure 153: Configure Supplicant Port Access Parameters Menu
Figure 154: Display Port Access Status Menu
Figure 207: GVRP Counters Page, page 537
Figure 208: Configuration Layer 2 Page, MAC Address Tab, page 541
Figure 209: MAC Address Table Page
Preface This guide contains instructions on how to configure an AT-8400 Series Switch using the AT-S60 management software. Within this manual, the AT-8400 Series Switch is often abbreviated to switch. How This Guide is Organized This manual is divided into three sections. Section I: Overview This section contains just one chapter. It reviews the different ways that you can access the AT-S60 management software on a switch. In addition, it describes how to specify ports.
Preface Section III: Security Features The chapters in this section describe how to configure the authentication and advanced security features. The authentication features, 802.1x Port Based Access Control as well as TACACS+ and RADIUS protocols appear in both the AT-S60 version 2.0.0 NE and 2.0.0 software. The Encryption Services, Public Key Infrastructure (PKI), Secure Socket Layer (SSL), and Secure Shell (SSH) features only appear in the AT-S60 version 2.0.0 software.
AT-S60 Management Software User’s Guide Document Conventions This document uses the following conventions:
Note: Notes provide additional information.
Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Preface Where to Find Web-based Guides The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) from our web site at www.alliedtelesyn.com. You can view the documents on-line or download them onto a local workstation or server.
AT-S60 Management Software User’s Guide Contacting Allied Telesyn This section provides Allied Telesyn contact information for technical support as well as sales or corporate information. Online Support You can request technical support online by accessing the Allied Telesyn Knowledge Base from the following web site: kb.alliedtelesyn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Preface Obtaining Management Software Updates New releases of management software for our managed products can be downloaded from either of the following Internet sites:
• the Allied Telesyn web site: http://www.alliedtelesyn.com
• the Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com
To use the FTP server, go to the above web site. Then login to the FTP server by entering “anonymous” for the user name and your email address for the password.
Section I Overview The chapter in Section I provides a brief overview of the AT-S60 management software. It explains the functions that you can perform with the management software and reviews the different methods for accessing the AT-S60 software on an AT-8400 switch.
Chapter 1 AT-S60 Overview This chapter describes the AT-S60 software functions, the types of sessions you can use to access the software, and the management access levels.
AT-S60 Management Software User’s Guide Overview The AT-S60 management software is intended for the AT-8400 Series switch. The software is used to monitor and adjust a switch’s operating parameters.
Chapter 1: AT-S60 Overview The following sections in this chapter briefly describe each type of management session. In addition, the following sections are provided: ❑ Management Access Levels on page 30 ❑ Specifying Ports on page 31 ❑ Specifying Time and Date on page 32 Local Management Session To establish a local management session with an AT-8400 switch, connect a terminal (or a PC) with a terminal emulator program to the RS-232 Terminal port on the switch.
AT-S60 Management Software User’s Guide Telnet Management Session Any management workstation on your network that has the Telnet application protocol can be used to manage an AT-8400 switch. In this guide, this type of management session is referred to as a remote management session because you do not have to be in the same wiring closet as the switch you are managing. Instead, you can manage the switch from any workstation on the network that has the application protocol.
Chapter 1: AT-S60 Overview Web Browser Management Session You can also use a web browser to manage a switch. Using a web browser management session is also referred to as remote management, just like a Telnet management session. You can manage a switch from any workstation on your network that has a web browser. Note For instructions on starting this type of management session, refer to Starting a Web Browser Management Session on page 429.
AT-S60 Management Software User’s Guide SNMP Management Session Another way to remotely manage the switch is with an SNMP management program. A familiarity with Management Information Base (MIB) objects is necessary for this type of management.
Chapter 1: AT-S60 Overview Management Access Levels There are two levels of management access on an AT-8400 switch: Manager and Operator. When you log in as a Manager, you can view and configure all of a switch’s operating parameters. When you log in as an Operator, you can only view the operating parameters. As an Operator, you cannot change any values. To log in, you enter a login id of Manager or Operator and the appropriate password when you start an AT-S60 management session.
AT-S60 Management Software User’s Guide Specifying Ports Many of the commands and parameters in this manual involve specifying the port(s) on the switch. Port numbers are specified in the following format: slot.port Slot is the number of the slot in the switch that contains the line card. There are twelve line card slots in the AT-8400 chassis. Port is the port number on the line card. For example, to indicate port 4 on the line card in Slot 8, enter: 8.4 In many commands, you can specify a list of ports.
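The slot.port format above, as an added example that is not from the guide or Allied Telesyn: a small Python parser that validates single ports and expands port lists before they are pasted into a command, so that a typo such as a slot number above twelve is caught instead of silently applied to the wrong line card. The single-port form and the twelve-slot chassis come from the guide; the list syntax (comma-separated entries with optional "-" ranges inside one slot) and the per-card port limit are assumptions made for the example.

```python
"""Parse and validate AT-S60 slot.port port specifications (added example).

The "slot.port" form and the twelve-slot chassis come from the guide. The list
syntax (comma-separated, optional "-" ranges within one slot) and the per-card
port limit are assumptions for illustration, not the switch's own grammar.
"""
import re

NUM_SLOTS = 12           # twelve line card slots in the AT-8400 chassis
MAX_PORTS_PER_CARD = 48  # assumed upper bound; real cards have fewer ports

_PORT_RE = re.compile(r"^(\d{1,2})\.(\d{1,2})$")


def parse_port(spec: str) -> tuple[int, int]:
    """Return (slot, port) for a string like '8.4'; reject anything else."""
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec {spec!r}: expected slot.port")
    slot, port = int(m.group(1)), int(m.group(2))
    if not 1 <= slot <= NUM_SLOTS:
        raise ValueError(f"slot {slot} out of range 1-{NUM_SLOTS}")
    if not 1 <= port <= MAX_PORTS_PER_CARD:
        raise ValueError(f"port {port} out of range 1-{MAX_PORTS_PER_CARD}")
    return slot, port


def parse_port_list(spec: str) -> list[tuple[int, int]]:
    """Expand '8.4,8.6-8.8' into [(8,4),(8,6),(8,7),(8,8)].

    Ranges may not cross slots, and duplicates are dropped while keeping
    order, so a command is never applied twice to the same port.
    """
    seen: dict[tuple[int, int], None] = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in port list")
        if "-" in entry:
            lo, hi = (parse_port(part) for part in entry.split("-", 1))
            if lo[0] != hi[0]:
                raise ValueError(f"range {entry!r} spans more than one slot")
            if lo[1] > hi[1]:
                raise ValueError(f"range {entry!r} is reversed")
            for port in range(lo[1], hi[1] + 1):
                seen[(lo[0], port)] = None
        else:
            seen[parse_port(entry)] = None
    return list(seen)


if __name__ == "__main__":
    print(parse_port("8.4"), parse_port_list("8.4, 8.6-8.8, 8.4"))
```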
Chapter 1: AT-S60 Overview Specifying Time and Date The Simple Network Time Protocol (SNTP) feature places the time and date on the local and Telnet interfaces. The time and date appear in the upper right hand corner of the menu. See Figure 1.

Figure 1: Menu banner (Allied Telesyn AT-8400 Series - ATS60 V2.0) showing the time and date
Section II Local and Telnet Management The chapters in Section II explain how to manage an AT-8400 switch from a local or Telnet management session.
Chapter 2 Starting a Local or Telnet Management Session This chapter contains the procedure for starting a local or Telnet management session on an AT-8400 Series switch.
AT-S60 Management Software User’s Guide Local Management Session To establish a local management session using the AT-S60 management software, connect an RS-232 straight-through cable to the RS-232 terminal port on the AT-8400 chassis. Connect the other end of the cable to a terminal or a PC with a terminal emulator program. A local management session is so named because you must be physically close to the switch, usually within a few meters, to start this type of management session.
Chapter 2: Starting a Local or Telnet Management Session Starting a Local Management Session To start a local management session, perform the following procedure: 1. Connect one end of a straight-through RS-232 cable with a DB-9 connector to the RS-232 terminal port. See Figure 2.

Figure 2 Connecting a Terminal or PC to the RS-232 Terminal Port (front-panel illustration of the AT-8400 RS-232 TERMINAL PORT beside the PWR, MGN, FLT, FAN A, FAN B, MSTR, WAIT, REM/OV and RESET labels)

2.
AT-S60 Management Software User’s Guide When prompted for the user name and password, enter one of the following options. ❑ For Manager access, type manager as the login id. The default password is “friend.” Then press Return. ❑ For Operator access, type operator as the login id. The default password is “operator.” Then press Return. Note The user names cannot be changed. The passwords are case sensitive. Both default passwords are printed in this guide, so change them before the switch is reachable from the network; see Configuring the Management Passwords in Chapter 3.
Chapter 2: Starting a Local or Telnet Management Session Please note the following: ❑ The Command Line Interface selection in the Main Menu is not described in this manual. For instructions on this option, refer to the AT-S60 Management Software Command Line Interface User’s Guide (PN 613-50401-00). ❑ If a pound sign (#) or dollar sign ($) is displayed instead of the Main Menu, the local interface has been configured for a command line prompt when a management session is started.
AT-S60 Management Software User’s Guide Telnet Management Session You can use the Telnet application protocol from a workstation on your network to manage an AT-8400 switch. This type of management is referred to as remote management because you can be physically far from the switch when you start the session, in contrast to a local management session, which requires that you connect a terminal directly to the switch. Telnet carries the login id, the password and everything else in the session in cleartext, so anyone who can capture traffic between the workstation and the switch can read them. Where your software version includes it, prefer the Secure Shell (SSH) server described in Section III, and use the Telnet Server setting in Chapter 3 to disable Telnet access on switches you do not manage this way.
Chapter 2: Starting a Local or Telnet Management Session Starting a Telnet Management Session To start a Telnet management interface, specify the IP address of the Master switch of the stack in the Telnet application protocol. When prompted for the user name and password, enter one of the following options. ❑ For Manager access, type manager as the user name. The default password is “friend.” ❑ For Operator access, type operator as the user name. The default password is “operator.”
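The login exchange above, as an added example that is not from the guide or Allied Telesyn: a minimal Telnet client in Python that refuses option negotiation, answers the login and password prompts, and runs against an in-process stand-in for the switch so it works offline. The prompt strings ("Login:", "Password:", "Main Menu"), the stand-in's behaviour and the credentials are assumptions; a real AT-S60 may word its prompts differently. The stand-in records every byte it receives, which is what a sniffer on the path would see, and makes the security point concrete: the password crosses the wire in cleartext.

```python
"""Telnet login to an AT-S60 switch, with an in-process stand-in (added example).

Not from the guide or Allied Telesyn. Prompt strings, credentials and the
stand-in's behaviour are assumptions; a real switch's prompts may differ.
"""
import socket
import threading

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def _refuse_options(raw: bytes, sock: socket.socket) -> bytes:
    """Strip Telnet command sequences from raw, refusing every option.

    A server asks the client to enable options with IAC DO x / IAC WILL x;
    answering WONT/DONT keeps the session in plain NVT mode. Assumes a
    command sequence does not straddle two recv() calls. Returns the data.
    """
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 2 < len(raw) and raw[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = raw[i + 1], raw[i + 2]
            if cmd == DO:
                sock.sendall(bytes([IAC, WONT, opt]))
            elif cmd == WILL:
                sock.sendall(bytes([IAC, DONT, opt]))
            i += 3
        elif i + 1 < len(raw) and raw[i + 1] == SB:      # subnegotiation: skip to IAC SE
            end = raw.find(bytes([IAC, SE]), i)
            i = len(raw) if end < 0 else end + 2
        elif i + 1 < len(raw) and raw[i + 1] == IAC:     # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        else:                                            # other two-byte command
            i += 2
    return bytes(out)


def _read_until(sock: socket.socket, marker: bytes, timeout: float = 5.0) -> bytes:
    """Accumulate decoded data until marker appears; error if the peer closes."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("switch closed the connection")
        buf += _refuse_options(chunk, sock)
    return buf


def telnet_login(sock: socket.socket, username: str, password: str) -> bytes:
    """Answer the login and password prompts; return the text up to the Main Menu."""
    _read_until(sock, b"Login:")
    sock.sendall(username.encode() + b"\r\n")
    _read_until(sock, b"Password:")
    sock.sendall(password.encode() + b"\r\n")      # cleartext, like everything else on Telnet
    return _read_until(sock, b"Main Menu")


def _fake_switch(sock: socket.socket, wire_log: list) -> None:
    """Constructed stand-in for the switch side, not a real AT-S60 transcript.

    Offers ECHO and asks for TERMINAL-TYPE like a typical server, prompts for
    credentials, and appends every byte received to wire_log unchanged.
    """
    def read_line() -> None:
        buf = b""
        while b"\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return
            wire_log.append(chunk)
            buf += chunk
    try:
        sock.sendall(bytes([IAC, WILL, 1, IAC, DO, 24]) + b"Login: ")
        read_line()
        sock.sendall(b"Password: ")
        read_line()
        sock.sendall(b"\r\nAllied Telesyn AT-8400 Series - ATS60 V2.0.0\r\nMain Menu\r\n")
    finally:
        sock.close()


def run_demo(username: str = "manager", password: str = "friend") -> tuple[bytes, bytes]:
    """Log in to the stand-in over a socketpair; return (banner, bytes seen on the wire)."""
    client, server = socket.socketpair()
    wire_log: list = []
    t = threading.Thread(target=_fake_switch, args=(server, wire_log), daemon=True)
    t.start()
    try:
        banner = telnet_login(client, username, password)
    finally:
        client.close()
    t.join(5)
    return banner, b"".join(wire_log)


if __name__ == "__main__":
    banner, wire = run_demo()
    print(banner.decode(errors="replace"))
    print("password readable on the wire:", b"friend\r\n" in wire)
```

Against a real switch, replace the socketpair with `socket.create_connection((master_ip, 23))` and pass that socket to `telnet_login`; the negotiation and prompt handling are unchanged.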
Chapter 3 Basic Switch Parameters This chapter contains a variety of information about basic switch parameters and procedures for using them with a local or Telnet management session.
Chapter 3:Basic Switch Parameters Assigning an IP Address to a Switch When building or expanding your network, you need to decide which managed switches need a unique IP address. The rule used to be that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application protocol. However, if a network contained a lot of managed switches, assigning each one an IP address was often cumbersome and time consuming.
AT-S60 Management Software User’s Guide How Do You Assign an IP Address? Once you have decided which, if any, switches on your network need an IP address, you have to access the AT-S60 software on the switches and assign the address or addresses. There are actually two ways in which you can assign a switch an IP address. The first method is to assign the IP configuration information manually. This method is explained in the next procedure, Configuring an IP Address and Switch Name on page 44.
Chapter 3:Basic Switch Parameters Configuring an IP Address and Switch Name The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch using a local or Telnet management session. Initially, it must be done from the local management interface. If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure Activating the BootP and DHCP Services on page 50.
AT-S60 Management Software User’s Guide 2. Change the parameters as desired. The parameters in the Administrative Menu are described below:
1 - IP Address This parameter specifies the IP address of the switch. You must specify an IP address if you intend to remotely manage the switch using a web browser, a Telnet utility, or an SNMP management program, or if you want a switch to function as the Master switch of an enhanced stack.
2 - Subnet Mask This parameter specifies the subnet mask for the switch.
Chapter 3:Basic Switch Parameters 9 - Set Console Baud Rate This selection allows you to set the baud rate of the serial port on the AT-8401 management card. The range is 2400 to 115,200 bps. This menu selection is only available from a local management session. The default is 9600 bps. B - Reboot the switch This selection allows you to reboot the switch without affecting the saved configuration on the switch.
AT-S60 Management Software User’s Guide Displaying Line Card Information This section describes how to display information about the line cards in the AT-8400 switch. The following procedures are provided: ❑ Displaying Line Card Information ❑ Displaying Line Card Statistics Displaying Line Card Information Use this procedure to display the line cards and the AT-8401 management card installed in your AT-8400 chassis.
Chapter 3:Basic Switch Parameters The Display Line Card Menu is shown in Figure 6.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2003

Display Line Card
1 - Display Line Card Information
2 - Display Line Card Statistics
3 - Clear Line Card Statistics
R - Return to Previous Menu
Enter your selection?

Figure 6 Display Line Card Menu

3. From the Display Line Card menu, type 1 to select Display Line Card Information.
AT-S60 Management Software User’s Guide Displaying Line Card Statistics To display the current line card statistics, perform the following procedure: 1. From the Main Menu, type 5 to select System Menu. The System Menu is displayed in Figure 5 on page 47. 2. From the System Menu, type 3 to select Display Line Card. The Line Card menu is displayed in Figure 6 on page 48. 3. From the Line Card Menu, type 2 to select Display Line Card Statistics. The following prompt appears: Enter line card-list: 4.
Chapter 3:Basic Switch Parameters Activating the BootP and DHCP Services The BootP and DHCP application protocols were developed to simplify network management. They are used to automatically assign IP configuration information—such as an IP address, subnet mask, and a default gateway address—to the devices on your network. An AT-8400 switch supports these protocols and can obtain its IP configuration information from a BootP or DHCP server on your network.
AT-S60 Management Software User’s Guide Note If you activate BOOTP/DHCP, the switch immediately begins to query the network for a BOOTP or DHCP server. The switch continues to query the network for its IP configuration until it receives a response. 4. After making changes, type R to return to the Main Menu. Then type S to select Save Configuration Changes.
Chapter 3:Basic Switch Parameters Setting the System Time The switch keeps its system time in one of two ways: you set it manually, which you must repeat every time you boot the switch, or you configure the Simple Network Time Protocol (SNTP) feature so the switch synchronizes its clock with an SNTP server. SNTP is a reduced version of the Network Time Protocol (NTP). Because SNTP servers report Universal Coordinated Time (UTC), you also specify the difference between UTC and your local time (the UTC offset).
AT-S60 Management Software User’s Guide 3. From the Configure System menu, type 1 - Configure System Software. The Configure System Software Menu is shown in Figure 10.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2003

Configure System Software
1 - Switch Mode
2 - Console Disconnect Timer Interval
3 - MAC address aging time
4 - Console Startup Mode
5 - Telnet Server
Chapter 3:Basic Switch Parameters 5. Type 1 - System Time to manually set the time and date for the switch. To set system time with an SNTP server, go to step 8. The following prompt appears: Enter new system time [hh:mm:ss] -> 6. Enter a new time for the system. To specify time for the switch, use a 24-hour clock (or military time). Use the following format: hours, minutes, and seconds. Separate each unit of time with a colon. For example, enter 17:20:00 for 5:20 PM.
AT-S60 Management Software User’s Guide 12. Type 4 - UTC Offset to specify a difference between the UTC and local time. Note If you have enabled DHCP, the switch automatically attempts to determine this value. In this case, you do not need to configure a value for the UTC Offset parameter. The following prompt is displayed: Enter UTC Offset [-12 to 12] -> 0 13. Enter a UTC Offset time. The default is 0 hours. The range is -12 to +12 hours. 14.
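The SNTP synchronization and UTC offset described in this procedure, as an added example that is not from the guide or Allied Telesyn: Python code that builds the 48-byte SNTP request, validates a reply before trusting it (SNTP carries no authentication, so a sanity check on mode, stratum and leap indicator is the least a client should do) and applies the menu's UTC Offset (-12 to 12 hours). The packet layout is the standard NTP/SNTP header (RFC 4330); the reply returned by sample_reply() is constructed for the demonstration, not captured from a real server, and reuses the date shown in the guide's menu screens.

```python
"""Build an SNTP request, validate the reply, apply the UTC offset (added example).

Not from the guide or Allied Telesyn. Standard 48-byte NTP/SNTP header
(RFC 4330); the reply in sample_reply() is constructed, not captured.
"""
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2208988800      # seconds from 1900-01-01 to 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/originate/receive/transmit timestamps.
_HDR = "!BBBbII4s8s8s8s8s"
MODE_CLIENT, MODE_SERVER = 3, 4


def build_request() -> bytes:
    """Client request: LI=0, version 4, mode 3; every other field zero."""
    return struct.pack(_HDR, (4 << 3) | MODE_CLIENT, 0, 0, 0, 0, 0,
                       b"\0" * 4, b"\0" * 8, b"\0" * 8, b"\0" * 8, b"\0" * 8)


def parse_reply(packet: bytes) -> datetime:
    """Return the server's transmit timestamp as an aware UTC datetime.

    Minimum checks before trusting an unauthenticated reply: server mode,
    a synchronized source (stratum 1-15, leap indicator not 3) and a
    non-zero transmit timestamp.
    """
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    f = struct.unpack(_HDR, packet[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != MODE_SERVER:
        raise ValueError(f"unexpected mode {mode}")
    if li == 3 or not 1 <= stratum <= 15:
        raise ValueError("server not synchronized (LI=3 or stratum outside 1-15)")
    tx_secs, tx_frac = struct.unpack("!II", f[10])
    if tx_secs == 0:
        raise ValueError("zero transmit timestamp")
    unix = tx_secs - NTP_UNIX_DELTA + tx_frac / 2 ** 32
    return datetime.fromtimestamp(unix, tz=timezone.utc)


def local_time(utc: datetime, utc_offset_hours: int) -> datetime:
    """Apply the menu's UTC Offset (-12 to 12 hours) to get the switch's local time."""
    if not -12 <= utc_offset_hours <= 12:
        raise ValueError("UTC offset must be between -12 and 12")
    return utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def sample_reply() -> bytes:
    """Constructed server reply: mode 4, stratum 2, transmit time
    15-Jan-2003 00:14:33 UTC (the date shown in the guide's menus)."""
    tx = int(datetime(2003, 1, 15, 0, 14, 33, tzinfo=timezone.utc).timestamp())
    ts = struct.pack("!II", tx + NTP_UNIX_DELTA, 0)
    return struct.pack(_HDR, (4 << 3) | MODE_SERVER, 2, 6, -20, 0, 0,
                       b"GPS\0", ts, b"\0" * 8, ts, ts)


if __name__ == "__main__":
    # Against a real server: send build_request() over UDP port 123 and pass
    # the 48-byte datagram you receive to parse_reply().
    t = parse_reply(sample_reply())
    print("UTC:", t.isoformat(), "local (offset -8):", local_time(t, -8).isoformat())
```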
Chapter 3:Basic Switch Parameters Rebooting a Switch To reset a switch while preserving the switch configuration, perform the following procedure: 1. From the Main Menu, type 4 to select Administrator Menu. 2. From the Administrator Menu, type B to select Reboot the switch. The following prompt is displayed: The switch is about to reboot. Do you want to proceed? [Yes/No] -> 3. Type Y to reset the switch or N to cancel this procedure. If you type Y, the following is displayed: Rebooting the Switch... . . .
AT-S60 Management Software User’s Guide Configuring the AT-S60 Software Security Features The AT-S60 software has several security features that can help prevent unauthorized individuals from changing the parameter settings of an AT-8400 switch. The security features are: ❑ Manager and Operator Passwords - The management software has two standard, management login accounts: Manager and Operator.
Chapter 3:Basic Switch Parameters Configuring the Management Passwords There are two levels of management access on an AT-8400 switch: Manager and Operator. When you log in as a Manager, you can view and configure all of a switch’s operating parameters. When you log in as an Operator, you can only view the operating parameters. As an Operator, you cannot change any values. Log in as a Manager or an Operator by entering the appropriate login id and password when you start an AT-S60 management session.
AT-S60 Management Software User’s Guide Configuring Management Access This procedure configures the console timer. It also enables and disables Telnet access and SNMP access. To configure management access, perform the following procedure: 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 47. 2. From the System Menu, type 1 - Configure System. The Configure System Menu is shown in Figure 9 on page 52. 3.
Chapter 3:Basic Switch Parameters Displaying the AT-S60 Hardware and Software Information The procedures in this section display the following switch information: ❑ System power information ❑ Fan status ❑ AT-S60 version number ❑ Bootloader version number ❑ MAC address Displaying System Hardware Information To display the system power and fan information, do the following: 1. From the Main Menu, type 5 to select the System Menu. The System Menu is shown in Figure 5 on page 47. 2.
AT-S60 Management Software User’s Guide You cannot change the information displayed in selections 1 through 3 in the Display System Hardware Information Menu. These fields are for display purposes only.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2003

Display System Hardware Information
1 - System 3.3V Power ............ 3.3V
2 - System 5V Power .............. 5.1V
3 - System Temperature ..........
4 -
5 -
Chapter 3:Basic Switch Parameters You cannot change the information displayed in selections 1 through 6 in the Display System Fan A Information menu. These fields are for display purposes only.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2003

Display System Fan A Information
1 - Fan Status ...................
2 - Fan 3.3V Power ...............
3 - Fan 12V Power ................
4 - Fan Temperature (Celsius) ....
5 - Fan 1 ........................
6 - Fan ..........................
AT-S60 Management Software User’s Guide You cannot change the information displayed in selections 1 through 6 in the Display System Software Information Menu. These fields are for display purposes only.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2003

Display System Software Information
1 - Application Software Version ...
2 - Application Software Build Date
3 - Bootloader Version .............
4 - Bootloader Build Date ..........
5 - MAC Address ...................
6 -
Chapter 3:Basic Switch Parameters Pinging a Remote System You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device. To ping a network device, perform the following procedure: 1. From the Main Menu, type 4 to select Administration Menu. The Administration Menu is shown in Figure 4 on page 44. 2. From the Administration Menu, type P to select Ping a Remote System.
AT-S60 Management Software User’s Guide Returning the AT-S60 Software to the Factory Default Values The procedure in this section returns all AT-S60 software parameters to their default values. This procedure also deletes any VLANs that you have created on the switch. Note The AT-S60 software default values can be found in Appendix A, AT-S60 Default Settings on page 585. To return the AT-S60 management software to its default settings, perform the following procedure: 1.
Chapter 3:Basic Switch Parameters
Switch is about to reboot. Do you want to proceed? [Yes/No] ->
7. Type Y to reboot the switch.
The Factory Defaults take effect only after the Switch reboots. Do you want to Reboot the Switch now? [Yes/No] ->
8. Type Y to reboot the switch. The operating parameters are returned to their default values and the switch is reset. Caution The switch does not forward traffic during the brief period required to reload its operating software. Some data traffic may be lost.
AT-S60 Management Software User’s Guide Configuring the Console Startup Mode You can configure the AT-S60 software to display either the Main Menu or the command line interface prompt (#) when you start a local or Telnet management session. The default is the Main Menu. To change the console startup mode, perform the following procedure: 1. From the Main Menu, type 5 to select the System Menu. The System Menu is shown in Figure 5 on page 47. 2. From the System Menu, type 1 to select Configure System.
Chapter 4 SNMP Community Strings The procedures in this chapter allow you to create and modify SNMP communities that have access to the switch. When you create an SNMP community, you can specify SNMP management station IP addresses as well as trap receiver IP addresses.
AT-S60 Management Software User’s Guide Enabling SNMP Communities To configure SNMP, you need to enable SNMP on your switch. You can then, optionally, enable authentication failure traps, which the switch sends when it receives an SNMP request carrying a community name it does not recognize; they are a simple way to notice community-string guessing. Traps generated by the SNMP agent are forwarded to all trap receivers in all of the SNMP communities. (For information about configuring the trap host receiver IP addresses and the SNMP management stations, see Configuring SNMP Communities on page 71.)
Chapter 4: SNMP Community Strings 4. From the Configure System Software Menu, type 8 to select Configure SNMP. The Configure SNMP Menu is shown in Figure 17.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2003

Configure SNMP
1 - SNMP Status ........................... Disabled
2 - Authentication Failure Trap Status .....
3 -
4 -
AT-S60 Management Software User’s Guide Configuring SNMP Communities Use this procedure to configure the SNMP community strings for the switch. You can assign SNMP community names. In addition, you can assign up to eight IP addresses of management stations and up to eight IP addresses of trap receivers. Use the following procedure to configure SNMP. 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 47. 2.
Chapter 4: SNMP Community Strings 6. Select 1 - Create SNMP Community to configure SNMP parameters. The following prompt appears: Enter SNMP Community Name: 7. Enter a SNMP community name of up to 15 alphanumeric characters and press Return. This parameter is case sensitive. Note Community names act as passwords for the SNMP protocol. Allied Telesyn recommends that you select SNMP community names carefully to ensure these names are known only to authorized personnel. Community names travel in cleartext inside every SNMP message, so anyone who can capture traffic between a management station and the switch can read them; a hard-to-guess name therefore needs to be combined with the management station IP address list, and SNMP should be left disabled on switches you do not manage this way.
AT-S60 Management Software User’s Guide The following prompt appears: Enter Trap Receiver IP Addr: 11. Enter an IP address to receive trap messages. Press Return. Use the following format for an IP address: XXX.XXX.XXX.XXX The display at the top of the Configure SNMP Community menu is updated to reflect your changes. 12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Changes to the SNMP parameters are immediately activated on the switch.
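Why the note above calls community names passwords, as an added example that is not from the guide or Allied Telesyn: Python code that encodes an SNMPv1 GetRequest with a hand-written subset of BER (RFC 1157) and then recovers the community string straight from the bytes, exactly as a sniffer between a management station and the switch would. A small checker applies the guide's own rule (up to 15 alphanumeric characters) and rejects the well-known default names. The OID, request id and community names are constructed for the demonstration; the encoding itself is standard SNMPv1.

```python
"""Encode an SNMPv1 GetRequest and read the community string back (added example).

Not from the guide or Allied Telesyn. Hand-written BER subset for SNMPv1
(RFC 1157); OID, request id and community names are constructed.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known vendor defaults


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(dotted: str) -> bytes:
    """Object identifier: first two arcs packed together, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 (version 0) GetRequest for one OID with a NULL placeholder value."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes) -> tuple[int, str]:
    """Return (version, community) from an SNMPv1 or v2c message, as a sniffer would.

    Both versions carry the community string in cleartext right after the
    version integer; SNMPv3 (version 3) has no such field.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = _read_tlv(msg, 0)
    ctag, cbody, _ = _read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected SNMP header layout")
    version = int.from_bytes(vbody, "big", signed=True)
    if version not in (0, 1):
        raise ValueError(f"version {version} does not carry a community string")
    return version, cbody.decode("ascii", errors="replace")


def check_community_name(name: str) -> list[str]:
    """Problems with a proposed name under the guide's rule (1-15 alphanumeric
    characters) plus a check against the well-known default names."""
    problems = []
    if not 1 <= len(name) <= 15:
        problems.append("length must be 1-15 characters")
    if not name.isalnum():
        problems.append("only alphanumeric characters are accepted")
    if name.lower() in DEFAULT_COMMUNITIES:
        problems.append("well-known default name; choose something private")
    return problems


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())
    print(extract_community(pkt), check_community_name("public"))
```

The `build_get_request` output is what a management station would send over UDP port 161 to the switch; pass a captured datagram to `extract_community` to see how little protection the name provides once the traffic is observable.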
Chapter 4: SNMP Community Strings Deleting a SNMP Community Use the following procedure to delete a SNMP community. 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 47. 2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 9 on page 52. 3. From the Configure System Menu, type 1 - Configure System Software. The Configure System Menu is shown in Figure 10 on page 53. 4.
AT-S60 Management Software User’s Guide Modifying a SNMP Community Use this procedure to change the attributes of a SNMP community. 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 47. 2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 9 on page 52. 3. From the Configure System Menu, type 1 to select Configure System Software. The Configure System Software Menu is shown in Figure 10 on page 53. 4.
Chapter 4: SNMP Community Strings 7. Select 1 - Add Attributes to Community to add SNMP manager and Trap Receiver IP addresses. You can add up to eight IP addresses for SNMP Managers. Additionally, you can add up to eight Trap Receiver IP Addresses. The following prompt is displayed: Enter SNMP Community Name: 8. Enter a SNMP community name from the list at the top of the menu and press Return. The SNMP community names are case sensitive. The following prompt is displayed: Enter SNMP Manager IP Addr: 9.
AT-S60 Management Software User’s Guide Do you want to delete Trap Receiver IP Address? 14. Enter Y to delete the IP address of the Trap Receiver. Enter N to retain the IP address of the Trap Receiver. Press Return. 15. Select 3 - Set Community Access Mode to change the access mode from read only to read/write or vice versa. Follow the prompts. 16. Select 4 - Set Community Status to enable or disable the current community. Follow the prompts. 17.
Chapter 4: SNMP Community Strings Displaying a SNMP Community Use the following procedure to display the attributes of a SNMP community. 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 47. 2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 9 on page 52. 3. From the Configure System menu, type 1 to select Configure System Software. The Configure System Software Menu is shown in Figure 10 on page 53. 4.
Chapter 5 Enhanced Stacking

This chapter explains the enhanced stacking feature and provides procedures for using this feature with a local or Telnet management session.

Enhanced Stacking Overview

The enhanced stacking feature can make it easier for you to manage an AT-8400 and any other ATI switches in your network that feature enhanced stacking. It offers the following benefits:

❑ From one local or remote management session, you can manage up to 24 switches. This eliminates having to initiate a separate management session for each switch in your network.

There are three basic steps to implementing this feature on your network:

1. You must select a switch in your network to function as the master switch of the stack. You can select an AT-8400, or any other ATI switch that is capable of enhanced stacking, to act as the master switch of an enhanced stack. For networks that consist of more than one subnet, there must be at least one master switch in each subnet.

This is explained in the procedure Setting a Switch’s Enhanced Stacking Status on page 83.

Example

For an example of the enhanced stacking feature, see Figure 21. This example shows a mixture of AT-8400 and AT-8000 Series switches. With this configuration, starting a local or remote management session on either AT-8400 Series master switch provides management access to the AT-8000 Series switches as well.

[Figure 21: Enhanced stacking example. Master 1 IP Address 149.32.11.22; Master 2 IP Address 149.32.11. (remainder not captured)]

Setting a Switch’s Enhanced Stacking Status

The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below:

❑ Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. You can assign the master status to either an AT-8400 or any other ATI switch that features enhanced stacking, which can then be used to manage a mixture of AT-8400 and AT-8000 Series switches.

Configuring Enhanced Stacking

To adjust a switch’s enhanced stacking status, perform the following procedure:

1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 22.

[Figure 22: Enhanced Stacking menu. Option 1 - Switch State-(M)aster/(S)lave/(U)navailable ....; remaining options not captured.]

Selecting a Switch in an Enhanced Stack

Before performing a procedure on a switch, check that you are accessing the correct switch. If you assigned system names to your switches, this is a simple check: the name of the switch you are currently managing is displayed at the top of every management menu. For example, in Figure 23, the name of the switch is Sales Switch 591.

3. Type 1 to select Get/Refresh List of Switches. The master switch polls the network for all slave and master switches in the subnet and displays a list of the switches in the Stacking Services menu. The updated Stacking Services menu is shown in Figure 24.

[Figure 24: Stacking Services menu after the list of switches is refreshed; contents not captured.]

6. Enter a username and press Return. The usernames are “manager” to view and change the switch settings and “operator” to view the settings only. A password prompt is displayed.
7. Enter the switch’s password and press Return. The default password for Manager access on an AT-8400 switch is “friend.” The default password for Operator access is “operator.” The passwords are case-sensitive. The Main Menu of the selected switch is displayed. You can now manage the switch.
Chapter 6 Port Parameters

This chapter contains procedures for viewing and changing the parameter settings for the individual ports on a switch with a local or Telnet management session.

Displaying Port Status

This section provides a procedure to display the status of a port. To display port statistics, see Displaying Port Statistics on page 98. To display the status of the ports on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25.

[Figure 25: Port Menu; contents not captured.]

The information in this menu is for viewing purposes only. The columns in the menu are described below:

Port
Indicates the port number in the format slot number.port number. See Specifying Ports on page 31.

Status
Indicates the administrative status, enabled or disabled, of the port.
Enabled - Indicates the port is able to send and receive Ethernet frames. This is the default setting for all ports on the switch.
Disabled - Indicates the port has been manually disabled.

Speed
The operating speed of the port. Possible values are:
0010 - Indicates 10 Mbps.
0100 - Indicates 100 Mbps.
1000 - Indicates 1000 Mbps.

Duplex
The duplex mode of the port. Possible values are half-duplex and full-duplex.

PVID
The port VLAN identifier currently assigned to the port.

Flow Ctl
The flow control setting for the port.

Low - Indicates low priority has been assigned to the port. As a result, all tagged and untagged frames are sent to the low priority queue.
High - Indicates high priority has been assigned to the port. As a result, all tagged and untagged frames are sent to the high priority queue.
For more information, see Class of Service Overview on page 320.

Configuring Port Parameters

To configure the parameter settings for a port on the switch, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 1 to select Port Configuration. The following prompt is displayed:
Enter port-list:
3. Enter the number of the port you want to configure and press Return. See Specifying Ports on page 31.
4. Adjust the port parameters as desired. You adjust a parameter by typing its number, which toggles the parameter through its possible settings. The parameters are described below.

0 - Port Name
This parameter appears only if you are configuring a single port. You can use this selection to assign a name to the port. The name can be up to fifteen alphanumeric characters. Spaces are allowed.

1 - Status
You use this selection to change the administrative status of a port.

High Priority - Indicates high priority has been assigned to the port. All ingress tagged and untagged frames received on the port are forwarded to the egress port’s high priority queue.

4 - HOL Blocking
You use this selection to prevent a frame from being forwarded to a blocking or blocked port. For example, a blocking or blocked port can be one that is receiving too many frames.

Disabled - Indicates that no flow control occurs on the port.
Enabled - Indicates that flow control occurs on the port.

7 - Negotiation
You use this selection to configure a port for Auto-Negotiation or to manually set a port’s speed and duplex mode. Press 7 to toggle between the following settings:
Auto - Select Auto (for Auto-Negotiation) to set both speed and duplex mode for the port automatically.

The possible settings for 9 - Duplex are:
Full - Indicates full-duplex mode
Half - Indicates half-duplex mode

Table 2 Port-Duplex Settings on Line Cards

Line Card                     Port Duplex
AT-8411 TX                    Full and half
AT-8412/SC FX, AT-8412/MTFX   Full only
AT-8413 GB/T copper port      Full only
AT-8413 GB/T fiber port       Full only
AT-8414/ST, AT-8414/SC        Full and half

Possible settings for A - MDI/MDIX Crossover are:
MDI - Indicates the MDI setting
MDI/X - Indicates the MDI-X setting

Displaying Port Statistics

To display Ethernet port statistics, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 28.

[Figure 28: Port Statistics menu; contents not captured.]

The Display Port Statistics Menu is shown in Figure 29.

[Figure 29: Display Port Statistics menu for Port 6.1. Counters listed: Bytes Received, Frames Received, Broadcast Frames Received, Multicast Frames Received, Total Bytes Received, Total Frames Received, Frames 64 Bytes, Frames 65-127 Bytes, Frames 128-255 Bytes; remaining counters and their values not captured.]

Total Bytes Received
Number of bytes received by the port.

Jabber
Number of occurrences of corrupted data or useless signals appearing on the port.

Total Frames Received
Number of frames received by the port.

CRC Error
Number of frames with a cyclic redundancy check (CRC) error but with the proper length (64-1518 bytes) received on the port.
Chapter 7 Port Security

This chapter describes port security and provides the procedures for setting port security with a local or Telnet management session.

Port Security Overview

The port security feature can enhance the security of your network. You can use the feature to control which end nodes can forward frames through the switch.

Note
The port security feature cannot be used on a port that is configured as a supplicant or an authenticator of the port-based network access feature, described in 802.1x Port-Based Network Access Control on page 406.

A dynamic MAC address learned on a port operating in the Limited security mode is never timed out from the MAC address table, even when the corresponding end node is inactive. Once the port has learned its maximum number of addresses, it does not learn any new addresses, even when the end nodes it has learned are inactive. Static MAC addresses are retained by the port and are not included in the count of maximum dynamic addresses.

Security Violations and Intrusion Actions

When you set a port’s security level, you can also set the action the port performs in the event it receives an invalid frame. This is referred to as the intrusion (intruder) action. Before defining the intrusion actions, it helps to understand first what constitutes an invalid frame.

Configuring Port Security

To set a switch’s port security level, perform the following procedure:

1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30.

[Figure 30: Security Menu; contents not captured.]

3. Type 1 to select Configure Port Security. The following prompt is shown:
Enter port-list:
4. Enter the port(s) you want to configure and press Return. For information about how to specify ports, see Specifying Ports on page 31. The Configure Port Security Menu is shown in Figure 32.

[Figure 32: Configure Port Security menu for ports 3.1-2. Option 1 - Security Mode ....; remaining options not captured.]

If you selected one of the other security levels, several new menu options are added to the Configure Port Security menu, as shown in Figure 33.

[Figure 33: Configure Port Security menu for ports 3.1-2 with options 1 - Security Mode, 2 - Intrusion Action, 3 - Port Participating, 4 - MAC Limit; current values not captured.]

9. If you selected the Limited security mode for the port, do the following to specify the maximum number of dynamic MAC addresses you want the port to be able to learn:
a. Type 4 to select MAC Limit. The following prompt appears:
Enter port security threshold: [1 to 256] -> 100
b. Enter the maximum number of dynamic MAC addresses you want the port to learn. The range is 1 to 256. The default is 100.
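The Limited security mode described above is easiest to reason about as a small state machine: a per-port set of dynamic addresses that grows until MAC Limit is reached and is never aged out, plus static entries that are honoured but not counted. The following model is an added example, not AT-S60 code, and it implements only what the text states. The guide's intrusion actions are not on this page, so what happens to an over-limit frame is an assumption here: the model refuses to learn the address and records it as a violation, which is what a monitoring script would want to see.

```python
"""Model of a switch port in the Limited port-security mode.

Added example, not Allied Telesyn code.  Rules taken from the text above:
  - dynamic addresses are learned up to MAC Limit (1 to 256, default 100);
  - once learned, a dynamic address is never timed out;
  - static addresses are retained and not counted toward the limit;
  - once the limit is reached, no new addresses are learned.
Assumption: an unknown source address arriving after the limit is reached is
treated as an intrusion (recorded, not learned).  The actual intrusion action
configured on the switch is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LimitedPort:
    name: str                                   # port in slot.port form, e.g. "3.1"
    mac_limit: int = 100                        # Enter port security threshold: [1 to 256]
    static: set[str] = field(default_factory=set)   # entered by the administrator
    dynamic: set[str] = field(default_factory=set)  # learned from ingress frames
    violations: list[str] = field(default_factory=list)  # refused source addresses

    def __post_init__(self) -> None:
        if not 1 <= self.mac_limit <= 256:
            raise ValueError("MAC Limit must be in the range 1 to 256")
        self.static = {m.lower() for m in self.static}

    def receive(self, src_mac: str) -> bool:
        """Process the source address of one ingress frame.

        Returns True when the frame is accepted (known or newly learned
        address) and False when it is refused as an intrusion.
        """
        mac = src_mac.lower()
        if mac in self.static or mac in self.dynamic:
            return True                      # known; dynamic entries never time out
        if len(self.dynamic) < self.mac_limit:
            self.dynamic.add(mac)            # room left: learn it
            return True
        self.violations.append(mac)          # limit reached: refuse, do not learn
        return False

    def learned_count(self) -> int:
        """Dynamic addresses only; static entries are not part of the count."""
        return len(self.dynamic)


def demo() -> dict:
    """Constructed traffic against port 3.1 with MAC Limit 2 and one static entry."""
    port = LimitedPort("3.1", mac_limit=2, static={"00:11:22:33:44:55"})
    frames = [                               # constructed source addresses, in order
        "00:11:22:33:44:55",                 # static: accepted, not counted
        "aa:bb:cc:00:00:01",                 # learned (1 of 2)
        "aa:bb:cc:00:00:02",                 # learned (2 of 2)
        "aa:bb:cc:00:00:03",                 # limit reached: refused
        "aa:bb:cc:00:00:01",                 # already learned: accepted
        "00:11:22:33:44:55",                 # static again: accepted
    ]
    accepted = [port.receive(m) for m in frames]
    return {"accepted": accepted, "learned": port.learned_count(),
            "static": len(port.static), "violations": list(port.violations)}


if __name__ == "__main__":
    print(demo())
```

Because dynamic entries persist, a port that has reached its limit keeps refusing any new device even after the original end nodes are unplugged; the model's `violations` list is where such a silent lock-out shows up, which is the condition worth alerting on.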
Chapter 8 Port Trunking

This chapter describes port trunking and contains the procedures for creating, deleting, and modifying port trunks with a local or Telnet management session.

Port Trunking Overview

Port trunking is an economical way for you to increase the bandwidth between two Ethernet switches. For the AT-8400 Series switch, a port trunk can consist of up to eight ports that have been grouped together to function as one logical path. A port trunk increases the bandwidth between switches and is useful in situations where a single physical data link between switches is insufficient to handle the traffic load.

The example in Figure 35 illustrates a 10/100 port trunk with 8 data links between two AT-8400 switches.

[Figure 35: Port Trunk Example with 10/100 Mbps Ports]

In addition, you can create a port trunk between an AT-8400 switch and other switches that support trunking.

Port Trunking Guidelines

When creating a port trunk, you need to follow a set of guidelines.

❑ For 10/100 port trunks, such as those on an AT-8411 TX line card, all ports included in the trunk must reside on the same line card. See Figure 35 on page 111 for an illustration of a 10/100 Mbps port trunk.
❑ For 1,000 Mbps port trunks, such as those on an AT-8413 line card, all ports included in the trunk must reside on different line cards. Generally, there is one 1,000 Mbps port per line card, as on the AT-8413 line card.

Before Creating Port Trunks

As mentioned in the guidelines above, you need to ensure the settings on your ports are identical before adding them to a port trunk. To display your current port settings, see Displaying Port Status on page 89. Then, to update the port configuration so that all of the ports in the trunk have the same configuration, see Configuring Port Parameters on page 93.

Creating a Port Trunk

This section contains the procedure for creating a port trunk on the switch. You must configure all the ports in your port trunk with the same settings. For more details, review the guidelines in Port Trunking Overview on page 110 before performing the procedure.

Caution
Connect the cables to the trunk ports on the switches after you have configured the trunk with the management software.

3. Type 1 to select Create Trunk. The following prompt is displayed:
Enter Trunk Name: ->
4. Enter an alphanumeric name that identifies the trunk, such as universitytrunk7, and press Return. The name can have a maximum of 16 alphanumeric characters and must contain at least one alphabetic character. Trunk names must be unique. You cannot enter a port name for this parameter.
Deleting a Port Trunk

Use this procedure to delete an existing port trunk, including the trunk ID, name, and ports associated with the port trunk.

Caution
Before performing the following procedure, disconnect the cables from the port trunk on the switch. Deleting a port trunk with the cables attached can create loops in your network topology. Data loops can result in broadcast storms and poor network performance.

Modifying a Port Trunk

Use this procedure to modify an existing port trunk. See the Port Trunking Guidelines on page 111 for information specific to 10/100 Mbps and 1000 Mbps port trunks.

The Modify Trunk menu is shown in Figure 37. Notice the two current port trunks, called highschool and elementary, included in this figure.

[Figure 37: Modify Trunk menu. Banner: Allied Telesyn AT-8400 Series - ATS60 V2.0.0, High School Switch 142, User: Manager, 00:14:33 15-Jan-2003.]

ID   Name         Type       Ports
----------------------------------
1    highschool   10/100MB   4.1-4
2    elementary   10/100MB   4. (remainder not captured)

(Menu options 1 to 5 follow the table; their labels were not captured.)

Changing the Name of the Port Trunk

Use this procedure to change the name of a port trunk. To change the name of a port trunk, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 4 to select Port Trunking. The Trunk Configuration menu is shown in Figure 36 on page 114.
3. Type 3 to modify a trunk. The Modify Trunk menu is shown in Figure 37 on page 118.
4.

2. From the Port Menu, type 4 to select Port Trunking. The Trunk Configuration menu is shown in Figure 36 on page 114.
3. Type 3 to modify a trunk. The Modify Trunk menu is shown in Figure 37 on page 118.
4. Select 2 - Add ports to Trunk to add ports to an existing trunk. The following prompt appears:
Enter Trunk ID: [1 to 22] -> 1
5. Enter the trunk ID number of the trunk you want to modify and press Return. A list of the current trunk IDs appears in the Modify Trunk menu.

Deleting Ports from a Port Trunk

Use this procedure to delete ports from an existing port trunk. If you want to delete all the ports from an existing port trunk and replace them with a new set of ports, see Replacing Ports in a Trunk on page 122 and Clearing Ports in a Port Trunk on page 123. To delete a port from a port trunk, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2.

Replacing Ports in a Trunk

Use this procedure to overwrite, or replace, the current ports in a port trunk with a new list of ports. To add ports to an existing port trunk while retaining the current ports, see Adding Ports to an Existing Port Trunk on page 119. To overwrite the current ports in a port trunk with a new list of ports, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2.

Clearing Ports in a Port Trunk

Use this procedure to clear, or delete, all of the current ports in a port trunk while leaving the port trunk ID, name, and type. To delete individual ports, see Deleting Ports from a Port Trunk on page 121. To clear or delete all the ports on a port trunk, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2.
Chapter 9 Port Mirroring

This chapter describes port mirroring and provides the procedures for creating and deleting a port mirror using a local or Telnet management session.

Port Mirroring Overview

The port mirroring feature allows you to monitor the traffic on one or more ports by copying the traffic to another port, called the destination mirror port. Using port mirroring, you can connect a network analyzer to the mirror port to monitor both the traffic received and the traffic transmitted on one or more ports (called the source mirror ports).

Creating a Port Mirror

Use the following procedure to create a port mirror. For information about how to specify a port, see Specifying Ports on page 31. To create a port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 5 to select Port Mirroring. The Port Mirroring menu is shown in Figure 38.

[Figure 38: Port Mirroring menu; contents not captured.]

Note
You cannot assign a range of ports on the same line card as source mirror ports.

The source mirror port (or ports) is displayed at the top of the screen.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Your changes are saved. The port mirror is now functional.

Modifying a Source Port Mirror

Use the following procedure to add, delete, set (overwrite), or clear a source port mirror. For information about how to specify a port, see Specifying Ports on page 31. To modify a source port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 5 to select Port Mirroring. The Port Mirroring menu is shown in Figure 38 on page 126.
3.

The following prompt appears:
Enter Source Port(s) [port-list]:
6. Enter the source mirror port(s) or port list and press Return.

Note
You cannot assign a range of ports as source mirror ports.

The display at the top of the Port Mirroring menu is updated.

7. To delete a source port mirror, enter 2. The following prompt appears:
Enter Destination Port:
8. Enter the destination port from the list at the top of the screen and press Return.

Deleting a Destination Port Mirror

To delete a destination port mirror and its source mirror port(s), perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 5 to select Port Mirroring. The Port Mirroring menu is shown in Figure 38 on page 126.
3. Type 3 to select Delete Mirror. The following prompt is displayed:
Enter Destination Port:
4.

Enabling a Destination Port Mirror

Use this procedure if you have previously disabled a destination port mirror (see Disabling a Destination Port Mirror on page 132) and you want to make it active again. To enable a destination port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 5 to select Port Mirroring.

Disabling a Destination Port Mirror

Use this procedure to prevent traffic from the source mirror port from being mirrored to the destination port. You may want to use this procedure to temporarily stop mirroring the source traffic while reserving the destination port for mirroring. To disable a port mirror, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2.
Chapter 10 File System Configuration

This chapter describes the file system operations you can perform on configuration and system files.

File System Configuration Overview

The File System Menus allow you to choose the active system configuration file, create a system configuration file, and perform basic file operations on system files. You may want to create a configuration file to perform a routine task or to ensure all your AT-8400 switches have an identical configuration. There are two ways of obtaining new configuration files.

File Naming Conventions

The file subsystem provides a flat file system, which means directories are not supported. Files are uniquely identified by a file name in the following format:

filename.ext

where:

❑ filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }.

Using Wildcards to Specify Groups of Files

You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. A wildcard can also be combined with other characters. The following are examples of valid wildcard expressions:

*.cfg
*.key
28*
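The naming rule and the wildcard rule above are simple enough to check before a file is pushed to a switch, which avoids a rejected upload or a wildcard that silently matches more files than intended in a copy or delete. The following checker is an added example, not part of the guide or of the AT-S60 software. Two assumptions are labelled in the code: the apostrophe in the guide's character list is taken as the ASCII character, and because the rule for the ext part is not on this page, the checker only requires a non-empty alphanumeric extension. The sample file list is constructed in the style of the Display File(s) menu.

```python
"""Checks for AT-S60 style file names and * wildcards (added example, not
Allied Telesyn code)."""
from __future__ import annotations

import re

# Characters the guide lists as valid in the filename part.  Assumption: the
# apostrophe in the list is the ASCII ' character.
FILENAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "~'@#$%^&()_-{}"
)


def validate_name(name: str) -> list[str]:
    """Return the list of rule violations; an empty list means the name is valid."""
    if name.count(".") != 1:
        return ["name must have the form filename.ext with exactly one dot"]
    base, ext = name.split(".")
    problems: list[str] = []
    if not 1 <= len(base) <= 16:
        problems.append(f"filename part is {len(base)} characters; must be 1 to 16")
    bad = sorted(set(base) - FILENAME_CHARS)
    if bad:
        problems.append("invalid characters in filename part: "
                        + ", ".join(repr(c) for c in bad))
    # Assumption: the guide's rule for ext is not on this page; require a
    # non-empty ASCII alphanumeric extension such as cfg, key or img.
    if not ext or not ext.isascii() or not ext.isalnum():
        problems.append("extension must be one or more ASCII letters or digits")
    return problems


def wildcard_to_regex(pattern: str) -> re.Pattern[str]:
    """'*' matches any run of characters; every other character is literal."""
    body = "".join(".*" if c == "*" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z")


def select(pattern: str, names: list[str]) -> list[str]:
    """Names from `names` that the wildcard expression `pattern` selects, in order."""
    regex = wildcard_to_regex(pattern)
    return [n for n in names if regex.match(n)]


# Constructed file list in the style of the Display File(s) menu (not real switch output).
SAMPLE_FILES = ["default.cfg", "boot.cfg", "newcfg.cfg", "serverkey150.key",
                "hostkey250.key", "28jan.cfg", "ats60.img"]


if __name__ == "__main__":
    for candidate in ["boot.cfg", "abcdefghijklmnopq.cfg", "bad name.cfg", "noext"]:
        print(candidate, "->", validate_name(candidate) or "ok")
    for expr in ["*.cfg", "*.key", "28*"]:
        print(expr, "->", select(expr, SAMPLE_FILES))
```

Running `select` against the file list returned by Display File(s) before a wildcard delete shows exactly which files the expression covers; `28*` in the sample list selects only the constructed `28jan.cfg`, while `*.cfg` also covers `boot.cfg`, the boot configuration file.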
Setting, Creating, Editing, and Displaying System Configuration Files

Use the procedures in this section to load a system configuration file onto the switch, create a system configuration file, and view the contents of system configuration files.

The File Menu is shown in Figure 40.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager                               00:14:33 15-Jan-2003

File Menu

1 - Boot Configuration File ............ boot.cfg (Exist)
2 - Current Configuration .............. boot.cfg
3 - Create Configuration File
4 - View Configuration File
5 - Display File(s)
6 - Copy File
7 - Rename File
8 - Delete File

R - Return to Previous Menu

Enter your selection?

Figure 40 File Menu

2.

Creating a System Configuration File

This procedure allows you to save your system configuration to a file on the switch. You may want to save a copy of your system configuration file to download it onto another switch, or you may want to create a backup of your current configuration file. If the system configuration file does not reflect the current configuration on the system, the S - Save Configuration option appears on the Main Menu.

Editing a System Configuration File

You can edit a system configuration file on your workstation, using a text editor such as WordPad, and then upload it to one or more switches. A system configuration file contains a structured list of commands. Because the system configuration file defines so many switch operations, it is crucial to follow these guidelines when you edit the file:

❑ Follow the syntax of the CLI commands exactly.

The View Configuration File Menu is shown in Figure 41.

[Figure 41: View Configuration File Menu, Configuration File: mydefault.cfg. The captured lines of the file are:]

#
# Port Configuration
#
set switch port(s)=3.1
set switch port(s)=3.2
set switch port(s)=3.3
set switch port(s)=3.
#
(remainder not captured)

The second page of the View Configuration File Menu is shown in Figure 42.

[Figure 42: View Configuration File Menu, Configuration File: boot.cfg. The captured lines of the file are:]

#
#Port Security Configuration
#
#
#VLAN Configuration
#
create vlan=v3 vid=3 vlantype=portbased taggedports=1.2-8 untaggedport=3.
(remainder not captured)
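The configuration file shown above is a list of CLI commands with `parameter=value` tokens, and the port values use the same slot.port form (3.1, 3.1-2, 1.2-8) that the `Enter port-list:` prompts in Chapter 6 and Chapter 7 accept. Since the guide says the CLI syntax must be followed exactly when a file is edited by hand, a small parser that expands every port reference is a practical pre-upload check: it catches malformed port specifiers and shows which ports a file touches before it is loaded onto several switches. The following is an added example, not AT-S60 code. It assumes that a port list is comma-separated and that a range stays within one slot (both inferred from the examples on the page, not stated by it); the `name=uplink` parameter in the constructed sample file is invented for illustration and is not a documented AT-S60 parameter.

```python
"""Port-list expansion and configuration-file parsing for AT-S60 style
command files (added example, not Allied Telesyn code)."""
from __future__ import annotations

import re

# slot.port, optionally with a port range inside the slot: 3.1, 3.1-2, 1.2-8
PORT_ITEM = re.compile(r"^(\d+)\.(\d+)(?:-(\d+))?$")


def expand_port_list(spec: str) -> list[tuple[int, int]]:
    """Expand a port list such as '4.1-4, 6.1' into [(slot, port), ...].

    Assumption: items are separated by commas and a range never crosses a slot.
    """
    ports: list[tuple[int, int]] = []
    for raw in spec.split(","):
        item = raw.strip()
        m = PORT_ITEM.match(item)
        if not m:
            raise ValueError(f"bad port specifier: {item!r}")
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        ports.extend((slot, p) for p in range(first, last + 1))
    return ports


def parse_config_line(line: str):
    """Return None for blank or '#' comment lines, else (verb, object, params).

    'set switch port(s)=3.1' -> ('set', 'switch', {'port(s)': '3.1'})
    'create vlan=v3 vid=3'   -> ('create', None, {'vlan': 'v3', 'vid': '3'})
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    verb, obj, params = tokens[0], None, {}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key] = value
        elif obj is None:
            obj = tok                      # bare word after the verb: the object
        else:
            raise ValueError(f"unexpected token {tok!r} in: {line}")
    return verb, obj, params


def parse_config(text: str) -> list[tuple]:
    """All command lines of a configuration file, comments and blanks dropped."""
    return [p for p in (parse_config_line(ln) for ln in text.splitlines()) if p]


def ports_in_config(text: str) -> list[tuple[int, int]]:
    """Every (slot, port) referenced by a parameter whose name contains 'port'."""
    found: set[tuple[int, int]] = set()
    for _verb, _obj, params in parse_config(text):
        for key, value in params.items():
            if "port" in key.lower():
                found.update(expand_port_list(value))
    return sorted(found)


# Constructed sample in the layout of Figures 41 and 42; 'name=uplink' is invented.
SAMPLE_CONFIG = """\
#
# Port Configuration
#
set switch port(s)=3.1-2 name=uplink
#
# VLAN Configuration
#
create vlan=v3 vid=3 vlantype=portbased taggedports=1.2-8 untaggedport=3.1
"""


if __name__ == "__main__":
    for cmd in parse_config(SAMPLE_CONFIG):
        print(cmd)
    print("ports referenced:", ports_in_config(SAMPLE_CONFIG))
```

A file edited in a workstation text editor can be run through `parse_config` before upload; a line that no longer follows the `verb object key=value` shape raises `ValueError` with the offending token, and `ports_in_config` gives the set of ports the file will reconfigure.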
Copying and Renaming System Files

Use this procedure to copy and rename system files that reside on the switch. You can copy and rename certificate, certificate request, configuration, image, and key files. To display a list of system file names, see Displaying System Files on page 146. To copy and rename system files, perform the following procedure:

1. From the Main Menu, type 9 to select File Menu. The File Menu is shown in Figure 40 on page 138.
2.

Deleting System Files

Use this procedure to delete a system file. You can delete any of the following file types:

❑ certificate files
❑ certificate enrollment request files
❑ configuration files
❑ image files
❑ key files

If you delete a configuration file that is set as the Boot Configuration file, then (Not Exist) appears next to the configuration file name on the File Menu. See Setting a System Configuration File on page 137.

2. From the File Menu, type 8 to select Delete File. The following prompt is displayed:
Enter File Name to be deleted:
3. Enter the name of the file you want to delete. The following message is displayed:
Deleting file...

Displaying System Files

Use this procedure to display a list of current system files. You can use this procedure to display certificate, configuration, image, and key files. For information about shortcuts for specifying file names, see File Naming Conventions on page 135. To display a list of current system file names, perform the following procedure:

1. From the Main Menu, type 9 to select File Menu. The File Menu is shown in Figure 40 on page 138.
2.

The Display File(s) Menu is shown in Figure 43.

[Figure 43: Display File(s) Menu with columns Filename, Size (bytes), and Created. Files listed: default.cfg, boot.cfg, newcfg.cg, serverkey150.key, hostkey250.key, atikey350. (remainder not captured); sizes and creation dates not captured.]
Chapter 11 File Downloads and Uploads This chapter contains procedures for downloading and uploading files to a switch, as well as information on obtaining AT-S60 software updates.
AT-S60 Management Software User’s Guide Overview Downloading and uploading are useful system features that make switch management efficient. For example, you can upload a configuration file from a switch to your management station, make changes with a text editor, and then download it onto a different switch. This can be useful in network environments that contain a number of AT-8400 chassis on different subnets that need to be configured at the same, or nearly the same time.
Chapter 11: File Downloads and Uploads configuration settings, then the system configuration file contains the factory default settings. For more information, refer to Appendix A: AT-S60 Default Settings on page 585. For information about editing a system configuration file, see Editing a System Configuration File on page 140. Obtaining Management Software Updates on page 152 describes where to find management software updates. The Downloads & Uploads Menu is shown in Figure 44.
AT-S60 Management Software User’s Guide The final section, Downloading the AT-S60 Image Switch to Switch on page 182, contains the procedure for downloading the image file from one switch to another. This process is particularly useful if your network contains a large number of AT-8400 chassis. You can upgrade the software on one master switch and then instruct the master switch to upgrade the software on the other switches in the same subnet.
Obtaining Management Software Updates New releases of management software for our managed products can be downloaded from either of the following Internet sites:
• the Allied Telesyn web site: http://www.alliedtelesyn.com
• the Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com
To use the FTP server, go to the above web site. Then log in to the FTP server by entering “anonymous” for the user name and your email address for the password.
AT-S60 Management Software User’s Guide Downloading Files This section contains the procedures for downloading files onto a switch from a local or Telnet management session.
Chapter 11: File Downloads and Uploads Downloading an Image File Using Xmodem or TFTP The following procedures describe how to download a .img file type (image file) only. To download a different file type, see Downloading a File Using Xmodem or TFTP on page 161. See Table 4 on page 149 for more information about file types. Caution The switch stops forwarding Ethernet traffic during the initialization of the AT-S60 software image.
AT-S60 Management Software User’s Guide Note Menu options 2 and 4 in the menu are described in Uploading Files on page 168. Option 3 is described in Downloading a File Using Xmodem or TFTP on page 161. 4. Type 1 to download a new software image file onto the switch.
Chapter 11: File Downloads and Uploads Downloading an Image File Using Xmodem To download an image file using Xmodem (this procedure shows how to use the Hilgraeve HyperTerminal program), perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 154. The following prompt is displayed: You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No] 2. Type Y.
AT-S60 Management Software User’s Guide 5. Click on the Protocol field and select as the transfer protocol either Xmodem or 1K XModem. Note The transfer protocol must be Xmodem or 1K Xmodem. The recommended transfer protocol is 1K Xmodem because it is much faster than the Xmodem protocol. For a faster download, set the console baud rate to 115200. Refer to Starting a Local Management Session on page 36 for information on setting the console baud rate. 6. Click Send.
Chapter 11: File Downloads and Uploads The Downloads & Uploads Menu is displayed, as shown in Figure 45 on page 154. 8. If the new image file differs from the existing one, the following message is displayed: For a local management session: Switch is about to reboot. Do you want to proceed? [Yes/No] For a Telnet management session: Remote access will be lost. Do you want to continue? [Yes/No] 9. Type N if you do not want to activate the new image file.
AT-S60 Management Software User’s Guide Downloading an Image File Using TFTP To download a file using TFTP, perform the following procedure: 1. To begin: a. If you are using a Telnet management session, the following prompt is already displayed from step 4 in the procedure that begins on page 154: Only TFTP downloads are available for a Telnet access. TFTP server IP address: b.
Chapter 11: File Downloads and Uploads 5. If the new image file differs from the existing one, the following message is displayed: For the local management session: Switch is about to reboot. Do you want to proceed? [Yes/No] For the Telnet management session: Remote access will be lost. Do you want to continue? [Yes/No] 6. Type N if you do not want to activate the new image file. The Downloads & Uploads menu is displayed, as shown in Figure 45 on page 154. 7.
AT-S60 Management Software User’s Guide Downloading a File Using Xmodem or TFTP The following procedures describe how to download certificate, certificate enrollment requests, configuration, and key files. See Table 4 on page 149 for a list of file types and their extensions. To download an image file, see Downloading an Image File Using Xmodem or TFTP on page 154. If you are downloading a configuration file, there are some precautions you need to take.
The Downloads & Uploads menu is shown in Figure 49.

    Allied Telesyn AT-8400 Series - ATS60 V2.0.0
    High School Switch 142
    User: Manager                         00:14:33 01-Jan-2003

    Downloads & Uploads

    1 - Download Application Image/BootLoader
    2 - Upload Application Image/BootLoader
    3 - Download a File
    4 - Upload a File

    R - Return to Previous Menu

    Enter your selection?

Figure 49 Downloads & Uploads Menu

Note Menu options 2 and 4 in the menu are described in Uploading Files on page 168. 4.
Downloading a File Using Xmodem To download certificate, certificate enrollment requests, configuration, and key files using Xmodem, perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 161. The following prompt is displayed: Local file name: 2. Enter the local file name. This will be the name of the file after it is downloaded to the switch.
The Send File window is shown in Figure 51.

Figure 51 Send File Window

Note The transfer protocol must be Xmodem or 1K Xmodem. 5. In the Filename field, type the path and filename, or click the Browse button to locate and select the file to be downloaded onto the switch. 6. Click on the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.
7. Click Send. The file immediately begins to download onto the switch. The Xmodem File Send window in Figure 52 displays the current status of the file download.

Figure 52 XModem File Send Window

When the download process is complete, a message is displayed that shows the file name and size.
Chapter 11: File Downloads and Uploads Downloading a File Using TFTP To download a certificate, certificate enrollment requests, configuration, and key files using TFTP, perform the following procedure: 1. If you are using a Telnet management session, go to step 2. If you are using a local management session, type T at the prompt displayed in Step 4 in the procedure that begins on page 161. The following prompt is displayed: TFTP server IP address: 2. Enter the IP address of the TFTP server.
AT-S60 Management Software User’s Guide Press any key. The Downloads & Uploads Menu is displayed, as shown in Figure 49 on page 162. If you specified an acceptable file name, the download begins. When the TFTP download is complete, the following message is displayed: File successfully sent! Press any key to continue... 5. Press any key. The Downloads & Uploads menu is displayed, as shown in Figure 49 on page 162.
Chapter 11: File Downloads and Uploads Uploading Files This section contains procedures for uploading the following files to a management station or TFTP server using a local or Telnet management session.
AT-S60 Management Software User’s Guide Uploading an Image File Using Xmodem or TFTP The following procedures describe how to upload a .img file type (image file) only. To upload other file types, see Uploading a File Using Xmodem or TFTP on page 175. See Table 4 on page 149 for a list of file types.
Chapter 11: File Downloads and Uploads 4. Type 2 to upload the AT-S60 software image from the switch. If you are using a local management session, the following prompt is displayed: Upload Method/Protocol [X-Xmodem, T-TFTP]: If you are using a Telnet management session, the following prompt is displayed: Only TFTP uploads are available for a Telnet access. TFTP server IP address: To upload an image file using Xmodem, refer to Uploading an Image File Using Xmodem, which follows.
AT-S60 Management Software User’s Guide Uploading an Image File Using Xmodem To upload an image file using Xmodem (this procedure shows how to use the Hilgraeve HyperTerminal program), perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 168. The following prompt is displayed: You are going to invoke the Xmodem upload utility. Do you wish to continue? [Yes/No] 2. Type Y.
Chapter 11: File Downloads and Uploads 5. Click on the Protocol field and select as the transfer protocol either Xmodem or 1K XModem. Note The transfer protocol must be Xmodem or 1K Xmodem. The recommended transfer protocol is 1K Xmodem because it is much faster than the Xmodem protocol. For a faster download, set the console baud rate to 115200. Refer to Starting a Local Management Session on page 36 for information on setting the console baud rate. 6. Click Receive.
AT-S60 Management Software User’s Guide The file immediately begins to upload onto the system. The Xmodem File Receive window displays the current status of the file upload. The upload time depends upon the size of the file. When the upload is complete, the following message is displayed: Xmodem File Transfer Completed Press any key to continue... 8. Press any key. The Downloads & Uploads Menu is displayed, as shown in Figure 53 on page 169.
Chapter 11: File Downloads and Uploads Uploading an Image File Using TFTP To upload an image file using TFTP, perform the following procedure: 1. If you are using a Telnet management session, go to step 2. If you are using a local management session, type T at the prompt displayed in Step 4 in the procedure that begins on page 168. The following prompt is displayed: TFTP Server IP address: 2. Enter the IP address of the TFTP server. The following prompt is displayed: Remote File Name: 3.
AT-S60 Management Software User’s Guide Uploading a File Using Xmodem or TFTP The following procedures describe how to upload certificate, certificate enrollment requests, configuration, and key files. See Table 4 on page 149 for a list of file types and extensions. To upload an image file, see Uploading an Image File Using Xmodem or TFTP on page 169. To upload files, perform the following procedure: 1.
Chapter 11: File Downloads and Uploads 4. Type 2 to upload the AT-S60 software image from the switch. If you are using a local management session, the following prompt is displayed: Upload Method/Protocol [X-Xmodem, T-TFTP]: If you are using a Telnet management session, the following prompt is displayed: Only TFTP uploads are available for a Telnet access. TFTP server IP address: To upload a file using Xmodem, refer to Uploading a File Using Xmodem, which follows.
AT-S60 Management Software User’s Guide Uploading a File Using Xmodem To upload a file using Xmodem (this procedure shows how to use the Hilgraeve HyperTerminal program), perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 168. The following prompt is displayed: Local file name: 2. Enter a name for the file to be uploaded from the switch. Note The file name must already exist on the switch.
4. In the HyperTerminal main window, select the Transfer menu. Then select Receive File from the pull-down menu, as shown in Figure 59.

Figure 59 Transfer Menu

The Receive File window in Figure 60 is shown.

Figure 60 Receive File Window

5. In the Place received file in the following folder field, type the path to the destination folder, or click the Browse button to locate the destination folder. 6.
8. Enter a name for storing the uploaded file. This will be the name for the file on the management station after the upload process is complete. The Xmodem file receive window opens, as shown in Figure 62.

Figure 62 Xmodem File Receive Window

The file immediately begins to upload onto the system. The Xmodem File Receive window displays the current status of the file upload. The upload time depends upon the size of the file.
Chapter 11: File Downloads and Uploads Uploading a File Using TFTP To upload a file using TFTP, perform the following procedure: 1. To begin: a. If you are using a Telnet management session, the following prompt is already displayed from step 4 in the procedure that begins on page 175: Only TFTP downloads are available for a Telnet access. TFTP server IP address: b.
AT-S60 Management Software User’s Guide Note The file name must already exist on the switch. Note If you receive the following message: The specified local file name/type can not be uploaded. Press any key to continue. the file name extension is not correct or the file does not exist. See File Naming Conventions on page 135 for more information about file types. After you specify an acceptable file name, the upload begins.
Chapter 11: File Downloads and Uploads Downloading the AT-S60 Image Switch to Switch This procedure explains how to download an AT-S60 software image from a master AT-8400 switch to another switch using enhanced stacking. You can update only AT-8400 Series switches. In other words, you cannot download AT-S60 management software onto an AT-8000 Series switch. Downloading an image file from one AT-8400 to another is useful in networks that contain a large number of AT-8400 chassis.
AT-S60 Management Software User’s Guide Note You can update only AT-8400 Series switches. You cannot download AT-S60 management software onto an AT-8000 Series switch. The following prompt is displayed: Do you want to show remote switch burning flash -> [Yes/No] You can use this prompt to view system messages as the software image is stored to flash memory. 6. You can respond with Yes or No to this prompt. It does not affect the download.
Chapter 12 STP, RSTP, and MSTP This chapter provides background information on the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). The chapter also contains procedures on how to adjust spanning tree bridge and port parameters.
AT-S60 Management Software User’s Guide STP and RSTP Overview A physical loop in a network topology can pose a significant problem to Ethernet network performance. A loop exists when two or more nodes on a network can transmit data to each other over more than one data link. The problem with physical loops is that data packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and significantly reduce network performance.
Chapter 12: STP, RSTP, and MSTP Note An AT-8411 TX line card with more than four ports functioning as redundant links to other network devices can significantly retard the speed of convergence for STP and RSTP. You can avoid this problem by selecting ports on different line cards to function as redundant links. Bridge Priority and the Root Bridge The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge.
Table 5 Bridge Priority Value Increments

    Increment   Bridge Priority     Increment   Bridge Priority
    0           0                   8           32768
    1           4096                9           36864
    2           8192                10          40960
    3           12288               11          45056
    4           16384               12          49152
    5           20480               13          53248
    6           24576               14          57344
    7           28672               15          61440

Path Costs and Port Costs Once the Root Bridge has been selected, the bridges must determine if the network contains redundant paths and, if one is found, they must select a preferred path while placing the redunda
The port costs of the ports on an AT-8400 Series switch can be adjusted through the management software. For STP and RSTP, the range is 0 to 200,000,000. The default value of 0 activates auto-detection. This feature sets port cost according to port speed, assigning lower costs to ports operating at higher speeds. Table 6 lists the auto-detection default values for STP and RSTP.
AT-S60 Management Software User’s Guide The range for port priority is 0 to 240 in increments of 16. Just as with the bridge priority value, you specify the increment that corresponds to the desired value. Table 7 lists the port priority increments. The default value is 128, with an increment of 8.
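The increment convention of Tables 5 and 7 and the root bridge election rule (lowest priority wins, bridge identifier breaks ties) are easy to get wrong by hand, so here is an added example that works them through in code. This is not Allied Telesyn code; the bridge names and MAC addresses are constructed sample values.

```python
"""Root bridge election and the priority increments this chapter describes.

Added example, not Allied Telesyn code. Bridge names and MAC addresses below
are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable

BRIDGE_PRIORITY_STEP = 4096   # Table 5: increment 0-15 maps to 0-61440
PORT_PRIORITY_STEP = 16       # Table 7: increment 0-15 maps to 0-240
MAX_INCREMENT = 15


def bridge_priority_from_increment(increment: int) -> int:
    """Convert the increment typed at the menu to the bridge priority value the
    menu shows (the prompt says 'the value will be multiplied by 4096')."""
    if not 0 <= increment <= MAX_INCREMENT:
        raise ValueError(f"bridge priority increment must be 0-15, got {increment}")
    return increment * BRIDGE_PRIORITY_STEP


def port_priority_from_increment(increment: int) -> int:
    """Convert a port priority increment to its value; the default increment 8 is 128."""
    if not 0 <= increment <= MAX_INCREMENT:
        raise ValueError(f"port priority increment must be 0-15, got {increment}")
    return increment * PORT_PRIORITY_STEP


def mac_to_int(mac: str) -> int:
    """Parse 'xx:xx:xx:xx:xx:xx' into an integer so bridge identifiers compare numerically."""
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority_increment: int   # what the administrator typed at the priority prompt
    mac: str                  # the bridge identifier shown in the STP menu

    @property
    def priority(self) -> int:
        return bridge_priority_from_increment(self.priority_increment)

    def election_key(self) -> tuple:
        # Lowest priority wins; 0 is the highest priority. When two bridges share
        # a priority, the bridge identifier (MAC address) is the tie breaker.
        return (self.priority, mac_to_int(self.mac))


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """Return the bridge the spanning tree protocol will choose as root bridge."""
    candidates = list(bridges)
    if not candidates:
        raise ValueError("no bridges to elect from")
    return min(candidates, key=Bridge.election_key)


def would_displace_root(newcomer: Bridge, bridges: Iterable[Bridge]) -> bool:
    """True when attaching `newcomer` would change which bridge is root: a useful
    pre-change check before lowering a priority, and the condition to alert on
    when a bridge that is not supposed to be root starts winning the election."""
    current = elect_root(bridges)
    return newcomer.election_key() < current.election_key()


# Constructed sample topology: two core switches at the default priority
# (increment 8 = 32768) and one edge switch deliberately set higher (12 = 49152).
SAMPLE_BRIDGES = [
    Bridge("core-a", 8, "00:A0:D2:00:10:01"),
    Bridge("core-b", 8, "00:A0:D2:00:0F:FE"),   # same priority, lower MAC: wins
    Bridge("edge-1", 12, "00:A0:D2:00:20:33"),
]

if __name__ == "__main__":
    root = elect_root(SAMPLE_BRIDGES)
    print(f"root bridge: {root.name} (priority {root.priority}, id {root.mac})")
    unknown = Bridge("unknown", 0, "00:A0:D2:00:99:99")
    print("a bridge at increment 0 would take root:",
          would_displace_root(unknown, SAMPLE_BRIDGES))
```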
Chapter 12: STP, RSTP, and MSTP The forwarding delay value is adjustable on the AT-8400 Series switch through the management software. The appropriate value for this parameter depends on a number of variables, with the size of your network being a primary factor. For large networks, you should specify a value large enough to allow the root bridge sufficient time to propagate a topology change throughout the entire network.
There are two possible selections: ❑ Point-to-point ❑ Edge port If a bridge port is operating in full-duplex mode, then the port is functioning as point-to-point. Figure 63 illustrates an AT-8400 chassis and an AT-8024 switch that have been interconnected with one data link. With the link operating in full-duplex, the ports are said to be point-to-point ports.
Chapter 12: STP, RSTP, and MSTP If a port is operating in half-duplex mode and is not connected to any further bridges participating in STP or RSTP, then the port is an edge port. Figure 64 illustrates an edge port on an AT-8411 TX line card in an AT-8400 chassis. The port is connected to an Ethernet hub, which in turn is connected to a series of Ethernet workstations.
AT-S60 Management Software User’s Guide A port can be both point-to-point and edge at the same time. It would operate in full-duplex and have no STP or RSTP devices connected to it. Figure 65 illustrates a port on an AT-8411 TX line card functioning both as point-to-point and edge.
Chapter 12: STP, RSTP, and MSTP The single spanning tree encompasses all ports on the switch. If the ports are grouped into different VLANs, the spanning tree crosses the VLAN boundaries. This can pose a problem where multiple VLANs that span different switches are connected with untagged ports. What can occur is that spanning tree blocks a data link because it detects a physical data loop. This can cause fragmentation of your VLANs. This is illustrated in Figure 66.
AT-S60 Management Software User’s Guide Another approach is to connect your VLANs with tagged ports instead of untagged ports. A tagged port can handle traffic from more than one VLAN at a time. For information on tagged and untagged ports, refer to Chapter 13, Virtual LANs on page 240. You can also place different VLANs in different spanning trees. This is accomplished using the Multiple Spanning Tree Protocol, explained in MSTP Overview on page 210.
Chapter 12: STP, RSTP, and MSTP Enabling or Disabling STP, RSTP, or MSTP The AT-8400 Series switch can support STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. So before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. Once you have selected it as the active protocol, you can then enable or disable it.
AT-S60 Management Software User’s Guide The following prompt is displayed: Enter new value (S-STP, R-RSTP, M-MSTP): 4. Type S to select STP, R to select RSTP, or M to select MSTP. The following prompt is displayed: Do you want to enable spanning tree? (Y/N) -> If you respond with Yes to this prompt, the management software reboots the switch and enables the selected spanning tree protocol. If you respond with No, the management software reboots but does not activate spanning tree.
Chapter 12: STP, RSTP, and MSTP Configuring STP This section contains the following procedures: ❑ Configuring STP Bridge Settings on page 198 ❑ Configuring STP Port Parameters on page 200 Configuring STP Bridge Settings This section contains the procedure for configuring a bridge’s STP settings. Caution The default STP parameters are adequate for most networks. Changing them without prior experience and an understanding of how STP works might have a negative effect on your network.
The STP Menu is shown in Figure 68.

    Allied Telesyn AT-8400 Series - ATS60 V2.0.0
    High School Switch 142
    User: Manager                         00:14:33 15-Jan-2003

    STP Menu

    1 - Bridge Priority ..... 32768
    2 - Bridge Hello Time ... 2
    3 - Bridge Forwarding ... 15
    4 - Bridge Max Age ...... 20
    5 - Bridge Identifier ... 00:30:84:EE:31:01

    P - STP Port Parameters
    R - Reset STP to Defaults
    R - Return to Previous Menu

    Enter your selection?:

Figure 68 STP Menu

3.
Chapter 12: STP, RSTP, and MSTP topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, resulting in network loops. The range is 4 to 30 seconds. The default is 15 seconds. 4 - Bridge Max Age The length of time in seconds after which stored bridge protocol data units (BPDUs) are deleted by the bridge. All bridges in a bridged LAN use this aging time to test the age of stored configuration messages called bridge protocol data units (BPDUs).
The STP Port Parameters Menu is shown in Figure 69.

    Allied Telesyn AT-8400 Series - ATS60 V2.0.0
    High School Switch 142
    User: Manager                         00:14:33 15-Jan-2003

    STP Port Parameters

    1 - Configure STP Port Settings
    2 - Display STP Port Configuration

    R - Return to Previous Menu

    Enter your selection?

Figure 69 STP Port Parameters Menu

3. Type 1 to select Configure STP Port Settings. The following prompt is displayed: Enter port-list: 4. Enter the port to configure.
Chapter 12: STP, RSTP, and MSTP to 240 in increments of 16. The default value is 8 (priority value 128). For a list of the increments, refer to Table 7, Port Priority Value Increments on page 189. 2 - Port Cost The spanning tree algorithm uses the cost parameter to decide which port provides the lowest cost path to the root bridge for that LAN. The range is 0 to 200,000,000. The default setting is Auto-detect, which sets port cost depending on the speed of the port.
AT-S60 Management Software User’s Guide Displaying STP Port Settings To display port STP settings, perform the following procedure: 1. From the Spanning Tree Menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 68 on page 199. 2. From the STP Menu, type P to select STP Port Parameters. The STP Port Parameters Menu is shown in Figure 69 on page 201. 3. From the STP Port Parameters Menu, type 2 to select Display STP Port Configuration.
Chapter 12: STP, RSTP, and MSTP Configuring RSTP This section contains the following procedures: ❑ Configuring RSTP Bridge Settings on page 204 ❑ Configuring RSTP Port Parameters on page 207 Configuring RSTP Bridge Settings This section contains the procedure for configuring a bridge’s RSTP settings. Caution The default RSTP parameters are adequate for most networks. Changing them without prior experience and an understanding of how RSTP works might have a negative effect on your network.
The RSTP Menu is shown in Figure 72.

    Allied Telesyn AT-8400 Series - ATS60 V2.0.0
    High School Switch 142
    User: Manager                         00:14:33 15-Jan-2003

    RSTP Menu

    1 - Force Version .......
    2 - Bridge Priority .....
    3 - Bridge Hello Time ...
    4 - Bridge Forwarding ...
    5 - Bridge Max Age ......
    6 - Bridge Identifier ...
Chapter 12: STP, RSTP, and MSTP 3 - Bridge Hello Time The time interval between generating and sending configuration messages by the bridge. This parameter can be from 1 to 10 seconds. The default is 2 seconds. 4 - Bridge Forwarding The waiting period before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, possibly resulting in a network loop.
AT-S60 Management Software User’s Guide Configuring RSTP Port Parameters To adjust a port’s RSTP parameters, perform the following procedure: 1. From the Spanning Tree Menu, type 4 to select RSTP Configuration. The RSTP Menu is shown in Figure 72 on page 205. 2. From the RSTP Configuration menu, type P to select RSTP Port Parameters. The RSTP Port Parameters Menu is shown in Figure 73. Allied Telesyn AT-8400 Series - ATS60 V2.0.
4. Enter the port to configure. For instructions on how to specify port numbers, refer to Specifying Ports on page 31. The Configure RSTP Port Settings Menu is shown in Figure 74.

    Allied Telesyn AT-8400 Series - ATS60 V2.0.0
    High School Switch 142
    User: Manager                         00:14:33 15-Jan-2003

    Configure RSTP Port Settings

    Configuring Ports 4.8

    1 - Port Priority ......
    2 - Path Cost ..........
    3 - Point-to-Point .....
    4 - Edge Port ..........
C - Check Migration To RSTP on Selected Ports (MCHECK) This parameter resets an RSTP port, allowing it to send RSTP BPDUs. When an RSTP bridge receives STP BPDUs on an RSTP port, the port transmits STP BPDUs. The RSTP port continues to transmit STP BPDUs indefinitely. Type C to reset the RSTP port to transmit RSTP BPDUs. Each time an RSTP port is reset by receiving STP BPDUs, you need to type C to reset the RSTP port, allowing it to send RSTP BPDUs.
Chapter 12: STP, RSTP, and MSTP MSTP Overview As mentioned in earlier sections in this chapter, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
AT-S60 Management Software User’s Guide Note Due to different vendor implementations of the new IEEE 802.1s standard, compatibility issues concerning MSTP instances between the AT-8400 Series switch and switches from other vendors may exist. This can result in compatibility issues between different MSTP implementations. For this release, MSTP is compatible only with other AT-8400 Series switches.
Multiple Spanning Tree Instance (MSTI) The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-8400 Series switches, and an AT-8400 Series switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch comes with a default MSTI with an MSTI ID of 0.
AT-S60 Management Software User’s Guide If the switches were running STP or RSTP, one of the links would be blocked because the links constitute a physical loop. Which link would be blocked depends on the STP or RSTP bridge settings. In the example, the link between the two parts of the Production VLAN is blocked, resulting in a loss of communications between the two parts of the Production VLAN.
Chapter 12: STP, RSTP, and MSTP Figure 76 illustrates the same two AT-8400 Series switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 77 where there are two AT-8400 Series switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
This example illustrates Allied Telesyn’s implementation of MSTP. It shows that a tagged port cannot be a member of VLANs that belong to different MSTIs. That is why each MSTI in the example has its own tagged link. MSTI Guidelines Here are several guidelines to keep in mind about MSTIs: ❑ An AT-8400 Series switch can support up to 16 spanning tree instances, including the CIST, at a time. ❑ An MSTI can contain any number of VLANs.
AT-S60 Management Software User’s Guide A configuration name is a name you assign to a region to help you identify it. You must assign each bridge in a region exactly the same name; even the same upper and lowercase lettering. Identifying the regions in your network is easier if you choose names that are characteristic of the functions of the nodes and bridges of the region. Examples are Sales Region and Engineering Region. The revision number is an arbitrary number you assign to a region.
Chapter 12: STP, RSTP, and MSTP Figure 78 illustrates the concept of regions. It shows one MSTP region consisting of two AT-8400 Series switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The AT-8400 Series switch determines regional boundaries by examining the MSTP BPDUs received on the ports. A port that receives an MSTP BPDU from another bridge with regional information different from its own is considered to be a boundary port and the bridge connected to the port as belonging to another region. The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP.
❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address. ❑ The regional root of an MSTI must be in the same region as the MSTI. Common and Internal Spanning Tree (CIST) MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0.
AT-S60 Management Software User’s Guide MSTP with STP and RSTP MSTP is fully compatible with STP and RSTP. If a port on an AT-8400 Series switch running MSTP receives STP BPDUs, the port sends only STP BPDU packets. If a port receives RSTP BPDUs, the port sends MSTP BPDUs since RSTP can process MSTP BPDUs. A port connected to a bridge running STP or RSTP is considered a boundary port of the MSTP region and the bridge as belonging to a different region. An MSTP region can be considered as a virtual bridge.
❑ All of the bridges in a region must have the same configuration name, revision level, VLANs, and VLAN to MSTI associations. ❑ An MSTI cannot span multiple regions. ❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address. ❑ The regional root of an MSTI must be in the same region as the MSTI.
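The boundary-port rule described above (a port whose received BPDU carries different regional information, or none at all because the neighbour runs STP or RSTP) and the MSTI guidelines (IDs 1 to 15, at most 16 instances including the CIST, no tagged port in VLANs of different MSTIs) can both be checked mechanically before a configuration is saved. The following is an added example, not Allied Telesyn code; the configuration names, VLAN IDs and port memberships are constructed sample values.

```python
"""MSTP region membership and MSTI guideline checks as this chapter states them.

Added example, not Allied Telesyn code. The region definitions, VLAN IDs and
port memberships below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional

CIST_ID = 0                   # the default instance every switch has
MSTI_ID_RANGE = range(1, 16)  # MSTI IDs 1-15
MAX_INSTANCES = 16            # including the CIST


@dataclass
class RegionInfo:
    """The regional information a bridge carries in its MSTP BPDUs."""
    configuration_name: str
    revision_level: int
    vlan_to_msti: dict        # {vlan_id: msti_id}; VLANs not listed stay in the CIST

    def identity(self) -> tuple:
        # Comparison is exact: the guide requires identical upper and lower case
        # in the configuration name, and the same VLAN-to-MSTI associations.
        return (self.configuration_name, self.revision_level,
                tuple(sorted(self.vlan_to_msti.items())))


def is_boundary_port(local: RegionInfo, neighbour: Optional[RegionInfo]) -> bool:
    """A port is a boundary port when the BPDU it receives carries regional
    information different from the local bridge's own, or carries none at all
    because the neighbour runs single-instance STP or RSTP (neighbour=None)."""
    if neighbour is None:
        return True
    return local.identity() != neighbour.identity()


@dataclass
class Port:
    number: str                            # line card.port, e.g. "4.8"
    tagged_vlans: set = field(default_factory=set)
    untagged_vlans: set = field(default_factory=set)


def check_msti_guidelines(vlan_to_msti: dict, ports: list) -> list:
    """Return the guideline violations found (an empty list means none)."""
    problems = []
    for vlan, msti in sorted(vlan_to_msti.items()):
        if msti != CIST_ID and msti not in MSTI_ID_RANGE:
            problems.append(f"VLAN {vlan}: MSTI ID {msti} is outside the range 1-15")
    instances = {CIST_ID} | set(vlan_to_msti.values())
    if len(instances) > MAX_INSTANCES:
        problems.append(f"{len(instances)} instances configured; the limit is "
                        f"{MAX_INSTANCES} including the CIST")
    for port in ports:
        if not port.tagged_vlans:
            continue   # the tagged-port rule does not apply to untagged-only ports
        # A tagged port cannot belong to VLANs that sit in different MSTIs, so
        # every VLAN on it (tagged or untagged) must map to a single instance.
        mstis = {vlan_to_msti.get(v, CIST_ID)
                 for v in port.tagged_vlans | port.untagged_vlans}
        if len(mstis) > 1:
            problems.append(f"port {port.number}: tagged member of VLANs in "
                            f"different MSTIs {sorted(mstis)}")
    return problems


# Constructed sample: two switches meant to share one region, a third whose
# configuration name differs only in case, and a VLAN map that breaks the rules.
VLAN_MAP = {10: 1, 20: 1, 30: 2}
SWITCH_A = RegionInfo("Sales Region", 1, VLAN_MAP)
SWITCH_B = RegionInfo("Sales Region", 1, {30: 2, 10: 1, 20: 1})   # same associations, different order
SWITCH_C = RegionInfo("sales region", 1, VLAN_MAP)                 # case differs: another region
GOOD_PORTS = [Port("1.1", tagged_vlans={10, 20}), Port("1.2", untagged_vlans={30})]
BAD_MAP = {10: 1, 20: 1, 30: 16}
BAD_PORTS = [Port("4.8", tagged_vlans={10, 20}, untagged_vlans={30})]

if __name__ == "__main__":
    print("A<->B boundary:", is_boundary_port(SWITCH_A, SWITCH_B))
    print("A<->C boundary:", is_boundary_port(SWITCH_A, SWITCH_C))
    print("A<->RSTP neighbour boundary:", is_boundary_port(SWITCH_A, None))
    for problem in check_msti_guidelines(BAD_MAP, BAD_PORTS):
        print("violation:", problem)
```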
AT-S60 Management Software User’s Guide This is illustrated in Figure 79. Port 8 on a line card in Switch A is a member of a VLAN assigned to MSTI ID 7. Port 1 on another line card in the same switch is a member of a VLAN assigned to MSTI ID 10. The BPDUs transmitted by port 8 to Switch B would indicate that the port is a member of both CIST and MSTI 7, while the BPDUs from Port 1 would indicate the port is a member of the CIST and MSTI 10.
Chapter 12: STP, RSTP, and MSTP A problem can arise if you assign some VLANs to MSTIs while leaving others just to CIST. The problem is illustrated in Figure 80. The network is the same as the previous example. The only difference is that the VLAN containing Port 8 on Switch A has not been assigned to an MSTI, and belongs only to CIST with its MSTI ID 0.
This is illustrated in Figure 81. The example shows two switches, each residing in a different region. Port 1 on a line card in Switch A is a boundary port. It is an untagged member of the Accounting VLAN, which has been associated with MSTI 4. Port 8 on another line card is a tagged and untagged member of three different VLANs, all associated with MSTI 12.
Here is an example. Let’s assume that you have two regions that contain the following VLANs:

    Region 1 VLANs            Region 2 VLANs
    Sales                     Hardware Engineering
    Presales                  Software Engineering
    Marketing                 Technical Support
    Advertising               Product Management
    Technical Support         CAD Development
    Product Management        Accounting
    Project Management
    Accounting

The two regions share three VLANs: Technical Support, Product Management, and Accounting.
AT-S60 Management Software User’s Guide Configuring MSTP This section contains the following procedures: ❑ Configuring MSTP Bridge Settings on page 227 ❑ Configuring the CIST Priority on page 230 ❑ Creating, Deleting, and Modifying MSTI IDs on page 231 ❑ Associating VLANs to MSTI IDs on page 233 ❑ Configuring MSTP Port Settings on page 236 ❑ Displaying MSTP Port Settings and Status on page 238 Note You cannot configure MSTP unless the protocol has been selected as the active spanning tree protocol on the s
Chapter 12: STP, RSTP, and MSTP The MSTP Menu is shown in Figure 82. Allied Telesyn AT-8400 Series - ATS60 V2.0.0 High School Switch 142 User: Manager 00:14:33 15-Jan-2003 MSTP Menu 1 2 3 4 5 6 7 8 - Force Version .......... Hello Time ............. Forwarding Delay ....... Max Age ................ Max Hops ............... Configuration Name ..... Revision Level ......... Bridge Identifier ......
AT-S60 Management Software User’s Guide 3 - Forwarding Delay The waiting period before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, possibly resulting in a network loop. The range is 4 to 30 seconds. The default is 15 seconds. This setting applies only to ports running in the STP-compatible mode.
Chapter 12: STP, RSTP, and MSTP 8 - Bridge Identifier The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of a root bridge when two or more bridges have the same bridge priority value. This value cannot be changed. 4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Configuring the CIST Priority This procedure explains how to adjust the bridge’s CIST priority.
AT-S60 Management Software User’s Guide Enter new priority [the value will be multiplied by 4096]: [0 to 15] -> 3. Enter the increment that represents the new CIST priority value. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 5, Bridge Priority Value Increments on page 187. 4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
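An added Python example (not code from the guide or from Allied Telesyn) of how the 0-to-15 prompt value becomes a priority in 4096 increments, and how priority plus the bridge identifier tie breaker selects the CIST root and an MSTI regional root; the MAC addresses and the 32768 default priority for an instance with no explicit setting are assumptions.

```python
# Added example, not code from the AT-S60 guide or from Allied Telesyn: how the
# 0..15 value typed at the priority prompt becomes a bridge priority in 4096
# increments, and how priority plus the bridge identifier (MAC address) pick the
# CIST root and each MSTI's regional root. The default priority of 32768 (8 x 4096)
# for an instance with no explicit setting and the MAC addresses are assumptions.
from dataclasses import dataclass, field

PRIORITY_STEP = 4096
MAX_PRIORITY = 15 * PRIORITY_STEP        # 61,440
DEFAULT_PRIORITY = 8 * PRIORITY_STEP     # 32,768 (assumed default)
CIST = 0                                 # instance id 0 is the CIST; MSTIs are 1..15


def priority_from_prompt(n: int) -> int:
    """Convert the value entered at 'Enter new priority [... multiplied by 4096]: [0 to 15]'."""
    if not 0 <= n <= 15:
        raise ValueError(f"prompt value {n} is outside 0 to 15")
    return n * PRIORITY_STEP


def validate_priority(priority: int) -> int:
    """Accept only the 16 legal values: multiples of 4096 from 0 to 61,440."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"{priority} is not a multiple of 4096 in 0..61440")
    return priority


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass
class Bridge:
    name: str
    mac: str                                         # bridge identifier; cannot be changed
    priorities: dict = field(default_factory=dict)   # instance id -> priority

    def set_priority(self, instance: int, prompt_value: int) -> None:
        """Same effect as answering the priority prompt for the CIST (0) or an MSTI (1..15)."""
        if not 0 <= instance <= 15:
            raise ValueError("instance must be 0 (CIST) or an MSTI ID 1..15")
        self.priorities[instance] = priority_from_prompt(prompt_value)

    def bridge_id(self, instance: int) -> tuple:
        # Lower sorts first: the priority decides, the MAC address breaks ties.
        prio = validate_priority(self.priorities.get(instance, DEFAULT_PRIORITY))
        return (prio, mac_to_int(self.mac))


def elect_root(bridges: list, instance: int = CIST) -> Bridge:
    """Root of the CIST (instance 0) or regional root of an MSTI: the lowest bridge_id."""
    return min(bridges, key=lambda b: b.bridge_id(instance))


def root_summary(bridges: list) -> dict:
    """Map the CIST and every instance some bridge configured to the elected root's name."""
    instances = {CIST} | {i for b in bridges for i in b.priorities}
    return {i: elect_root(bridges, i).name for i in sorted(instances)}
```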
Regional Root ID - Identifies the regional root for the MSTI by its MAC address.
Path Cost - Specifies the path cost from the bridge to the regional root. If the bridge is the regional root, the value is 0.
Associated VLANs - Specifies the VIDs of the VLANs that have been associated with the MSTI ID.
The table does not include the CIST. The table is empty if no MSTI IDs have been created.
Creating an MSTI ID
To create an MSTI ID, do the following:
1. Type 1 to select Create MSTI.
2. Enter the MSTI IDs that you want to delete. The range is 1 to 15. (You cannot delete the CIST, which has a value of 0.) All VLANs associated with a deleted MSTI ID are returned to the CIST.
3. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Modifying an MSTI ID
To change the MSTI priority value for an MSTI, do the following:
1. From the MSTI Menu, type 3 to select MSTI Configuration Menu.
To add or remove a VLAN from an MSTI ID, do the following:
1. From the MSTP Menu, type V to select VLAN-MSTI Association Menu. The VLAN-MSTI Association Menu is shown in Figure 85.
Enter the MSTI ID [0 to 15] ->
2. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:
Enter the list of VLANs:
3. Enter the VLAN ID of the virtual LAN you want to associate with the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). To view VIDs, refer to Displaying VLANs on page 257. The MSTI ID retains any VLANs already associated with it when new VLANs are added.
4.
3. A prompt similar to the following is displayed:
Enter the list of VLANs:
4. Enter the VLAN ID of the virtual LAN that you want to associate with the MSTI ID. You can enter more than one VLAN at a time (for example, 2,4,7). To view VIDs, refer to Displaying VLANs on page 257. The VLANs already associated with the MSTI ID are removed when the new VLANs are added. The removed VLANs are returned to the CIST.
5. After making changes, type R until you return to the Main Menu.
The Configure MSTP Port Settings menu is shown in Figure 87.
Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager 00:14:33 15-Jan-2003
Configure MSTP Port Settings
1 - Port Priority ...............
2 - Port Internal Path Cost .....
3 - Port External Path Cost .....
4 - Point-to-Point ..............
5 - Edge Port ...................
5 - Edge Port
This parameter defines whether the port is functioning as an edge port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 190.
C - Check Migration To RSTP on Selected Ports (MCHECK)
The MCHECK parameter appears only when MSTP is enabled. This parameter resets an RSTP port, allowing it to send RSTP BPDUs. When an RSTP bridge receives STP BPDUs on an RSTP port, the port transmits STP BPDUs.
❑ Role - Indicates the MSTP role of the port. Possible roles are: root, alternate, backup, and designated.
❑ Port Cost - The port cost of the port.
❑ Version - Indicates whether the port is operating in MSTP mode or STP-compatible mode.
Chapter 13 Virtual LANs
This chapter contains basic information about virtual LANs (VLANs). It also contains procedures for creating, modifying, and deleting VLANs from a local or Telnet management session, and a procedure for changing a switch’s VLAN operating mode.
VLAN Overview
A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain in which the unicast, multicast, and broadcast packets generated by the nodes of the VLAN remain within the VLAN. With VLANs, you can segment your network through the switch’s management software, grouping nodes with related functions into their own separate, logical LAN segments.
workstations physically, or having to change group memberships by moving cables from one switch port to another. A virtual LAN can also span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.
Port-based VLAN Overview
As explained in the VLAN Overview section, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. The unicast, broadcast, and multicast packets generated by the end nodes of a VLAN remain within the VLAN and do not cross over to the end nodes of other VLANs unless there is an interconnecting device, such as a router or Layer 3 switch.
If a VLAN consists only of ports located on one physical switch in your network, you assign it a VID that is unique from all other VLANs in your network. If a VLAN spans multiple switches, then the VID for the VLAN on the different switches must be the same. In this manner, the switches are able to recognize and forward frames belonging to the same VLAN even though the VLAN spans multiple switches.
For example, assume that you are creating a port-based VLAN on a switch and have assigned the VLAN a VID of 5. Consequently, the PVID for each port in the VLAN would need to be assigned the value 5. Some switches and switch management programs require that you assign the PVID value for each port manually. The AT-S60 management software performs this task automatically.
❑ The introduction of a router into your network could create security issues from unauthorized access to your network.
❑ A VLAN that spans several switches requires a port on each switch for the interconnection of the various parts of the VLAN. For example, a VLAN that spans three switches requires one port on each switch to interconnect the various sections of the VLAN.
Port-Based Examples
What follows are two examples of port-based VLANs that illustrate the basic principles discussed earlier in this chapter.
Example 1
Our first example is illustrated in Figure 88. It shows two port-based VLANs on an AT-8400 switch.
Figure 88 Port-Based VLAN - Example 1
The two VLANs are Sales and Production.
The table below lists the port assignments for the Sales and Production VLANs on the AT-8400 Series switch.
AT-8400 Series switch
Sales VLAN (VID 2)                           Production VLAN (VID 3)
Slot 1: AT-8411TX Ports 1 - 4, 8 (PVID=2)    Slot 4: AT-8411TX Ports 1, 8 (PVID=3)
Slot 2: AT-8411TX Ports 1 - 2 (PVID=2)       Slot 5: AT-8411TX Ports 1 - 3 (PVID=3)
Each VLAN also has a port connected to the router. The router interconnects the VLANs.
Example 2
Figure 89 illustrates our second port-based example. The two VLANs, Sales and Production, now span two Ethernet switches, an AT-8400 and an AT-8024.
The table below lists the port assignments for the Sales and Production VLANs on the switches:
                        Sales VLAN (VID 2)               Production VLAN (VID 3)
AT-8400 Series switch   Slot 1 Ports: 1-5 (PVID=2)       Slot 4 Ports: 1, 4 (PVID=3)
                        Slot 2 Ports: 1-2, 5 (PVID=2)    Slot 5 Ports: 4 (PVID=3)
AT-8024 Switch          Ports 1-7 (PVID=2)               Ports 17-21 (PVID=3)
As mentioned earlier, a VLAN that spans more than one switch requires one or more data links to connect its different parts together.
Tagged VLAN Overview
The second type of VLAN supported by the AT-8400 Series switch is the tagged VLAN. Tagged VLANs use information inside tagged frames, as they are received on the ports, to determine VLAN membership. This contrasts with port-based VLANs, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
The parts of a tagged VLAN are much the same as those of a port-based VLAN. They are:
❑ VLAN Name
❑ VLAN Identifier
❑ Tagged and Untagged Ports
❑ Port VLAN Identifier
Note
For explanations of VLAN name and VLAN identifier, refer to VLAN Name and VLAN Identifier on page 243.
Tagged and Untagged Ports
You need to specify which ports are members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports.
General Rules for Creating a Tagged VLAN
Below is a summary of the rules to observe when creating a tagged VLAN.
❑ Each tagged VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches or stacks, each part of the VLAN on the different switches or stacks must be assigned the same VID.
❑ A tagged port can be a member of multiple VLANs.
❑ An untagged port can be an untagged member of only one VLAN at a time.
Tagged VLAN Example
Figure 90 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.
Figure 90 (Sales VLAN, VID 2; Production VLAN, VID 3; Legacy Server; WAN)
This example is nearly identical to the port-based VLAN Example 2 earlier in this chapter. Tagged ports have been added to simplify network implementation and management.
Basic VLAN Mode Overview
The Fast Ethernet Switches support a special VLAN configuration referred to as the Basic VLAN Mode. When the Basic VLAN Mode is activated, frames are forwarded based solely on MAC addresses. All VLAN information, including PVIDs assigned to ports and VLAN tags in tagged frames, is ignored. Tagged frames are analyzed only for priority level. Packets are passed through the switch unchanged.
Displaying VLANs
This procedure displays all the port-based and tagged VLANs that currently exist on the AT-8400 Series switch. To view the VLANs, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 91.
3. From the Display VLAN menu, type 3 to select Display VLAN. The Display Port Based VLAN menu is displayed. An example of the menu is shown in Figure 93.
Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager 00:14:33 01-Jan-2003
Display Port Based VLAN
VID  VLAN Name     VLAN Type   Protocol   Tagged/Untagged Ports
---------------------------------------------------------------------
1    Default_VLAN  Port Based             U: 11.1-8, 12.8 T: 5.1, 6.
If only the Protocol is GARP, then the corresponding tagged port in the menu was added by GVRP to an existing VLAN. An example of this is the Engineering VLAN in the Display Port Based VLAN Menu on page 258. Notice that port 11.5 was added as a dynamic port to the tagged Engineering VLAN.
Tagged(T)/Untagged(U)
This column lists the ports of the VLAN.
Creating a Port-based or Tagged VLAN
To create a new port-based or tagged VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 91 on page 257.
2. From the VLAN Menu, type 1 to select Configure VLAN. The Configure VLAN Menu is shown in Figure 94.
Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager 00:14:33 01-Jan-2003
Configure VLAN
1 - Set Management VLAN ID .............
3. From the Configure VLAN menu, type 4 to select Configure Port Based VLAN. The Configure Port Based VLAN menu is shown in Figure 95.
Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager 00:14:33 01-Jan-2003
Configure Port Based VLAN
VID  VLAN Name     VLAN Type   Protocol   Tagged/Untagged Ports
---------------------------------------------------------------------
1    Default_VLAN  Port Based             U: 11.1-8, 12.8 T: 5.1, 6.
If the VLAN is unique in your network, then the name should be unique as well. If the VLAN is to be part of a larger VLAN that spans multiple switches, then the name for the VLAN should be the same on each switch where nodes of the VLAN are connected.
Note
You must assign a name to a VLAN.
After you have entered a name, the following prompt is displayed:
Enter VLAN VID: [2 to 4094]
6. Enter a VID value for the new VLAN. The permitted range of the VID value is 2 to 4094.
After you have entered the tagged ports of the VLAN, the following prompt is displayed:
Enter Untagged Port-list:
8. Specify the ports on the switch to function as untagged ports in the VLAN. If this VLAN does not contain any untagged ports, leave this field empty. For information on entering ports, refer to Specifying Ports on page 31. After you have specified the untagged ports, the management software automatically creates the VLAN.
Example of Creating a Port-Based VLAN
The following procedure creates the Sales VLAN illustrated in Port-Based Examples on page 247. This VLAN is assigned a VID of 2. It consists of seven untagged ports: Ports 1 to 4 and 8 from the AT-8411TX line card in Slot 1 and Ports 1 and 2 from the AT-8411TX line card in Slot 2. The VLAN does not contain any tagged ports. To create the example Sales VLAN, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu.
Example of Creating a Tagged VLAN
The following procedure creates the Production VLAN in the AT-8400 Series switch illustrated in Tagged VLAN Example on page 254. This VLAN is assigned the VID 3. It consists of five untagged ports: Port 1 from the AT-8411TX line card in Slot 5 and Ports 1 to 4 from the AT-8411 line card in Slot 6. The VLAN also consists of two tagged ports: Port 8 from Slot 1, which gives the VLAN access to an IEEE 802.
Modifying a VLAN
This section contains the procedure for adding or deleting ports from a tagged or port-based VLAN. To modify a VLAN, perform the following procedure:
1. From the Configure Port Based VLAN menu, type 3 to select Modify Port Based VLAN. The Modify Port Based VLAN menu is shown in Figure 96.
Each menu selection is explained below.
1 - Add Ports to VLAN
To add ports to a VLAN, do the following:
a. Type 1 to select Add Ports to VLAN. The following prompt is displayed:
Enter VLAN ID: [2 to 4094] ->
b. Enter the VID of the VLAN you want to change. The following prompt is displayed:
Enter Tagged Port-list to add:
c. If you want to add one or more tagged ports to the VLAN, enter them at this prompt. If you are not adding tagged ports, press Return.
c. If you want to remove one or more tagged ports from the VLAN, enter the ports at this prompt. If you are not removing tagged ports, press Return. For information on entering ports, refer to Specifying Ports on page 31. The following prompt is displayed:
Enter Untagged Port-list to delete:
d. If you want to remove one or more untagged ports from the VLAN, enter them at this prompt. If you are not removing untagged ports, press Return.
4 - Clear Ports from VLAN
To remove all ports from the VLAN, do the following:
a. Type 4 to select Clear Ports from VLAN. The following prompt is displayed:
Enter VLAN ID: [2 to 4094] ->
b. Enter the VID of the VLAN you want to change. All tagged and untagged ports are removed from the VLAN.
c. After modifying a VLAN, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting a VLAN
To delete a VLAN, perform the following procedure:
1. From the Configure Port Based VLAN menu, type 2 to select Delete Port Based VLAN. The following prompt is displayed:
Enter VLAN ID: [2 to 4094] ->
2. Enter the VID of the VLAN you want to delete and press Return.
Note
You cannot delete the Default_VLAN, which has a VID of 1, or a dynamic GVRP VLAN.
The following confirmation prompt is displayed:
Do you want to delete this VLAN? [Yes/No] ->
3.
Setting a Switch’s VLAN Mode
This section contains the procedure for setting a switch’s VLAN mode. You can configure a switch to support port-based and tagged VLANs or to operate in the Basic VLAN mode. Port-based and tagged VLANs and the Basic VLAN mode are described in earlier sections of this chapter.
Note
Changing a switch’s VLAN mode resets the switch. The switch does not forward traffic during the brief period required to reload the AT-S60 management software.
Specifying a Management VLAN
The management VLAN is the VLAN through which an AT-8400 Series switch expects to receive management packets. This VLAN is important if you are using the enhanced stacking feature of the switch or if you are managing a switch remotely. Management packets are packets generated by a management workstation while managing a switch. The management card in the switch acts upon the packets only if they are received on the management VLAN.
Now assume that you decided to create a VLAN called NMS with a VID of 24 for the sole purpose of remote network management. For this, you would need to create the NMS VLAN on each AT-8400 Series switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. You would also need to be sure that the uplink and downlink ports connecting the switches together are untagged members of the NMS VLAN.
Chapter 14 Multiple VLAN Modes
This chapter explains the Multiple VLAN modes and how to select a mode.
Multiple VLAN Mode Overview
The Multiple VLAN modes simplify the task of configuring a switch in a network environment that requires a high degree of network segmentation. These modes are useful for isolating the traffic on each port from all other ports. They are fixed VLAN configurations that cannot be changed. When a Multiple VLAN mode is activated, the switch automatically places each port in a separate VLAN as an untagged port.
Note
The Multiple VLAN modes are supported only in single-switch (that is, edge switch) environments. This means that cascading of switches while in a Multiple VLAN mode is not allowed. Activating a Multiple VLAN mode on a cascaded switch can result in disconnection of network paths between switches unless the port used to link the switches is configured as the uplink port.
Table 8 802.1Q-Compliant Multiple VLAN Example
VLAN Name   VID   Untagged Port   Tagged Port
Client_7    7     1.7             2.2
Client_8    8     1.8             2.2
Client_9    9     2.1             2.2
Client_10   10    2.2
Client_11   11    2.3             2.2
Note
In 802.1Q Multiple VLAN mode, the device connected to the uplink port must be 802.1Q-compliant and must be able to handle tagged packets.
Non-802.1Q Compliant Multiple VLANs
The Non-802.
Table 9 Non-802.1Q Compliant Multiple VLAN Example
VLAN Name   VID   Untagged Port   Tagged Port
Client_4    4     1.4, 2.2
Client_5    5     1.5, 2.2
Client_6    6     1.6, 2.2
Client_7    7     1.7, 2.2
Client_8    8     1.8, 2.2
Client_9    9     2.1, 2.2
Client_10   10    All ports
Client_11   11    2.3, 2.2
Caution
The non-802.1Q-Compliant Multiple VLAN mode does not protect the switch from VLAN leakage.
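An added Python example (not code from the guide or from Allied Telesyn) serving both the tagged VLAN rules in Chapter 13 and Tables 8 and 9 above: it classifies a frame by its 802.1Q tag or the port's PVID, lists which member ports the frame reaches and whether it leaves tagged or untagged, and rebuilds the two Multiple VLAN tables from a port list and an uplink port. The 8-port line card, the uplink port's PVID in non-802.1Q mode and the dropping of tags for VLANs the port is not a member of are assumptions.

```python
# Added example, not code from the AT-S60 guide or from Allied Telesyn. It models
# three things the text describes: how a port classifies a received frame by its
# 802.1Q tag or, if untagged, by its PVID; which member ports the frame can reach
# and whether it leaves them tagged or untagged; and the fixed per-port VLANs of
# the two Multiple VLAN modes, reproducing the rows of Table 8 and Table 9. Port
# names 1.1-1.8 and 2.1-2.3 with VID = port number come from those tables; an
# 8-port card, the uplink port's PVID and dropping tags the port is not a member
# of are my assumptions.
import struct

TPID_8021Q = 0x8100


def parse_dot1q(frame: bytes):
    """Return (priority, vid) from an 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header plus tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, tci & 0x0FFF            # 3-bit priority, 12-bit VID


def build_frame(dst: bytes, src: bytes, vid=None, priority=0) -> bytes:
    """Constructed sample frame: untagged, or tagged with the given priority and VID."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
    return dst + src + tag + b"\x08\x00" + bytes(46)     # IPv4 EtherType plus padding


class VlanSwitch:
    def __init__(self):
        self.vlans = {}    # vid -> {"name": str, "untagged": set, "tagged": set}
        self.pvid = {}     # port -> PVID; set from untagged membership as AT-S60 does

    def add_vlan(self, vid, name, untagged=(), tagged=(), strict=True):
        for p in untagged:
            # Guide rule: an untagged port is an untagged member of one VLAN at a time.
            # The non-802.1Q Multiple VLAN mode breaks this on purpose (strict=False).
            if strict and p in self.pvid:
                raise ValueError(f"port {p} is already untagged in VID {self.pvid[p]}")
            self.pvid.setdefault(p, vid)
        self.vlans[vid] = {"name": name, "untagged": set(untagged), "tagged": set(tagged)}

    def ingress_vid(self, port, frame):
        tag = parse_dot1q(frame)
        if tag is None:
            return self.pvid[port]            # port-based classification by PVID
        vid = tag[1]
        v = self.vlans.get(vid)
        if v is None or port not in (v["tagged"] | v["untagged"]):
            return None                       # assumption: tag for a VLAN this port is not in
        return vid

    def reach(self, port, frame):
        """Ports the frame is forwarded to, mapped to how it leaves ('tagged'/'untagged')."""
        vid = self.ingress_vid(port, frame)
        if vid is None:
            return {}
        v = self.vlans[vid]
        out = {p: "untagged" for p in v["untagged"] if p != port}
        out.update({p: "tagged" for p in v["tagged"] if p != port})
        return out

    def table_rows(self):
        """Rows in the layout of Tables 8 and 9: (VLAN name, VID, untagged ports, tagged ports)."""
        return [(v["name"], vid, sorted(v["untagged"]), sorted(v["tagged"]))
                for vid, v in sorted(self.vlans.items())]


PORTS = [f"1.{n}" for n in range(1, 9)] + ["2.1", "2.2", "2.3"]   # assumed 8-port card in slot 1


def multiple_vlan_mode(ports, uplink, dot1q_compliant):
    """Fixed VLANs of a Multiple VLAN mode: Client_n holds port n, `uplink` is the uplink port."""
    sw = VlanSwitch()
    for vid, port in enumerate(ports, start=1):
        name = f"Client_{vid}"
        if port == uplink:
            # Table 8: the uplink's own VLAN holds only the uplink; Table 9: all ports.
            sw.add_vlan(vid, name, untagged=[port] if dot1q_compliant else ports, strict=False)
        elif dot1q_compliant:
            sw.add_vlan(vid, name, untagged=[port], tagged=[uplink])           # Table 8 row
        else:
            sw.add_vlan(vid, name, untagged=[port, uplink], strict=False)      # Table 9 row
    # Every port's PVID is its own Client VLAN (assumed for the uplink in non-802.1Q mode,
    # where it is untagged in several VLANs at once).
    sw.pvid.update({port: vid for vid, port in enumerate(ports, start=1)})
    return sw
```

In the non-802.1Q mode the model makes one consequence of the Caution visible: an untagged frame entering on the uplink lands in Client_10, whose members are all ports, so it is flooded to every client port.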
Selecting a VLAN Mode
The following procedure explains how to select a VLAN mode on an AT-8400 Series Switch.
Note
You should create a backup file of the switch’s configuration before changing the switch to a Multiple VLAN mode. Changing the VLAN mode automatically deletes any port-based or tagged VLANs that you created on the switch.
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is displayed as shown in Figure 91 on page 257.
2.
The following confirmation is displayed:
Setting VLAN mode to Multiple VLAN. Please wait...
The VLAN mode is changed.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Changing the Uplink Port
Once the switch is operating in a Multiple VLAN mode, you can change the uplink port at any time. You simply specify the new uplink port and the switch automatically reconfigures the VLANs. To change the uplink port, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is displayed as shown in Figure 91 on page 257.
2. From the VLAN Menu, type 1 to select Configure VLAN.
Displaying VLAN Information
To view the name, VID number, and member ports of the VLANs on a switch, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is displayed as shown in Figure 91 on page 257.
2. From the VLAN Menu, type 2 to select Display VLAN. The Display VLAN Menu is displayed as shown in Figure 92 on page 257.
3. From the Display VLAN menu, type 3 to select Display Port Based VLAN.
Chapter 15 GARP VLAN Registration Protocol
This chapter describes the GARP VLAN Registration Protocol (GVRP).
GARP VLAN Registration Protocol (GVRP) Overview
The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise have to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
Figure 98 provides an example of how GVRP works.
Figure 98 GVRP Example (labels in the figure: Switch #1 and Switch #3, each with Static VLAN Sales VID=11; Switch #2; Port 1, Port 2, Port 3, Port 4)
Switches #1 and #3 contain the Sales VLAN, but Switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLAN are unable to communic
ate with each other.
it is not a member, it automatically adds the port to the VLAN as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made.
5. Switch #3 sends a PDU out port 4 to Switch #2.
6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN. There is now a communications path for the end nodes of the Sales VLAN on Switches #1 and #3.
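An added Python simulation (not code from the guide or the switch firmware) of the Figure 98 exchange: Switch #2 learns GVRP_VLAN_11 dynamically and the inter-switch ports become tagged dynamic members, and a GVRP-capable device on a port where GVRP has been disabled, as the guide recommends for such ports, cannot pull the VLAN to itself. The end-node ports 5 and 7, the extra device on Switch #2 port 6, and the rule that a switch re-declares a VID on all GVRP-enabled ports whenever its membership changes are assumptions.

```python
# Added example, not code from the AT-S60 guide or the switch firmware: a simulation
# of the GVRP exchange in Figure 98. Switch #1 and Switch #3 hold a static Sales VLAN
# (VID 11) and Switch #2 between them does not, so Switch #2 learns GVRP_VLAN_11 and
# the inter-switch ports become tagged dynamic members. The end-node ports 5 and 7,
# the extra "Lobby device" on Switch #2 port 6, and the rule that a switch re-declares
# a VID on all GVRP-enabled ports whenever its membership changes are my assumptions.
from collections import deque


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.gvrp = set(ports)     # default port setting: GVRP active on every port
        self.vlans = {}            # vid -> {"name": str, "ports": {port: "static"|"dynamic"}}

    def add_static_vlan(self, vid, name, ports):
        self.vlans[vid] = {"name": name, "ports": {p: "static" for p in ports}}

    def disable_gvrp(self, port):
        # The port then neither transmits GVRP PDUs nor acts on received ones (assumed).
        self.gvrp.discard(port)

    def register(self, port, vid):
        """Apply a GVRP Join for `vid` received on `port`; return True if membership changed."""
        if port not in self.gvrp:
            return False
        vlan = self.vlans.get(vid)
        if vlan is None:
            # Unknown VID: create the dynamic VLAN with this port as a tagged dynamic member.
            self.vlans[vid] = {"name": f"GVRP_VLAN_{vid}", "ports": {port: "dynamic"}}
            return True
        if port in vlan["ports"]:
            return False           # already a member of the VLAN: no change
        vlan["ports"][port] = "dynamic"    # existing VLAN gains a tagged dynamic GVRP port
        return True


class Network:
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.links = {}            # (switch name, port) -> (switch name, port)

    def link(self, a, pa, b, pb):
        self.links[(a, pa)] = (b, pb)
        self.links[(b, pb)] = (a, pa)

    def converge(self):
        """Every switch declares its VLANs; Joins propagate (GIP) until nothing changes."""
        queue = deque((s.name, port, vid) for s in self.switches.values()
                      for vid in s.vlans for port in s.gvrp)
        while queue:
            name, port, vid = queue.popleft()
            peer = self.links.get((name, port))
            if peer is None:
                continue           # nothing attached: the PDU goes nowhere
            pname, pport = peer
            if self.switches[pname].register(pport, vid):
                # GIP: the receiving switch now declares the VID on all its GVRP-enabled ports.
                queue.extend((pname, out, vid) for out in self.switches[pname].gvrp)


def figure_98(protect_edge_port: bool) -> Network:
    """Figure 98 topology plus a GVRP-capable device on Switch #2 port 6; run GVRP to convergence."""
    s1 = Switch("Switch #1", [1, 5])
    s2 = Switch("Switch #2", [2, 3, 6])
    s3 = Switch("Switch #3", [4, 7])
    lobby = Switch("Lobby device", [9])
    s1.add_static_vlan(11, "Sales", [5])    # end-node port of the static Sales VLAN
    s3.add_static_vlan(11, "Sales", [7])
    if protect_edge_port:
        s2.disable_gvrp(6)                  # recommended for ports facing GVRP-inactive devices
    net = Network([s1, s2, s3, lobby])
    net.link("Switch #1", 1, "Switch #2", 2)
    net.link("Switch #2", 3, "Switch #3", 4)
    net.link("Switch #2", 6, "Lobby device", 9)
    net.converge()
    return net
```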
❑ You can convert dynamic GVRP VLANs and dynamic GVRP port assignments to static VLANs and static port assignments. The procedure for this is found in Modifying a VLAN on page 266.
❑ The default port setting on the switch for GVRP is active, meaning that the ports participate in GVRP. Allied Telesyn recommends disabling GVRP on those ports that are connected to GVRP-inactive devices, meaning devices that do not feature GVRP.
Generic Attribute Registration Protocol (GARP) Overview
The following is a technical overview of GARP. An understanding of GARP may prove helpful when using GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example, end stations and switches, can register and de-register attribute values, such as VLAN Identifiers, with each other.
The architecture of GARP is shown in Figure 99.
An instance of GID consists of the set of state machines that define the current registration and declaration state of all attribute values associated with the GARP Participant. Separate state machines exist for the Applicant and Registrar. This is shown in Figure 100.
The Applicant is therefore looking after the interests of all would-be Participants. This allows the Registrar to be very simple. The job of the Registrar is to record whether an attribute is registered, in the process of being de-registered, or not registered for an instance of GID. To control the Applicant state machine, an Applicant Administrative Control parameter is provided.
Configuring GVRP
Use the following procedure to configure GVRP. The timers in the following menus are in centiseconds (hundredths of a second). To configure GVRP, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 91 on page 257.
2. From the VLAN Menu, type 3 to select Configure GARP-GVRP. The GARP-GVRP Menu is shown in Figure 101.
6. Choose one of the following:
E to enable GIP.
D to disable GIP.
Note
Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.
Caution
The following steps change the three GVRP timers. The settings for these timers must be the same on all GVRP-active network devices.
7. Type 3 to change the value of the Join Timer.
Enabling or Disabling GVRP on a Port
This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.
Note
Allied Telesyn recommends disabling GVRP on unused ports and on ports that are connected to GVRP-inactive devices. This protects against unauthorized access to restricted areas of your network.
5. Enter a port or a list of ports. For information about how to specify ports, see Specifying Ports on page 31. The Configure GVRP Port Settings Menu is shown in Figure 103.
Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142
User: Manager 00:14:33 24-May-2003
Configure GVRP Port Settings
Configuring Port 2.1-8
1 - Port Mode ............. Normal
R - Return to Previous Menu
Enter your selection?
Figure 103 Configure GVRP Port Settings Menu
6.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Your changes are saved.
Displaying GVRP Parameters and Statistics
To display the GVRP counters, database, state machine, and GIP connected ports ring, perform the following procedure:
1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 91 on page 257.
2. From the VLAN Menu, type 3 to select Configure GARP-GVRP. The GARP-GVRP Menu is shown in Figure 101 on page 292.
3. From the GARP-GVRP Menu, select O - Other GVRP Parameters Menu.
GVRP Counters
Option 1 - Display GVRP Counters in the Other GARP Port Parameters menu displays the GVRP Counters Menu (page 1) as shown in Figure 106.
Chapter 15: GARP VLAN Registration Protocol Table 10 GVRP Counters Section II: Local and Telnet Management Parameter Meaning Transmit Discarded: GARP Disabled Number of GARP PDUs discarded because the GARP application was disabled. This counter is incremented when ports are added to or deleted from the GARP application arising from port movements in the underlying VLAN or STP.
AT-S60 Management Software User’s Guide Table 10 GVRP Counters Section II: Local and Telnet Management Parameter Meaning Transmit GARP Messages: JoinEmpty Total number of GARP JoinEmpty messages transmitted for all attributes in the GARP application. Receive GARP Messages: JoinIn Total number of GARP JoinIn messages received for all attributes in the GARP application. Transmit GARP Messages: JoinIn Total number of GARP JoinIn messages transmitted for all attributes in the GARP application.
Chapter 15: GARP VLAN Registration Protocol GVRP Database Option 2 - Display GVRP Database in the Other GARP Port Parameters displays the GVRP Database Menu as shown in Figure 108. Allied Telesyn AT-8400 Series - ATS60 V2.0.
AT-S60 Management Software User’s Guide GIP Connected Ports Ring Option 3 - Display GIP Connected Ports Ring in the Other GARP Port Parameters displays the GIP Connected Ports Ring Menu as shown in Figure 109. Allied Telesyn AT-8400 Series - ATS60 V2.0.0 High School Switch 142 User: Manager 00:14:33 24-May-2003 GIP Connected Ports Ring GARP Application: GVRP GIP Context ID: 0, STP ID: 0 ------------------------------------------------------------1.2 -> 1.8 -> 4.
Chapter 15: GARP VLAN Registration Protocol GVRP State Machine Option 4 - Display GVRP State Machine in the Other GARP Port Parameters displays the GVRP State Machine Menu (page 1) as shown in Figure 110. Allied Telesyn AT-8400 Series - ATS60 V2.0.
AT-S60 Management Software User’s Guide Table 13 GVRP State Machine Parameters Parameter Meaning App Applicant state machine for the GID index on that particular port.
Chapter 15: GARP VLAN Registration Protocol Table 13 GVRP State Machine Parameters Parameter Meaning App (Continued) Non-Participant Management state: “Von” Very Anxious Observer “Aon” Anxious Observer “Qon” Quiet Observer “Lon” Leaving Observer “Vpn” Very Anxious Passive Member “Apn” Anxious Passive Member “Qpn” Quiet Passive Member “Van” Very Anxious Active Member “Aan” Anxious Active Member “Qan” Quiet Active Member “Lan” Leaving Active Member The initialized state for the Appli
Chapter 16
MAC Address Table

This chapter provides an overview of MAC addresses. In addition, it describes the procedures for viewing the static and dynamic MAC address table using a local or Telnet management session.
Chapter 16: MAC Address Table

MAC Address Overview
Every hardware device that you connect to your network has a unique MAC address associated with it. A MAC address is assigned to a device by the device’s manufacturer. For example, every network interface card that you use to connect your computers to your network has a MAC address assigned to it by the adapter’s manufacturer. The AT-8400 Series switch has a MAC address table.
The type of MAC address described above is referred to as a dynamic MAC address. Dynamic MAC addresses are addresses that the switch learns by examining the source MAC addresses of the frames received on the ports. Dynamic MAC addresses are not stored indefinitely in the MAC address table. The switch deletes a dynamic MAC address from the table if it does not receive any frames from the node over a specified period of time.
Displaying MAC Addresses
The management software has menu selections for displaying all or parts of the MAC address table of the AT-8400 Series switch. To display the MAC address table, perform the following procedure:
1. From the Main Menu, type 7 to select MAC Address Tables. The MAC Address Tables Menu is shown in Figure 112.
Allied Telesyn AT-8400 Series - ATS60 V2.0.
3. Select the desired option. Each option is described below:
1 - Display All MAC Addresses
This option displays the Display All MAC Addresses menu. This menu lists all of the switch’s dynamic and static addresses, including multicast addresses. An example of the menu is shown in Figure 114.
Allied Telesyn AT-8400 Series - ATS60 V2.0.
2 - Display All Static MAC Addresses
This option displays only the static MAC addresses. The columns in the menu are the same as those in the Display All MAC Addresses Menu. For definitions of the columns, refer to Table 14 on page 311.
3 - Display MAC Addresses by Port
You can use this option to view the MAC addresses that have been learned on a particular port. When you select this option, the following prompt is displayed:
Enter port-list:
Enter the ports.
6 - Display Multicast MAC Addresses
This selection displays the multicast MAC addresses. For definitions of the columns, refer to Table 14 on page 311.
Adding Static Unicast and Multicast MAC Addresses
This section contains the procedure for adding static addresses to the switch. A MAC address added to the table with this procedure remains permanently in the table, even when the source end node is inactive. You can assign up to 255 static MAC addresses per port on the AT-8400 Series switch.
Note
When you add a static multicast address, you must assign the address to all ports on the switch that belong to the multicast group.
The following prompt is displayed:
Please enter MAC address ->
4. Enter the static MAC address in the following format:
XXXXXX XXXXXX
Once you have specified the MAC address, the following prompt is displayed:
Enter port-list:
5. Enter the number of the port on the switch where you want the address assigned. The management software adds the address to the MAC address table.
6.
Deleting MAC Addresses
This section contains the procedure for deleting static and dynamic unicast and multicast MAC addresses from the MAC address table and for purging the table of all dynamic addresses. To delete MAC addresses from the table, perform the following procedure:
1. From the Main Menu, type 7 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 112 on page 310.
2. From the MAC Address Tables menu, type 1 to select Configure MAC Addresses.
b. Type Y for yes to delete the dynamic MAC addresses or N for no to cancel the procedure. If you type Y for yes, all dynamic MAC addresses are deleted from the MAC address table. The switch immediately begins to relearn the addresses and to add them to the table.
Changing the Aging Time
The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table for the period specified by the aging time, it deletes the address. This prevents the table from filling with the addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
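The table behaviour described in this chapter (dynamic learning, aging with the 300-second default, static entries that never age, the 255-static-entries-per-port limit, and the purge of dynamic entries) as an added, runnable model. This is example code written for this page, not the switch's software; every MAC address, port number and timestamp in it is a constructed sample value.

```python
"""Added example (not from the AT-S60 guide): a model of the switch's MAC
address table as the guide describes it, with dynamic entries that age out,
static entries that never age, and the per-port cap of 255 static entries.
All MAC addresses, ports and timestamps below are constructed sample values."""
from dataclasses import dataclass, field

DEFAULT_AGING_TIME = 300          # seconds; the guide's default (5 minutes)
MAX_STATIC_PER_PORT = 255         # static entries the guide allows per port


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float               # only meaningful for dynamic entries


@dataclass
class MacTable:
    aging_time: int = DEFAULT_AGING_TIME
    entries: dict = field(default_factory=dict)   # mac -> Entry

    def learn(self, mac: str, port: int, now: float) -> None:
        """Dynamic learning: record the source MAC of a frame seen on a port.
        A static entry is never overwritten by learning."""
        cur = self.entries.get(mac)
        if cur is not None and cur.static:
            return
        self.entries[mac] = Entry(port=port, static=False, last_seen=now)

    def add_static(self, mac: str, port: int) -> bool:
        """Add a permanent entry; refuse once the port already holds 255."""
        count = sum(1 for e in self.entries.values()
                    if e.static and e.port == port)
        if count >= MAX_STATIC_PER_PORT:
            return False
        self.entries[mac] = Entry(port=port, static=True, last_seen=0.0)
        return True

    def age_out(self, now: float) -> list:
        """Delete dynamic entries idle longer than the aging time; return them."""
        expired = [mac for mac, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for mac in expired:
            del self.entries[mac]
        return expired

    def purge_dynamic(self) -> int:
        """The 'delete all dynamic addresses' option: static entries remain."""
        dyn = [mac for mac, e in self.entries.items() if not e.static]
        for mac in dyn:
            del self.entries[mac]
        return len(dyn)

    def lookup(self, mac: str):
        e = self.entries.get(mac)
        return None if e is None else e.port


def demo() -> dict:
    """Walk through learning, aging and static entries; returns observations."""
    t = MacTable()
    t.learn("00:00:F4:12:34:56", port=3, now=0.0)      # constructed sample MAC
    t.add_static("01:00:5E:00:00:01", port=5)            # constructed multicast
    t.learn("00:00:F4:12:34:56", port=3, now=100.0)      # refreshes last_seen
    aged_early = t.age_out(now=350.0)                    # idle 250 s: kept
    aged_late = t.age_out(now=401.0)                     # idle 301 s: deleted
    port = 7
    added = [t.add_static(f"00:00:F4:00:{i >> 8:02X}:{i & 0xFF:02X}", port)
             for i in range(MAX_STATIC_PER_PORT + 1)]
    return {
        "aged_early": aged_early,
        "aged_late": aged_late,
        "static_survives": t.lookup("01:00:5E:00:00:01"),
        "static_accepted": sum(added),
        "static_rejected_last": not added[-1],
    }
```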
Chapter 17
Class of Service (CoS)

This chapter contains the procedures for configuring Class of Service (CoS).
Chapter 17: Class of Service

Class of Service Overview
When a port on an Ethernet switch becomes oversubscribed, meaning that its egress queues contain more frames than the port can handle in a timely and orderly manner, frames may be delayed in reaching their destinations. A port may be forced to delay the transmission of some frames while it handles other traffic.
Each switch port has two egress queues, low and high. When a tagged frame enters a switch port, the switch places the frame into one of the two egress queues according to the following assignments:
IEEE 802.
Configuring CoS
To configure CoS for a port, perform the following procedure:
1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 25 on page 89.
2. From the Port Menu, type 1 to select Port Configuration. The following prompt is displayed:
Enter port-list:
3. Enter the port you want to configure. For information on entering ports, refer to Specifying Ports on page 31. The Port Configuration menu for the selected port(s) is displayed.
Chapter 18
IGMP Snooping

This chapter provides a description of the Internet Group Management Protocol (IGMP) snooping feature. It also explains how to activate and configure IGMP snooping on the switch using a local or Telnet management session.
Chapter 18: IGMP Snooping

IGMP Snooping Overview
IGMP enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports.
Without IGMP snooping, a switch floods multicast packets out all of its ports except the port on which it received the packet. Such flooding can negatively impact switch and network performance. The AT-8400 Series switch supports both IGMP Version 1 and Version 2.
Configuring IGMP Snooping
To enable or disable IGMP snooping on the switch and to configure IGMP snooping parameters, perform the following procedure:
1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 47.
2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 9 on page 52.
3. From the Configure System menu, type 1 to select Configure System Software.
Options 1 through 5 are described below:
1 - IGMP Snooping Status
Enables and disables IGMP snooping on the switch. After selecting this option, type E to enable or D to disable the feature. The default is disabled.
2 - Multicast Host Topology
Defines whether there is one host node per switch port or multiple host nodes per port. The possible settings are SingleHost/Port (Edge) and Multi-Host/Port (Intermediate).
This parameter is useful in networks that contain a large number of multicast groups. You can use it to prevent the switch’s MAC address table from filling with multicast addresses and leaving no room for dynamic or static MAC addresses.
5 - Multicast Router Ports Mode
Controls whether the ports on the switch that are connected to multicast routers are detected automatically or entered manually.
Displaying a List of Host Nodes
This procedure displays a list of the multicast groups on a switch, as well as the host nodes. To display the list, perform the following procedure:
1. From the IGMP Snooping Configuration Menu, type 6 to select View Multicast Hosts List. (For instructions on how to display the IGMP Snooping Configuration Menu, perform Steps 1 to 4 of Configuring IGMP Snooping on page 326.) The View Multicast Hosts List Menu is shown in Figure 118.
Displaying a List of Multicast Routers
A multicast router is a router that receives multicast packets from a multicast application and transmits them to host nodes. You can use the AT-S60 software to display a list of the multicast routers that are connected to the switch. To display the list, perform the following procedure:
1. From the IGMP Snooping Configuration Menu, type 7 to select View Multicast Router List.
If you entered the multicast router ports manually, the menu contains a single column labelled Static Router Ports and a list of the ports that you entered when you configured IGMP snooping.
Section III
Security Features

The chapters in Section III explain how to configure an AT-8400 switch with security features. The chapters include:
❑ Chapter 19: Web Server on page 333
❑ Chapter 20: Encryption on page 340
❑ Chapter 21: Public Key Infrastructure (PKI) on page 357
❑ Chapter 22: Secure Sockets Layer (SSL) on page 380
❑ Chapter 23: Secure Shell (SSH) on page 385
❑ Chapter 24: TACACS+ and RADIUS Protocols on page 395
❑ Chapter 25: 802.
Chapter 19
Web Server

This chapter provides an overview of the web server feature. In addition, it describes how to configure the switch as a secure web server and how to create self-signed and Certificate Authority (CA) certificates.
Chapter 19: Web Server

Web Server Overview
By default, the switch is configured as a non-secure web server. The web server feature allows you to configure the switch as a web server with advanced SSL security. In addition, you can use the web server feature to create self-signed and CA certificates. You create self-signed certificates for use within an organization. CA certificates are used between organizations, often over the Internet.
Configuring the Web Server for Security Features
This procedure allows you to enable, disable, and configure the web server feature using a local or Telnet management session. You can also enable the SSL protocol on the web server using this procedure. By default, the switch is configured as a non-secure web server.
Note
Before you can configure the web server, you must disable it.
5. Type 1 to select Status to enable or disable the web server. To configure the web server, you must first disable it. Toggle between the following values:
Enabled - Enables the web server. This is the default setting.
Disabled - Disables the web server.
6. Type 2 to select Mode to determine the mode of the web server.
Configuring SSL Certificates
The high-level configuration procedures in this section describe:
❑ Configuring Self-Signed Certificates on page 337
❑ Configuring CA Certificates on page 338
You configure self-signed certificates to create certificates that are used within your organization, often within your own network. You configure Certificate Authority (CA) certificates for use over the Internet.
Warning
Using this command creates a certificate that is only suitable for secure switch management via the GUI. A pop-up message appears in the browser window warning that the certificate was not issued by a trusted authority. For details, see Chapter 19: Web Server on page 333.
6. Load the self-signed switch certificate into the certificate database. To load the signed switch certificate onto the switch, see Adding Certificates to the Database on page 369.
6. Use TFTP to upload the enrollment request. See Downloading Files on page 153.
7. Email the enrollment request file to a Certificate Authority such as Verisign.
8. The Certificate Authority issues a CA certificate for your switch.
9. Add the certificate to the certificate database on the switch. See Adding Certificates to the Database on page 369.
10. Repeat steps 7 through 9 as needed, depending on the certificate chain for your switch.
Chapter 20
Encryption

This chapter contains a description of encryption and procedures for creating encryption keys in a local or Telnet management session on an AT-8400 Series switch. It contains the following sections:
❑ Encryption Overview on page 341
❑ Data Encryption on page 342
❑ Data Authentication on page 345
❑ Key Exchange Algorithms on page 346
❑ Configuring Keys for Encryption on page 347
Note
The Encryption feature only appears in the AT-S60 version 2.0.0 software.
Encryption Overview
This chapter describes the data security services available on the switch, how the services are provided, the switch network functions that use these services, and how to monitor the services. The encryption, or ENCO, feature provides encryption to other switch software modules (referred to as user modules).
Chapter 20: Encryption

Data Encryption
Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and a key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext). The ciphertext produced by encryption is a function of the algorithm used and the key.
by a 64-bit Initialization Vector (IV). This is the DES mode used for the switch’s data encryption process.
❑ Cipher FeedBack (CFB) is an additive-stream-cipher method which uses DES to generate a pseudo-random binary stream that is combined with the plaintext to produce the ciphertext. The ciphertext is then fed back to form a portion of the next DES input block.
❑ Output FeedBack (OFB) combines the first IV with the plaintext to form ciphertext.
digital signature. The signing station publishes its public key, and then signs its messages by encrypting them with its private key. To verify the source of a message, the receiver decrypts the message with the published public key. If the message that results is valid, then the signing station is authenticated as the source of the message. The most common asymmetric encryption algorithm is RSA.
Data Authentication
Data authentication for switches is driven by the need for organizations to verify that sensitive data has not been altered. Data authentication operates by calculating a Message Authentication Code (MAC), commonly referred to as a hash, of the original data and appending it to the message. The MAC produced is a function of the algorithm used and the key.
Key Exchange Algorithms
Key exchange algorithms are used by switches to securely generate and exchange encryption and authentication keys with other switches. Without key exchange algorithms, encryption and authentication session keys must be changed manually by the system administrator. Often, it is not practical to change the session keys manually. Key exchange algorithms enable switches to re-generate session keys automatically and on a frequent basis.
Configuring Keys for Encryption
Use the following procedures to configure, modify, export, and import keys for encryption.
❑ Configuring a Distinguished Name and Keys on page 347
❑ Modifying and Deleting Keys on page 351
❑ Exporting Keys on page 353
❑ Importing Keys on page 354
For a comprehensive procedure that describes all the steps necessary for configuring keys for encryption, see Configuring SSL Certificates on page 337.
The Keys/Certificate Configuration Menu is shown in Figure 121.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Keys/Certificate Configuration
1 - Distinguished Name ...............
2 - Key Management
3 - Public Key Infrastructure (PKI) Configuration
R - Return to Previous Menu
Enter your selection?

Figure 121 Keys/Certificate Configuration Menu
3.
The Key Management Menu is shown in Figure 122.
Allied Telesyn AT-8400 Series - ATS60 V2.0.
The Create Key Menu is shown in Figure 123.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Create Key
1 - Key ID .............
2 - Key Type ...........
3 - Key Length .........
4 - Key Description ....
5 -
10. Type 4 to create a key description. The following prompt is displayed:
Enter new Description ->
11. Enter a description of the web server the key is used to protect, such as webserver46. You can enter up to 127 alphanumeric characters, including spaces. Control characters are not permitted.
12. Type 5 to generate a key. To save the data you configured in the above steps, you must generate a key. The following message is displayed:
Key generation will take some time.
7. To delete a key, select 2 - Delete Key from the Key Management menu. The following message is displayed:
Enter Key Id to delete -> [0 to 65535] -> 0
8. Enter the Key Id that you want to delete. The following message appears:
Key deletion will take some time. Please wait...
Exporting Keys
The following procedure allows you to export a key to a file. When you export RSA-Private keys, only the public key is output to the file. Use the following procedure to export RSA-Public keys:
Note
You cannot export RSA-Private keys.
1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105.
2. From the Security menu, select the Keys/Certificate Configuration menu.
Note
Key Type is a read-only field. You cannot change this value.
7. Type 3 to select Key File Format to specify the format of the key.
8. Choose one of the following options by pressing 3 repeatedly:
HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default.
SSH - Indicates a format for a Secure Shell (SSH) environment. Select this value for an SSH server or client.
9.
The Import Key From File Menu is shown in Figure 125.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Import Key From File Menu
1 - Key ID ............ 0
2 - Key Type .......... RSA-Public
3 - Key File Format ... HEX
4 - Key File Name .....
5 - Export Key To File
R - Return to Previous Menu
Enter your selection?

Figure 125 Import Key From File Menu
4.
Key Import in Progress. Please wait...Done
After you receive this message, the key is added to the Key Management database. See the Key Management Menu in Figure 122 on page 349.
Chapter 21
Public Key Infrastructure (PKI)

This chapter describes the Public Key Infrastructure (PKI) feature and provides procedures for configuring certificates for web server security. This chapter contains the following sections:
❑ Public Key Infrastructure Overview on page 358
❑ PKI Implementation on page 363
❑ Configuring Certificates on page 364
❑ Generating Enrollment Requests on page 378
Note
The PKI feature only appears in the AT-S60 version 2.0.0 software.
Chapter 21: Public Key Infrastructure (PKI)

Public Key Infrastructure Overview
This chapter describes the Public Key Infrastructure (PKI) feature, Allied Telesyn’s implementation of the feature, and how to configure PKI for web server security. The PKI feature is part of the switch’s suite of security modules and consists of a set of tools for managing and using certificates.
Message Encryption
One of the two main services provided by public key encryption is the exchange of encrypted messages. For example, user 1 can send a secure message to user 2 by encrypting it with user 2’s public key. Only user 2 can decrypt it, because only user 2 has access to the corresponding private key.
Digital Signatures
The second main service provided by public key encryption is digital signing.
An X.509 v3 certificate consists of:
❑ A serial number, which distinguishes the certificate from all others issued by that issuer. This serial number is used to identify the certificate in a Certificate Revocation List, if necessary.
❑ The owner’s identity details, such as name, company and address.
❑ The owner’s public key, and information about the algorithm with which it was produced.
❑ The identity details of the organization which issued the certificate.
Certification Authorities
A Certification Authority is an entity which issues, updates, revokes and otherwise manages public keys and their certificates. A CA receives requests for certification, validates the requester’s identity according to the CA’s requirements, and issues the certificate, signed with one of the CA’s keys.
Root CA Certificates
A root CA must sign its own certificate. The root CA is the most critical link in the certification chain, because the validity of all certificates issued by any CA in the hierarchy depends on the root CA’s validity. Therefore, every device which uses the root CA’s certificate must verify it out of band.
PKI Implementation
The following sections discuss Allied Telesyn’s implementation of PKI for the AT-8400 Series Switch.
Configuring Certificates
Use the procedures in this section to create a certificate, add it to the certificate database, and delete, modify or view a certificate. The following procedures are provided:
❑ Creating Certificates on page 364
❑ Adding Certificates to the Database on page 369
❑ Deleting and Modifying Certificates on page 371
❑ Viewing Certificates on page 374
There are two ways of obtaining certificates.
The Public Key Infrastructure (PKI) Configuration Menu is shown in Figure 126.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Public Key Infrastructure (PKI) Configuration
1 - Maximum Number of Certificates....... 256
2 - X509 Certificate Management
3 - Generate Enrollment Request
R - Return to Previous Menu
Enter your selection?

Figure 126 Public Key Infrastructure (PKI) Configuration Menu
4.
The X509 Certificate Management Menu is shown in Figure 127.
Allied Telesyn AT-8400 Series - ATS60 V2.0.
The Create Self-Signed Certificate Menu is shown in Figure 128.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Create Self-Signed Certificate
1 - Certificate Name.............
2 - Key Pair ID.................. 0
3 - Format....................... DER
4 - Serial Number................ 0
5 - Subject DN...................
6 -
10. Type 3 - Format to select the encoding format the certificate is to use. You can toggle between the following values:
DER - Indicates the certificate contents are in a binary format. This is the default.
PEM - Indicates the certificate is in the Privacy Enhanced Mail (PEM) format, which is an ASCII format.
11. Type 4 - Serial Number to assign the certificate a serial number.
Country names are generally given in the form of the two-letter ISO 3166 code for the country, for example, us, de, or nz. An example of a distinguished name for Janet Bloggs, who works in Operations at Arctic Company in Fairbanks, Alaska, is:
cn=Janet Bloggs, ou=Operations, o=Arctic Company, l=Fairbanks, s=Alaska, c=us
14. Type 6 to create the certificate you have defined in the previous steps.
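A parser and validator for the distinguished-name string format used for the Subject DN above, as an added example (not the switch's software). The accepted attribute keys are the ones this guide's own examples use (cn, ou, o, l, s or St, c); the checks for a present common name and a two-letter country code follow the text above, and the sample DNs in the code are taken from, or constructed in the style of, the guide's examples.

```python
"""Added example (not from the AT-S60 guide): parse and validate a Subject DN
written in the 'key=value, key=value' form the guide uses, such as
'cn=Janet Bloggs, ou=Operations, o=Arctic Company, l=Fairbanks, s=Alaska, c=us'.
Accepted keys are those appearing in the guide's own examples."""
import re

# attribute keys seen in the guide's examples, compared in upper case
KNOWN_KEYS = {"CN", "OU", "O", "L", "S", "ST", "C"}
ISO3166_RE = re.compile(r"^[A-Za-z]{2}$")   # shape of a two-letter country code


def parse_dn(dn: str) -> dict:
    """Split 'key=value, key=value' into a dict with upper-case keys,
    preserving attribute order.

    Raises ValueError on a malformed component, an unknown key or a
    duplicated key, so a slip such as 'ou Operations' (missing '=') is
    rejected instead of silently ending up in a certificate subject.
    """
    out = {}
    for raw in dn.split(","):
        part = raw.strip()
        if not part:
            raise ValueError("empty component in DN")
        key, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"component without '=value': {part!r}")
        key = key.strip().upper()
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown attribute {key!r}")
        if key in out:
            raise ValueError(f"duplicate attribute {key!r}")
        out[key] = value.strip()
    return out


def validate_dn(dn: str) -> list:
    """Return a list of problems; an empty list means the DN is acceptable."""
    try:
        attrs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "CN" not in attrs:
        problems.append("missing cn (common name)")
    country = attrs.get("C")
    if country is None:
        problems.append("missing c (country)")
    elif not ISO3166_RE.match(country):
        problems.append(f"country {country!r} is not a two-letter ISO 3166 code")
    return problems


def format_dn(attrs: dict) -> str:
    """Render attributes the way the View Certificate Details screen shows
    them: upper-case keys, comma separated, no spaces."""
    return ",".join(f"{k}={v}" for k, v in attrs.items())


if __name__ == "__main__":
    sample = "cn=Janet Bloggs, ou=Operations, o=Arctic Company, l=Fairbanks, s=Alaska, c=us"
    print(format_dn(parse_dn(sample)))
    print(validate_dn("ou=Operations, o=Arctic Company, c=usa"))  # constructed bad DN
```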
5. From the X509 Certificate Management menu, type 2 to select Add Certificate. The Add Certificate Menu is shown in Figure 129.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Add Certificate Menu
1 - Certificate Name .............
2 - State ........................ Trusted
3 - Type ......................... EE
4 - File Name ....................
5 - Add Certificate
Note
To display the filenames of the certificates, see Displaying System Configuration Files on page 140.
10. Type 5 - Add Certificate to add the certificate to the certificate database. A wait message is displayed.
Deleting and Modifying Certificates
To delete or modify a certificate that is in the certificate database, perform the following procedure:
1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105.
2.
The Modify Certificate Menu is shown in Figure 130.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003
Modify Certificate Menu
1 - Certificate Name................. testcertificate
2 - State ........................... Trusted
3 - Type ............................
4 -
The following message is displayed:
Please wait while certificate is updated...Done.
12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Viewing Certificates
To view the details of a certificate, perform the following procedure:
1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105.
2. From the Security menu, select the Keys/Certificate Configuration menu. The Keys/Certificate Configuration Menu is shown in Figure 121 on page 348.
3. From the Keys/Certificate menu, select 3 - Public Key Infrastructure (PKI) Configuration.
The View Certificate Details Menu (page 1) is shown in Figure 131.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 15-Jan-2003
View Certificate Details
Certificate Details:
Name ...............
State ..............
Manually Trusted ...
Type ...............
Source .............
Version ............
Serial Number ......
Signature Alg ......
Public Key Alg .....
Not Valid Before ...
Not Valid After ....
7. Type N to see the second page of certificate details. The View Certificate Details Menu (page 2) is shown in Figure 132.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 15-Jan-2003
View Certificate Details
Subject ......... CN=Ben Herr,OU=Operations,O=Klondike Corp,St=CA,C=us
Issuer .......... CN=Ben Herr,OU=Operations,O=Klondike Corp,St=CA,C=us
MD5 Fingerprint...
MD5 Fingerprint - The fingerprint of the certificate computed with the MD5 algorithm. This value is a unique 16-byte sequence for each certificate.
SHA1 Fingerprint - The fingerprint of the certificate computed with the Secure Hash Algorithm (SHA1). This value is a unique 20-byte sequence for each certificate.
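How the MD5 and SHA1 fingerprints shown here relate to the DER and PEM encodings selectable on the Create Self-Signed Certificate menu, as an added example (not the switch's software): the fingerprint is a hash of the DER bytes, and a PEM file is the same DER bytes in base64 between BEGIN/END lines, so both encodings of one certificate yield identical fingerprints once the PEM armour is stripped. The certificate bytes in the code are a constructed stand-in, not a real certificate; the comparison helper is the check an operator performs against a fingerprint obtained out of band, as the Root CA Certificates text above calls for.

```python
"""Added example (not from the AT-S60 guide): derive the MD5 (16-byte) and
SHA1 (20-byte) certificate fingerprints from DER bytes, convert between the
DER and PEM containers, and compare a received fingerprint with a trusted one.
SAMPLE_DER is a constructed minimal DER SEQUENCE, not a real certificate."""
import base64
import hashlib

# Constructed sample: SEQUENCE(len 9) { INTEGER 1, INTEGER 0xDEADBEEF }.
# Real certificates are far larger; the hashing logic does not care.
SAMPLE_DER = bytes.fromhex("30090201010204DEADBEEF")

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM (ASCII) container, 64 base64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode back to the DER bytes.
    Raises ValueError if the BEGIN/END markers are missing or the body is
    not valid base64, so a truncated or mislabelled file is caught early."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a PEM CERTIFICATE block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprints(der: bytes) -> dict:
    """Return the two fingerprints the switch displays, as colon-separated hex
    over the DER encoding (16 bytes for MD5, 20 bytes for SHA1)."""
    def colon_hex(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {
        "MD5": colon_hex(hashlib.md5(der).digest()),
        "SHA1": colon_hex(hashlib.sha1(der).digest()),
    }


def fingerprints_match(received: dict, trusted: dict) -> bool:
    """Both fingerprints must agree with the values verified out of band."""
    return (received["SHA1"] == trusted["SHA1"]
            and received["MD5"] == trusted["MD5"])


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, end="")
    print(fingerprints(SAMPLE_DER))
    print(fingerprints_match(fingerprints(pem_to_der(pem)), fingerprints(SAMPLE_DER)))
```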
Generating Enrollment Requests
To request a certificate from a Certificate Authority, you need to generate an enrollment request. Generating an enrollment request creates a file with a .csr extension. After you have generated the enrollment request file, upload the file to a CA. For a complete list of the steps to configure the switch to obtain a CA certificate, see Configuring CA Certificates on page 338.
Figure 133 Generate Enrollment Request Menu
5. Type 1 - Request Name. The following message is displayed:
Enter Enrollment Request Name ->
6. Enter up to 127 alphanumeric characters for the enrollment request name. The name you enter is used to create the filename of the enrollment request. The full filename consists of the enrollment request name followed by the .csr extension.
Chapter 22
Secure Sockets Layer (SSL)

This chapter contains information about Secure Sockets Layer (SSL) as well as a procedure for configuring this protocol on a switch using a local or Telnet management session. It contains the following sections:
❑ Secure Sockets Layer Overview on page 381
❑ Configuring SSL on page 384
Note
The SSL feature only appears in the AT-S60 version 2.0.0 software.
Secure Sockets Layer Overview
This chapter describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and a server. You can configure the SSL feature using a local or Telnet management session. SSL can be used with many higher-layer protocols, including HTTP, File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP).
Chapter 22: Secure Sockets Layer (SSL)

All application data messages are authenticated by SSL with a message authentication code (MAC). The MAC is a checksum that is created by the sender and sent as part of the encrypted message. The recipient recalculates the MAC, and if the values match, the sender’s identity is verified. The MAC also ensures that the message has not been tampered with by a third party, because any change to the message changes the MAC.
The Alert message is used if the client or server detects an error. Alert messages also inform the other end that the session is about to close. An Alert message contains a severity rating and a description of the alert. For example, an Alert message is sent if either party receives an invalid certificate or an unexpected message. The Application Data message encapsulates the encrypted application data.
Configuring SSL
This section describes how to configure SSL. This procedure is part of a comprehensive procedure to create certificates on the switch. See Configuring SSL Certificates on page 337 for a list of all the procedures you must complete to create certificates on the switch. To configure the SSL protocol, perform the following procedure:
1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105.
2.
Chapter 23
Secure Shell (SSH)

This chapter contains overview information about the Secure Shell (SSH) protocol as well as a procedure for configuring this protocol on a switch using a local or Telnet management session. It contains the following sections:
❑ SSH Overview on page 386
❑ SSH Overall Configuration on page 389
❑ Configuring SSH on page 390
❑ Displaying SSH Information on page 393
Note
The SSH feature only appears in the AT-S60 version 2.0.0 software.
Chapter 23: Secure Shell (SSH)

SSH Overview
This chapter describes the Secure Shell (SSH) protocol, including:
❑ Support for Secure Shell on the switch
❑ How to configure the switch to act as an SSH server
❑ How to use Secure Shell to manage the switch.
To implement SSH on your switch, you need to configure the switch as an SSH server, install an SSH client on a management PC, and log in using the client.
AT-S60 Management Software User’s Guide ❑ RSA public keys with lengths of 512 to 2048 bits are supported. Keys are stored in a format compatible with other Secure Shell implementations, and mechanisms are provided to copy keys to and from the switch. ❑ Compression of SSH traffic. The following SSH options and features are not supported: ❑ IDEA or Blowfish encryption ❑ Nonencrypted Secure Shell sessions ❑ Tunnelling of TCP/IP traffic Note Non-encrypted Secure Shell sessions serve no purpose.
Chapter 23: Secure Shell (SSH) You can download client software from the Internet. Two popular SSH clients are PuTTY and CYGWIN. To install SSH client software, follow the directions from the vendor. Once you have configured the SSH client software, you can use it to log in to the SSH server as a manager, an operator, or as a RADIUS/TACACS+ user. The SSH server supports multiple client connections. The maximum number of SSH clients allowed is 10 users with one manager login.
AT-S60 Management Software User’s Guide SSH Overall Configuration Configuring the SSH server requires you to perform several procedures. The information in this section lists the procedures you need to complete to configure the SSH feature, including the server and client configuration. Since SSH is a complex feature, you need to perform all the steps in the following procedure. To configure the switch as an SSH server and configure SSH clients, perform the following procedure: 1.
Chapter 23: Secure Shell (SSH) Configuring SSH This section describes how to configure the switch as an SSH server. For a description of all the steps required to configure an SSH server, see SSH Overall Configuration on page 389. Before you begin this procedure, you need to configure host and server keys for SSH. See Configuring Keys for Encryption on page 347. The minimum bit size of the server key is 512 bits. The recommended bit size for a server key is 768 bits.
AT-S60 Management Software User’s Guide The Secure Shell (SSH) Menu is shown in Figure 135.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 30-Apr-2003

Secure Shell (SSH)

1 - SSH Server Status .......
2 - Host Key ID ..............
3 - Server Key ID ...........
4 - Server Key Expiry Time ..
5 - Login Timeout ...........
Chapter 23: Secure Shell (SSH) This timer determines how often the server key is regenerated. Naturally, a server key is regenerated for security purposes. A server key is only valid for the time period configured in the Server Key Expiry (Expiration) Time timer. Allied Telesyn International recommends you set this field to 1. With this setting, a new key is generated every hour. The default is 0 hours which means the server key never expires. The range is 0 to 5 hours. 8. Select 5 - Login Timeout.
AT-S60 Management Software User’s Guide Displaying SSH Information To display SSH server information, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105. 2. From the Security menu, select the Secure Shell (SSH) menu. The Secure Shell (SSH) Menu is shown in Figure 135 on page 391. 3. From the Secure Shell (SSH) menu, select 6 - Show Server Information to display the SSH server data.
Chapter 23: Secure Shell (SSH) ❑ Server Port: Indicates the well-known port for SSH. The default is port 22. ❑ Host Key ID: Indicates the host key ID defined for SSH. ❑ Host Key Bits: Indicates the number of bits in the host key. ❑ Server Key ID: Indicates the server key ID defined for SSH. ❑ Server Key Bits: Indicates the number of bits in the server key. ❑ Server Key Expiry: Indicates the length of time, in hours, until the server key is regenerated.
Chapter 24 TACACS+ and RADIUS Protocols This chapter explains how you can use the two authentication protocols TACACS+ and RADIUS to control who can log onto a switch to manage it.
Chapter 24: TACACS+ and RADIUS Protocols TACACS+ and RADIUS Overview The AT-S60 software has two standard management login accounts: Manager and Operator. The Manager account lets you change a switch’s parameter settings while the Operator account only lets you view the settings. Each account has its own password. The Manager account has a default password of “friend” and the Operator account has a default password “operator.
AT-S60 Management Software User’s Guide Authorization defines what a user can do once logged in to a switch. You assign an authorization level to each user name and password combination that you create on the server software. The access level is either Manager or Operator. The final function of the TACACS+ protocol is accounting, which is used to keep track of user activity on network devices. The AT-8400 Series switch does not support this function.
Chapter 24: TACACS+ and RADIUS Protocols Note This manual does not explain how to configure TACACS+ or RADIUS server software. For server configuration, refer to the documentation that came with the software. By default, server-based authentication is disabled on an AT-8400 Series switch. Once you activate it, you need to provide the following information: ❑ Which authentication protocol you want to use. Only one authentication protocol can be active on a switch at a time.
AT-S60 Management Software User’s Guide Enabling TACACS+ or RADIUS To enable or disable the server-based authentication feature on the switch and to configure the TACACS+ and RADIUS settings, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105. 2. From the Security Menu, select Server Based Authentication. The Authentication Menu is shown in Figure 137. Allied Telesyn AT-8400 Series - ATS60 V2.0.
Chapter 24: TACACS+ and RADIUS Protocols Configuring TACACS+ To configure TACACS+, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105. 2. From the Security Menu, select Server Based Authentication. The Authentication Menu is shown in Figure 137 on page 399. 3. Type 3 to select TACACS+ Configuration. The TACACS+ Client Configuration Menu is shown in Figure 138. Allied Telesyn AT-8400 Series - ATS60 V2.0.
AT-S60 Management Software User’s Guide However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, then respond with Yes to this prompt. The following prompt is displayed: Enter per-server secret [max 40 characters] -> Use this prompt to enter the encryption secret for the TACACS+ server whose IP address you are specifying.
Chapter 24: TACACS+ and RADIUS Protocols Configuring RADIUS To configure RADIUS, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 30 on page 105. 2. From the Security Menu, select Server Based Authentication. The Authentication Menu is shown in Figure 137 on page 399. 3. Type 4 to select RADIUS Configuration. The RADIUS Client Configuration Menu is shown in Figure 139. Allied Telesyn AT-8400 Series - ATS60 V2.0.
AT-S60 Management Software User’s Guide the list. If there aren’t any more servers in the list, then the switch defaults to the standard Manager and Operator accounts. The default is 30 seconds. The range is 1 to 60 seconds.

3 - RADIUS Server 1 Configuration
4 - RADIUS Server 2 Configuration
5 - RADIUS Server 3 Configuration

Use these parameters to specify the IP addresses of up to three network servers containing the RADIUS server software.
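The server-list behaviour described on these pages (up to three servers, a per-server timeout, try the next server on silence, fall back to the local Manager and Operator accounts when none answers) as an added model written for this page, not Allied Telesyn code. It assumes that a server which does answer is authoritative, so an explicit reject is not retried elsewhere, and it models a shared-secret mismatch as a server that gives no usable reply; all server addresses, secrets and user tables are constructed.

```python
"""Constructed model of the switch's server-based login described above: the
configured authentication servers are queried in order, a silent server is
skipped after the timeout, and the local Manager/Operator accounts are used
only when no server answers. Illustration for this page, not Allied Telesyn code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class NoReply(Exception):
    """Raised by a server stand-in that stays silent past the timeout."""


@dataclass
class AuthServer:
    ip: str
    secret: str  # the per-server secret, or the global one, as set on the switch
    # Constructed stand-in for the network exchange: returns "Manager" or
    # "Operator" on accept, None on an explicit reject, or raises NoReply.
    respond: Callable[[str, str, str], Optional[str]]


@dataclass
class LoginResult:
    granted: bool
    level: Optional[str]  # authorization level: Manager or Operator
    source: str           # IP of the server that decided, or "local"
    trail: List[str] = field(default_factory=list)


# Local accounts with the factory default passwords quoted in the manual.
LOCAL_ACCOUNTS: Dict[str, Tuple[str, str]] = {
    "manager": ("friend", "Manager"),
    "operator": ("operator", "Operator"),
}


def login(servers: List[AuthServer], user: str, password: str,
          timeout_s: int = 30, local_accounts=LOCAL_ACCOUNTS) -> LoginResult:
    if not 1 <= timeout_s <= 60:
        raise ValueError("server timeout must be 1 to 60 seconds")
    if len(servers) > 3:
        raise ValueError("the switch holds at most three server entries")
    trail: List[str] = []
    for srv in servers:
        try:
            level = srv.respond(user, password, srv.secret)
        except NoReply:
            trail.append(f"{srv.ip}: no reply within {timeout_s}s, trying next")
            continue
        # Assumption: a server that answers is authoritative, so an explicit
        # reject is not retried on the next server or on the local accounts.
        if level is None:
            trail.append(f"{srv.ip}: rejected {user!r}")
            return LoginResult(False, None, srv.ip, trail)
        trail.append(f"{srv.ip}: accepted {user!r} as {level}")
        return LoginResult(True, level, srv.ip, trail)
    # No server answered: the switch falls back to its local accounts.
    trail.append("no server replied; checking local Manager/Operator accounts")
    entry = local_accounts.get(user.lower())
    if entry is not None and entry[0] == password:
        return LoginResult(True, entry[1], "local", trail)
    return LoginResult(False, None, "local", trail)


def default_password_risk(local_accounts=LOCAL_ACCOUNTS) -> List[str]:
    """The fallback keeps the local accounts usable whenever every server is
    unreachable, so list any account still on its factory password."""
    factory = {"manager": "friend", "operator": "operator"}
    return [name for name, (pw, _) in local_accounts.items()
            if factory.get(name) == pw]


def make_server(ip: str, server_secret: str,
                table: Dict[str, Tuple[str, str]], silent: bool = False):
    """Constructed server with its own secret and a user -> (password, level)
    table. A secret mismatch is modelled as no usable reply, like a RADIUS
    server discarding a request it cannot verify."""
    def respond(user: str, password: str, switch_secret: str) -> Optional[str]:
        if silent or switch_secret != server_secret:
            raise NoReply(ip)
        entry = table.get(user)
        return entry[1] if entry is not None and entry[0] == password else None
    return respond
```

Running `default_password_risk()` against the factory table returns both accounts, which is the point: the local fallback only stops being a weak spot once both passwords have been changed.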
Chapter 25 802.1x Port-Based Network Access Control This chapter contains an overview and procedures for 802.1x Port-based Network Access Control features.
AT-S60 Management Software User’s Guide Port-Based Access Network Control Overview The AT-S60 software’s IEEE 802.1X-based Port-Based Network Access Control feature is a client-server-based access control and authentication protocol that restricts unauthorized clients who attempt to connect to a network through accessible, local ports.
Chapter 25: 802.1x Port-Based Access Control 802.1x Port-Based Network Access Control The IEEE 802.1x standard provides a method of restricting access to networks based on authentication information. The 802.1x standard provides port-based network access control for devices connected to the Ethernet. This functionality allows a network controller to restrict external devices from gaining access to the network behind an 802.1x-controlled port.
AT-S60 Management Software User’s Guide the authentication server for verification, then the authentication server informs the authenticator whether or not the authentication attempt has succeeded. Consequently, PC A is either granted or denied access to the LAN behind the switch.
Chapter 25: 802.1x Port-Based Access Control Port Authentication Control A physical port under 802.1x control has associated with it a logical system known as a Port Access Entity (PAE). The PAE controls the authentication process. The authentication processes on the authenticator and on the supplicant are controlled by separate PAEs. The PAE controlling a port acting as a supplicant is termed a Supplicant PAE. The PAE controlling a port acting as an authenticator is termed an Authenticator PAE.
AT-S60 Management Software User’s Guide The Authenticator PAE can be configured to request that the Supplicant PAE reauthenticate itself at a configurable time period. See Figure 142. During the process of reauthentication, the controlled port remains authorized until reauthentication fails.
Chapter 25: 802.1x Port-Based Access Control Authentication Server The authentication server verifies the supplicant’s details passed to it by the authenticator. This implementation of 802.1x control requires that a port acting as an authenticator must communicate with a RADIUS authentication server. The RADIUS server must be capable of receiving and deciphering EAP in RADIUS packets. See Figure 143. The supported EAP authentication method for communication with the RADIUS server is EAP-MD5.
AT-S60 Management Software User’s Guide Enabling and Disabling Port Access Control To globally enable or disable Port Access Control, perform the following procedure: Note Enabling or disabling Port Access Control can only be performed in a local management session. Note Before activating this feature, you must have the RADIUS EAP specified and enabled as the authentication method. This is discussed in Enabling TACACS+ or RADIUS on page 399. 1. From the Main Menu, type 6 to select Security Menu.
Chapter 25: 802.1x Port-Based Access Control 4. Type E to enable port access control, or D to disable port access control. Press Return. If you select E, the following message appears: This change has an impact on port security limited mode and MAC address table! 5. Press any key to continue. 6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
AT-S60 Management Software User’s Guide Configuring the Port Access Role Use this procedure to configure a port with an access role of authenticator or supplicant. For information about authenticators and supplicants, see the Port-Based Access Network Control Overview on page 405. The number of ports you assign as authenticators and supplicants is only limited by the number of ports on a card. In addition, you can assign both authenticators and supplicants to one line card.
Chapter 25: 802.1x Port-Based Access Control The Configure Port Access Role Menu is shown in Figure 145.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 01-Jan-2003

Configure Port Access Role
Configuring Port 3.1

1 - Port Role ......... None
R - Return to Previous Menu

Enter your selection?

Figure 145 Configure Port Access Role Menu

5. Type 1 to select Port Role. The following prompt is displayed:

Enter new Port Role [N-None, A-Authenticator, S-Supplicant] ->

6.
AT-S60 Management Software User’s Guide Configuring Authenticator Parameters After you have enabled port access control and configured a port as an authenticator, use this procedure to configure the authenticator parameters. The procedure in Configuring the Port Access Role on page 413 describes how to configure a port as an authenticator. For information about the role of an authenticator, see the Port-Based Access Network Control Overview on page 405.
Chapter 25: 802.1x Port-Based Access Control 3. From the Port Access Control menu, type 4 to select Configure Authenticator. The Configure Authenticator Menu is shown in Figure 146.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 22-Mar-2003

Configure Authenticator

1 - Configure Authenticator Port Access Parameters
2 - Display Authenticator Port Access Parameters
R - Return to Previous Menu

Enter your selection?

Figure 146 Configure Authenticator Menu

4.
AT-S60 Management Software User’s Guide The authenticator port access parameters are listed as menu items with default ranges set at the factory.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 22-Mar-2003

Configure Authenticator Port Access Parameters
Configuring Port 1.3

1 - Port Control ...... Auto
2 - Quiet Period ........ 60
3 - Tx Period ........... 30
4 - Reauth Period ....... 3600
5 - Supplicant Timeout .. 30
6 - Server Timeout ...... 30
7 - Max Requests ......
Chapter 25: 802.1x Port-Based Access Control ❑ Force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

2 - Quiet Period
Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds.
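To show what the authenticator parameters on this menu actually govern, here is a simplified model of an authenticator port, added for this page and not the AT-S60 implementation. It compresses the EAP exchange into one identity request and one EAP-MD5 challenge, uses a constructed Max Requests default of 2 because the page is cut off before that value, and takes the client's and server's reply delays as constructed inputs; it also shows the reauthentication rule from the overview, where the controlled port stays authorized until a reauthentication fails.

```python
"""Simplified model of an IEEE 802.1X authenticator port driven by the
parameters on the Configure Authenticator Port Access Parameters menu.
Constructed illustration for this page, not the AT-S60 implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class PortControl(Enum):
    AUTO = "Auto"
    FORCE_AUTHORIZED = "Force-authorized"
    FORCE_UNAUTHORIZED = "Force-unauthorized"

@dataclass
class AuthParams:
    port_control: PortControl = PortControl.AUTO
    quiet_period: int = 60        # seconds the client is ignored after a failure
    tx_period: int = 30           # seconds between EAP-Request/Identity resends
    reauth_period: int = 3600     # seconds between forced reauthentications
    supplicant_timeout: int = 30  # wait for the client's answer to a challenge
    server_timeout: int = 30      # wait for the RADIUS server's reply
    max_requests: int = 2         # constructed default; the page is cut off here

@dataclass
class Peer:
    """Constructed behaviour of client and RADIUS server for one attempt.
    A delay of None means that side never answers."""
    identity_delay: Optional[int] = 1
    challenge_delay: Optional[int] = 1
    server_delay: Optional[int] = 1
    credentials_ok: bool = True

@dataclass
class AuthenticatorPort:
    params: AuthParams
    port: str = "1.3"
    clock: int = 0            # simulated seconds
    authorized: bool = False  # state of the controlled port
    quiet_until: int = 0
    log: List[str] = field(default_factory=list)

    def _note(self, msg: str) -> None:
        self.log.append(f"t={self.clock}s port {self.port}: {msg}")

    def _fail(self, why: str) -> bool:
        # Every failure drops the controlled port and starts the quiet period.
        self.authorized = False
        self.quiet_until = self.clock + self.params.quiet_period
        self._note(f"{why}; port unauthorized, quiet until t={self.quiet_until}s")
        return False

    def _wait(self, delay: Optional[int], limit: int) -> bool:
        """Advance the clock; True if the peer answered before the timer ran out."""
        if delay is not None and delay <= limit:
            self.clock += delay
            return True
        self.clock += limit
        return False

    def authenticate(self, peer: Peer) -> bool:
        p = self.params
        if p.port_control is PortControl.FORCE_AUTHORIZED:
            self.authorized = True
            self._note("Force-authorized: port open without authentication")
            return True
        if p.port_control is PortControl.FORCE_UNAUTHORIZED:
            self.authorized = False
            self._note("Force-unauthorized: client ignored")
            return False
        if self.clock < self.quiet_until:
            self._note("quiet period still running: client ignored")
            return self.authorized
        # Auto: request the identity, resending every tx_period seconds
        for attempt in range(1, p.max_requests + 1):
            self._note(f"EAP-Request/Identity sent ({attempt}/{p.max_requests})")
            if self._wait(peer.identity_delay, p.tx_period):
                break
        else:
            return self._fail("no EAP-Response/Identity from client")
        self._note("identity relayed to the RADIUS server in an Access-Request")
        if not self._wait(peer.server_delay, p.server_timeout):
            return self._fail("RADIUS server timeout")
        self._note("EAP-MD5 challenge relayed to the client")
        if not self._wait(peer.challenge_delay, p.supplicant_timeout):
            return self._fail("supplicant timeout on the challenge")
        if not self._wait(peer.server_delay, p.server_timeout):
            return self._fail("RADIUS server timeout")
        if not peer.credentials_ok:
            return self._fail("RADIUS Access-Reject")
        self.authorized = True
        self._note("RADIUS Access-Accept: port authorized")
        return True

    def reauthenticate(self, peer: Peer) -> bool:
        """Reauth Period expired: the port stays authorized while the new
        exchange runs and is dropped only if that exchange fails."""
        self.clock += self.params.reauth_period
        self._note(f"reauthentication started (authorized={self.authorized})")
        return self.authenticate(peer)
```

Reading the `log` of a port after a silent client shows why Quiet Period matters: with Max Requests exhausted the port stays unauthorized and ignores the client for the configured 60 seconds before a fresh attempt is accepted.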
AT-S60 Management Software User’s Guide Configure Supplicant Parameters After you have enabled port access control and configured a port as a supplicant, use the procedure in this section to configure the supplicant parameters. The procedure in Configuring the Port Access Role on page 413 describes how to configure a port as a supplicant. For information about the role of a supplicant, see the Port-Based Access Network Control Overview on page 405.
Chapter 25: 802.1x Port-Based Access Control The Configure Supplicant Menu is shown in Figure 148.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 22-Mar-2003

Configure Supplicant

1 - Configure Supplicant Port Access Parameters
2 - Display Supplicant Port Access Parameters
R - Return to Previous Menu

Enter your selection?

Figure 148 Configure Supplicant Menu

4. Type 1 to select Configure Supplicant Port Access Parameters to configure supplicant parameters.
AT-S60 Management Software User’s Guide 6. Select the parameter that you want to modify. They are described below:

1 - Auth Period: This is the initialization time used by the authentication timer. The value is in seconds. The default is 30 seconds. The range is 1 to 300 seconds.

2 - Held Period: This is the initialization value for the supplicant held timer. The value is in seconds. The default is 60 seconds. The range is 0 to 65,535 seconds.
Chapter 25: 802.1x Port-Based Access Control Displaying Port Access Status There are three ways to display port access status. You can display: ❑ Port roles assigned to all ports ❑ All Authenticator ports and their associated parameters ❑ All Supplicant ports and their associated parameters Each type of display provides different parameters. As a result, the advantage of displaying the individual authenticator and supplicant port information is that more information is given.
AT-S60 Management Software User’s Guide The Display Port Access Status menu is shown in Figure 150.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 22-Mar-2003

Display Port Access Status
[Figure 150: table with columns Port, PortRole, State, Additional Info; one row per port starting at 6.1 (the row values are not recoverable from the extracted page)]
Chapter 25: 802.1x Port-Based Access Control When you configure a port with a Supplicant role, the Status field can have the following values:

Acquired
Authenticated
Authenticating
Connecting
Disconnected
Held
Logoff

Note Consult IEEE Std 802.1X-2001, Port-Based Network Access Control, for detailed information regarding the above values in the Status field.
AT-S60 Management Software User’s Guide The Display Authenticator Port Access Parameters Menu is shown in Figure 151.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 22-Mar-2003

Display Authenticator Port Access Parameters
[Figure 151: table with columns Port, PortCtrl, QuietP, TxP, ReAuthP, SuppTO, SvrTO, MaxReq; one row per authenticator port (the row values are not recoverable from the extracted page)]
Chapter 25: 802.1x Port-Based Access Control The Display Supplicant Port Access Parameters Menu is shown in Figure 152.

Allied Telesyn AT-8400 Series - ATS60 V2.0.0
High School Switch 142 User: Manager 00:14:33 22-Mar-2003

Display Supplicant Port Access Parameters
[Figure 152: table with columns Port, Auth Period, Held Period, Max Start, Start Period, Supplicant Name, Supplicant Password; one row per port starting at 6.1 (the row values are not recoverable from the extracted page)]
Section IV Web Browser Management The chapters in Section IV explain how to manage an AT-8400 switch using a web browser.
Chapter 26 Starting a Web Browser Management Session This chapter contains the procedure for starting a management session on an AT-8400 Series switch using a web browser, such as Microsoft Internet Explorer or Netscape Navigator.
AT-S60 Management Software User’s Guide Starting a Web Browser Management Session This section explains how to start a web browser management session. To start a web browser management session with the AT-S60 software, there must be at least one AT-8400 Series switch on your network that has been assigned an IP address. The switch with the IP address is referred to as the master switch.
Chapter 26: Starting a Web Browser Management Session 2. Enter the IP address of the switch in the URL field of the browser, as shown in Figure 153. Switch’s IP Address Figure 153 Entering a Switch’s IP Address in the URL Field 3. When prompted, enter a user name and password. For information about login IDs, see Management Access Levels on page 30. You cannot change the user names. However, you can change the passwords, as explained in Configuring the Management Passwords on page 58.
AT-S60 Management Software User’s Guide The main menu is on the left side of the Home page. It consists of the following menus: ❑ Configuration ❑ Monitoring ❑ Logout Note The main menu includes an Enhanced Stacking option when enhanced stacking is implemented. Browser Tools You can use the browser’s bookmark feature to record the IP address of the switch. Note After 10 minutes of inactivity, a web browser management session times out.
Chapter 27 Basic Switch Parameters This chapter provides the following procedures for configuring basic switch parameters using a web browser management session: ❑ Configuring an IP Address and Switch Name on page 433 ❑ Setting the System Time on page 438 ❑ Activating the BOOTP and DHCP Services on page 441 ❑ Displaying System Information on page 442 ❑ Configuring the SNMP Parameters and Trap IP Addresses on page 445 ❑ Resetting a Switch on page 452 ❑ Pinging a Remote System on page 453 ❑ Returning the AT
AT-S60 Management Software User’s Guide Configuring an IP Address and Switch Name This procedure describes the parameters in the Administration section of the Configuration Menu. The Configuration and MAC Address Aging Time parameters are discussed later in this guide. Note For guidelines on when to assign an IP address, subnet address, and gateway address to an AT-8400 Series switch, refer to Assigning an IP Address to a Switch on page 42.
Chapter 27: Basic Switch Parameters The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155. Figure 155 Configuration System Page, General Tab Note The Save Changes button is only displayed when you have made changes on another configuration tab.
AT-S60 Management Software User’s Guide 2. Change the following parameters as desired: System Name This parameter specifies a name for the switch (for example, Sales Ethernet switch). Entering a value for this parameter is optional. Note Allied Telesyn International recommends that you assign a name to each switch because switch names help you identify the various switches in your network. Knowing a switch’s name ensures you perform a configuration procedure on the correct switch.
Chapter 27: Basic Switch Parameters Manager Password Manager Confirm Password These parameters are used to change the administrator’s login password for the switch. The password can be from 0 to 20 characters in length. The same password is used for both local and remote management sessions. To create a new password, enter the new password into both fields. The default password is “friend.
AT-S60 Management Software User’s Guide 3. After you have set the parameters, click Apply. Your changes are activated on the switch. To save your changes, return to the System tab and click Save Changes. The changes you made are saved on the switch. Note Changes to any of the above parameters, including the IP address and subnet mask, are activated on the switch immediately. Changing the IP address of the switch can cause the loss of the remote management session.
Chapter 27: Basic Switch Parameters Setting the System Time To set system time manually on the switch, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434. 2. Select the System Time tab. The System Time tab is shown in Figure 156. Figure 156 Configuration System Page, System Time Tab 3. In the System Time section, specify the time and date for the switch.
AT-S60 Management Software User’s Guide 5. In the Additional Time Parameters section you can specify the UTC offset and enable or disable daylight savings time: UTC Offset - Specify the difference between UTC and local time. The default is 0 hours. The range is -12 to +12 hours. Daylight Savings Time - Click Enabled to enable or Disabled to disable the switch’s ability to adjust the system time to daylight savings time. 6. Click Apply. Your changes are activated on the switch.
Chapter 27: Basic Switch Parameters Setting Up SNTP When you set up SNTP, the switch polls an SNTP or NTP server for the time. SNTP is a reduced version of the Network Time Protocol (NTP). However, it is important to note that SNTP servers and clients are interoperable with NTP servers and clients. Note For more information about SNTP, refer to Setting the System Time on page 52. To set up SNTP, perform the following procedure: 1. From the Home Page, select Configuration.
AT-S60 Management Software User’s Guide Activating the BOOTP and DHCP Services For background information on BOOTP and DHCP, refer to the section Activating the BootP and DHCP Services on page 50. To activate or deactivate the BOOTP and DHCP protocols on the switch from a web browser management session, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434. 2.
Chapter 27: Basic Switch Parameters Displaying System Information To view system information, you access the Monitoring page. The parameters on this page are for viewing only; you cannot change any of the values from this page. To view basic information about the switch, perform the following procedure: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157.
AT-S60 Management Software User’s Guide The sections in the tab are defined below. General This section displays the basic switch information. The values cannot be changed at this menu. For the procedure to change the values of the System Name, Administrator, Comments, IP Address, Subnet Mask, and Default Gateway parameters, see Configuring an IP Address and Switch Name on page 433.
Chapter 27: Basic Switch Parameters ❑ Switch Mode - Defines the switch’s current VLAN mode. If this parameter displays “Tagged,” the switch supports port-based and tagged VLANs. If this parameter displays “Basic,” the switch is operating in the Basic VLAN Mode. For information about VLANs, refer to the overview sections in Chapter 13, Virtual LANs on page 240. For instructions on how to set the switch’s VLAN mode from a web browser management session, refer to Setting the Switch’s VLAN Mode on page 529.
AT-S60 Management Software User’s Guide Configuring the SNMP Parameters and Trap IP Addresses This procedure allows you to create SNMP communities that have access to the switch. In creating an SNMP community, you can specify up to eight IP addresses of management stations that can access the switch. In addition, you can specify up to eight trap receiver IP addresses of trap receivers that can receive authentication failure trap messages from the switch.
Chapter 27: Basic Switch Parameters 3. Adjust the following parameters as desired: Enable SNMP Access Use this parameter to enable the switch to be remotely managed with an SNMP application program. Note If the check box in the Enable SNMP Access box is empty, the switch cannot be managed through SNMP. This is the default. Enable Authentication Failure Trap Use this selection to allow trap receiver IP addresses to be specified.
AT-S60 Management Software User’s Guide The Add New SNMP Community page is shown in Figure 159. Figure 159 Add New SNMP Community Page 6. Configure the following parameters: Community Name Enter an SNMP community name that consists of up to 15 alphanumeric characters. Status Click Enable to enable the SNMP community. Click Disable to disable the SNMP community.
Chapter 27: Basic Switch Parameters Access Mode Click Read Only to allow read access to the SNMP community. To allow read-write access to the SNMP community, click Read-Write. Allow Any Station Click this option to allow any SNMP manager to access the switch. When you click this option, a warning message appears on the screen. Click OK to continue. Manager IP Address 1 through Manager IP Address 8 Enter the IP address of a management station that is permitted SNMP manager access to the switch.
AT-S60 Management Software User’s Guide Figure 160 Modify SNMP Community Page 4. Modify the following parameters: Community Name This field is not configurable from this page. It is the name of the SNMP community. Status Click Enable to enable the SNMP community. Click Disable to disable the SNMP community. Access Mode Click Read Only to allow read access to the SNMP community. Click Read-Write to allow read-write access to the SNMP community.
Chapter 27: Basic Switch Parameters Allow Any Station Click this option to allow any SNMP manager to access the switch. When you click this option, a warning message appears on the screen. Click OK to continue. Manager IP Address 1 through Manager IP Address 8 Enter the IP address of a management station that is permitted SNMP manager access to the switch. You can enter up to 8 Manager IP Addresses.
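How the community settings on these pages gate a request (global SNMP access, community status, Read Only versus Read-Write, Allow Any Station versus the manager IP list, and the authentication failure trap), as an added model written for this page rather than Allied Telesyn code. The `netops` and `public` community names and every IP address are constructed sample values, and the model assumes that a set request against a read-only community is simply refused without raising a trap.

```python
"""Constructed model of the AT-S60 SNMP community settings: community name,
status, access mode, Allow Any Station, up to eight manager IP addresses and
the authentication failure trap. Illustration for this page, not Allied
Telesyn code."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Tuple

MAX_MANAGERS = 8        # Manager IP Address 1 through 8
MAX_TRAP_RECEIVERS = 8
MAX_NAME_LEN = 15       # community name: up to 15 alphanumeric characters


@dataclass
class Community:
    name: str
    enabled: bool = True              # Status: Enable / Disable
    read_write: bool = False          # Access Mode: Read Only unless set
    allow_any_station: bool = False
    manager_ips: Tuple[str, ...] = ()


@dataclass
class SnmpConfig:
    snmp_access: bool = False         # Enable SNMP Access; factory default off
    auth_failure_trap: bool = False   # Enable Authentication Failure Trap
    trap_receivers: Tuple[str, ...] = ()
    communities: Dict[str, Community] = field(default_factory=dict)


def validate(cfg: SnmpConfig) -> List[str]:
    """Report settings outside the documented limits and risky combinations."""
    issues: List[str] = []
    if len(cfg.trap_receivers) > MAX_TRAP_RECEIVERS:
        issues.append("more than 8 trap receiver IP addresses")
    for c in cfg.communities.values():
        if not (0 < len(c.name) <= MAX_NAME_LEN and c.name.isalnum()):
            issues.append(f"{c.name!r}: name must be 1 to 15 alphanumeric characters")
        if len(c.manager_ips) > MAX_MANAGERS:
            issues.append(f"{c.name!r}: more than 8 manager IP addresses")
        for ip in c.manager_ips:
            try:
                ip_address(ip)
            except ValueError:
                issues.append(f"{c.name!r}: {ip!r} is not a valid IP address")
        if c.enabled and c.allow_any_station and c.read_write:
            issues.append(f"{c.name!r}: read-write access open to any station")
        if c.enabled and not c.allow_any_station and not c.manager_ips:
            issues.append(f"{c.name!r}: enabled but no manager station is listed")
    if cfg.snmp_access and not cfg.auth_failure_trap:
        issues.append("authentication failure trap disabled: failed "
                      "community lookups are not reported")
    return issues


@dataclass
class Decision:
    allowed: bool
    reason: str
    traps_sent_to: Tuple[str, ...] = ()


def authorize(cfg: SnmpConfig, source_ip: str, community_name: str,
              operation: str) -> Decision:
    """Decide one SNMP request; operation is 'get' or 'set'."""
    if not cfg.snmp_access:
        return Decision(False, "SNMP access is disabled on the switch")
    # Receivers that get an authentication failure trap for a bad request
    traps = cfg.trap_receivers if cfg.auth_failure_trap else ()
    c = cfg.communities.get(community_name)
    if c is None or not c.enabled:
        return Decision(False, "unknown or disabled community", traps)
    if not c.allow_any_station and source_ip not in c.manager_ips:
        return Decision(False, f"{source_ip} is not a manager station", traps)
    if operation not in ("get", "set"):
        return Decision(False, f"unsupported operation {operation!r}")
    if operation == "set" and not c.read_write:
        # Assumption: a set via a read-only community is refused, no trap sent
        return Decision(False, f"{c.name!r} is read only")
    return Decision(True, f"{operation} permitted via {c.name!r}")
```

The `validate` report is the useful part for a defender: an enabled read-write community with Allow Any Station set is exactly the combination the switch warns about when you click that option.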
AT-S60 Management Software User’s Guide The SNMP tab is shown in Figure 161 Figure 161 Monitoring Page, SNMP Tab
Chapter 27: Basic Switch Parameters Resetting a Switch To reset a switch, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434. 2. Click the Reset button at the bottom of the page. A confirmation prompt is displayed. 3. Click OK to reset the switch or Cancel to cancel the procedure. Resetting the switch ends your web browser management session.
AT-S60 Management Software User’s Guide Pinging a Remote System You can instruct the switch to ping a node on your network. This procedure is useful in determining whether a valid link exists between the switch and another device. To ping a network device, perform the following procedure: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442. 2. Select the Ping Client tab.
Chapter 27: Basic Switch Parameters Returning the AT-S60 Software to the Factory Default Values The procedure in this section returns all AT-S60 software parameters, except the IP address, subnet mask, and gateway address, to their default values. This procedure also deletes any VLANs that you have created on the switch. Note The AT-S60 software default values are described in Appendix A, AT-S60 Default Settings on page 585.
AT-S60 Management Software User’s Guide 3. Click the Reset Switch After Setting Defaults checkbox. 4. Click Apply. 5. Follow the prompts.
Chapter 27: Basic Switch Parameters Downloading a New Software Version You can download a new software version to your switch using TFTP and then reboot the switch to initialize the new files using the web interface. Note You can only download a .img file type (image file) using the web interface. To download any other file type (.cer, .cfg, etc.) use either the Telnet or local interface. See (x-ref local File System chapter) for more information about file types.
AT-S60 Management Software User’s Guide 3. In the TFTP BootLoader/Image Download section, fill in the following parameters: TFTP Server IP Address The IP address of the TFTP server where the software image is located. Remote Image File Name The path and name of the software image. The file name can be a maximum of 20 characters long. Note The file you are downloading must be stored in the download directory of the TFTP server. 4.
Chapter 27: Basic Switch Parameters 8. Click OK. The switch reboots and the web management session is terminated. Note Rebooting the switch terminates the web management session. Allow several minutes before you restart the web management session while the AT-8400 switch decompresses and reinitializes the new image.
Chapter 28 Enhanced Stacking

This chapter introduces enhanced stacking, describes how to assign enhanced stacking status to an AT-8400 Series Switch, and describes how to select a remote switch using a web browser management session.

Overview

Using a web browser management session, you can view and set the enhanced stacking status of the switch. In addition, you can view and manage other switches in an enhanced stack. For detailed information about enhanced stacking, see Enhanced Stacking Overview on page 80. The enhanced stacking status of the switch can be master, slave, or unavailable.

Setting a Switch’s Enhanced Stacking Status

To adjust a switch’s enhanced stacking status, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.
3.

Selecting a Switch in an Enhanced Stack

You can use the AT-S60 software to access a remote switch from a master switch. The remote switch can be either a slave or a master. When you start a web browser management session on the master switch, you are addressing only the master switch. Consequently, the management tasks that you perform only affect the master switch. To manage a remote switch in the same subnet, you need to select it from the master switch.
The master switch polls the network for all remote switches in the same subnet and displays a list of the switches in the Enhanced Stacking page. See Figure 166.
Figure 166 Enhanced Stacking Page
To sort the switches in the list by switch name or MAC address, click on the column headers. By default, the list is sorted by MAC addresses. To refresh the list, click Refresh. This instructs the master switch to poll the subnet for all available switches again.
2.
The Home page for the remote switch you selected is displayed. An example is shown in Figure 167. You can now manage the remote switch.
Figure 167 AT-S39 Home Page
For information about the remote switch you selected, consult the appropriate Allied Telesyn documentation.

Returning to the Master Switch

When you have finished managing a remote switch, select the Disconnect option on the Home page of the remote switch.
Chapter 29 Port Parameters

The procedures in this chapter allow you to view and change the parameter settings for the individual ports on a switch using a web browser management session. Examples of port parameters that you can adjust include duplex mode and port speed.

Configuring Port Parameters

This procedure describes how to configure one or more ports on an AT-8400 switch. It is important to note that when you select multiple ports for configuration, you are making the same configuration changes on all of the ports. To configure the parameter settings for a port or ports on a switch, perform the following procedure:
1. From the Home Page, select Configuration.
Caution: Use caution when you update the port that is connected to your management workstation and is communicating with the switch. When you make changes to this port, you could inadvertently lose your management session.
4. Click Modify. The Port Configuration page is shown in Figure 169.
To select a value, click the circle next to it. Possible values are:
❑ Auto-Negotiate: Select Auto-Negotiation to set both speed and duplex mode for the port automatically. This is the default setting.
❑ 10 Mbps - Half Duplex: Select this value to set the port or ports to a speed of 10 Mbps and half-duplex mode.
❑ 10 Mbps - Full Duplex: Select this value to set the port or ports to a speed of 10 Mbps and full-duplex mode.
❑ High - Indicates high priority has been assigned to the port. As a result, all tagged and untagged packets are sent to the high priority queue.
Status - You use this selection to enable or disable a port. When disabled, a port does not receive or transmit frames. For example, you may want to disable a port and prevent packets from being forwarded if a problem occurs with the node or cable connected to the port.
Flow Control - Flow control applies only to ports operating in full-duplex mode. The switch uses a special pause packet to stop the end node from sending frames. The pause packet notifies the end node to stop transmitting for a specified period of time. To select a value, click the circle next to it. Possible values are:
❑ Auto - Indicates the port conforms to the flow control setting of the end node.

Displaying Port Status and Statistics

The procedures in this section display the operating status of the ports on a switch and port statistics. You can view a port’s operating speed, duplex mode, MDI/MDI-X configuration, and more. You can also view the operating status of any GBIC modules installed.

Displaying Port Status

To display the status of a port, perform the following procedure:
1. From the Home page, select Monitoring.
3. Click on a port. You can select more than one port at a time when you want to display port status. However, you can select only one port when displaying statistics. After you select a port, it turns white. (To deselect a port, click it again.)
4. Click Status to display the port’s operating status. The Port Status page is shown in Figure 171.
Figure 171 Port Status Page
The information on this page is for viewing purposes only.
Link - The status of the link between the port and the end node connected to the port. Possible values are:
❑ Up - Indicates that a valid link exists between the port and the end node.
❑ Down - Indicates that the port and the end node have not established a valid link.
Neg - The status of Auto-Negotiation on the port. Possible values are:
❑ Auto - Indicates that the port is using Auto-Negotiation to set operating speed and duplex mode.
STP State - The current operating status of the port. Possible values are:
❑ Forwarding - The port is sending and receiving Ethernet frames. This is the normal state for a switch port.
❑ Disabled - STP operations have been disabled on the port.
❑ Blocking - This is the standby mode. The port does not participate in frame relay. The forwarding process discards received frames and does not submit forwarded frames for transmission.
You can select only one port when displaying statistics. After you select a port, it turns white. (To deselect a port, click it again.)
4. Click Statistics. The Port Statistics page is shown in Figure 172.
Figure 172 Port Statistics Page
Note: To view the status of the port, click Status.
The information on this page is described below:
Bytes Received - Number of bytes received on the port.
Frames Received - Number of frames received on the port.
Bytes Sent - Number of bytes transmitted from the port.
Frames Sent - Number of frames transmitted from the port.
Broadcast Frames Sent - Number of broadcast frames transmitted from the port.
Multicast Frames Sent - Number of multicast frames transmitted from the port.
Jabber - Number of received packets in which the packet data is greater than MAXFRAMESIZE and the packet has an invalid CRC.
Chapter 30 Port Security

This chapter explains how to display the port security status using a web browser management session. It contains the following procedure:
❑ Displaying the Port Security Level on page 478
Note: For background information on port security, refer to Port Security Overview on page 102.
Note: You cannot set up port security from a web browser management session. To set port security, use a local or Telnet management session.

Displaying the Port Security Level

To display the switch’s port security levels, perform the following procedure:
1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.
2. Select the Layer 2 option. The Monitoring Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.
3. Select the Port Security tab.
4. Click on the ports to display their security status. After you click on a port, it turns white. You can select multiple ports to display. (To deselect a port, click it again.)
5. Click View. The Security for Ports page is shown in Figure 174. This page displays the current security levels of the ports you selected.
❑ Lock all ports: The Lock All Ports security level causes the switch to immediately stop learning new dynamic MAC addresses on behalf of the specified port. For detailed information about the security mode parameter, see Port Security Overview on page 102.
Intruder Action - Indicates the action taken by the port if the security on the port is violated.
Chapter 31 Port Trunking

This chapter explains how to configure a port trunk using a web browser management session. This chapter contains the following procedures:
❑ Creating or Deleting a Port Trunk on page 482
❑ Modifying a Port Trunk on page 485
❑ Displaying the Port Trunks on page 487
Note: For background information on port trunking, refer to Port Trunking Overview on page 110.

Creating or Deleting a Port Trunk

The following procedures allow you to create or delete a port trunk using the web browser management session.

Creating a Port Trunk

To create a port trunk, perform the following procedure:
Caution: Configure the software for ports on the switch and the end node before you connect the cables of a port trunk. Connecting the cables prior to configuring the ports can create loops in your network topology. Loops can result in broadcast storms.
4. Click Add. The Add New Trunk page is shown in Figure 176.
Figure 176 Add New Trunk Page
5. Enter the name of the trunk in the Trunk Name box.
6. Click on the ports you want to include in the trunk. Selected ports turn white. To deselect a port, click it again.
7. Scroll down the page.
8. Click Apply. You are returned to the Port Trunking page. It is updated with the new trunk port information. The new port trunk is immediately activated on the switch.
9.
10. Configure the ports on the remote switch for port trunking. You can now connect the data cables to the ports of the trunk on the switch.

Deleting a Port Trunk

To delete a port trunk, perform the following procedure:
Caution: Before you delete a trunk in software, disconnect the cables from the ports. Deleting the trunk without disconnecting the data cables can create a loop in your network topology. This situation can result in broadcast storms.
1.

Modifying a Port Trunk

This procedure allows you to modify a port trunk using a web browser management session. To modify a port trunk, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.
2. From the Configuration menu, select the Layer 1 option.
The Modify Trunk page is shown in Figure 177.
Figure 177 Modify Trunk Page
5. Click on the ports to select them for port trunking. Selected ports turn white. Click again to deselect a port.
6. Click Apply.
7. The Port Trunking page opens as shown in Figure 175 on page 482. Your changes are immediately activated on the switch.
8. To save your changes, return to the General tab and click Save Changes. Your changes are saved on the switch.

Displaying the Port Trunks

This procedure allows you to view the port trunk settings using a web browser management session. To display the port trunks, perform the following procedure:
1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.
2. Select the Layer 1 option.
Chapter 32 Port Mirroring

This chapter explains how to configure a port mirror using a web browser management session. This chapter contains the following procedures:
❑ Creating a Port Mirror on page 489
❑ Deleting a Port Mirror on page 491
❑ Modifying a Port Mirror on page 492
❑ Displaying the Port Mirror List on page 494
Note: For background information on port mirroring, refer to Port Mirroring Overview on page 125.

Creating or Deleting a Port Mirror

Use the following procedures to create, delete, or modify a port mirror. For information about how ports are specified, see Specifying Ports on page 31. After you have made your changes, you need to save them on the Configuration System page.

Creating a Port Mirror

To create a port mirror, perform the following procedure:
1. From the Home Page, select Configuration.
The Add New Mirror page is displayed as shown in Figure 180.
Figure 180 Add New Mirror Page
5. Click the ports in the graphical switch image. Click once for S, which stands for the source mirror port. Click twice for D, which stands for the destination mirror port. Click three times to deselect a port.
6. Click Apply. The Port Mirroring tab is displayed. It reflects the changes you made in Step 6. The port mirror is immediately activated on the switch.

Deleting a Port Mirror

Use this procedure to delete a port mirror using a web browser management session.
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.
2. Select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab selected by default, as shown in Figure 168 on page 466.
3. Select the Port Mirroring tab.

Modifying a Port Mirror

To change the source mirror port or the destination mirror port on an existing port mirror, perform the following procedure.
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.
2. Select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab selected by default, as shown in Figure 168 on page 466.
3.
5. Make your changes to the mirror ports. Click once to select S - source mirror port. To change your D - destination mirror port, you must deselect your current destination port mirror by clicking it off. Then you can click on a new destination port mirror.
6. Click Apply. Your changes are activated on the switch. The Port Mirroring page opens with the new ports. To save your changes, return to the General tab and click Save Changes.

Displaying the Port Mirror List

This procedure allows you to view the list of port mirrors using a web browser management session.
1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.
2. Select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab selected by default, as shown in Figure 170 on page 471.
3. Select the Port Mirroring tab.
Chapter 33 STP, RSTP, and MSTP

This chapter explains how to configure STP, RSTP, and MSTP parameters on an AT-8400 chassis using a web browser management session. It contains the following procedures:
❑ Enabling STP, RSTP, or MSTP on page 496
❑ Configuring STP on page 498
❑ Configuring RSTP on page 502
❑ Configuring MSTP on page 507
❑ Displaying STP, RSTP, or MSTP Settings on page 517
Note: For background information on STP and RSTP, refer to STP and RSTP Overview on page 185.

Enabling STP, RSTP, or MSTP

The AT-8400 Series switch can support the three spanning tree protocols STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. So before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol. Once selected, you can then enable or disable it.
Note: If you do not want to change the active spanning tree protocol and just want to enable or disable it, go to Step 5.
4. To change the active spanning tree protocol on the switch, click STP, RSTP, or MSTP in the Active Protocol Version section of the tab. The default is RSTP.
Note: Only one spanning tree protocol can be active on the switch at a time.
5. To enable or disable the active spanning tree protocol on the switch, click the Enable Spanning Tree check box.

Configuring STP

To configure STP, perform the following procedure:
Caution: The bridge provides default STP parameters that are adequate for most networks. Changing the STP parameters without prior experience and an understanding of how STP works may have a negative effect on your network. Consult the IEEE 802.1d standard before changing any of the STP parameters.
1.
Figure 184 Expanded STP Spanning Tree Tab
3. In the Configure STP Parameters section, adjust the bridge STP settings as needed. The parameters are described below.
Bridge Priority - The priority number for the bridge. This number is used in determining the root bridge for STP. The bridge with the lowest priority number is selected as the root bridge. This parameter can be from 0 (zero) to 15, with 0 having the highest priority. For a list of the increments, refer to Table 5, Bridge Priority Value Increments on page 187.
Bridge Hello Time - The time interval between generating and sending configuration messages by the bridge. This parameter can be from 1 to 10 seconds. The default is 2 seconds.
The STP Settings page is shown in Figure 185.
Figure 185 STP Settings Page
6. Adjust the settings as desired. The parameters are described below.
Port Priority - This parameter is used as a tie breaker when two or more ports are determined to have equal costs to the root bridge. The default value for priority is 128. The range is 0-15, with 0 having the highest priority.

Configuring RSTP

To configure RSTP, perform the following procedure:
Caution: The bridge provides default RSTP parameters that are adequate for most networks. Changing them without prior experience and an understanding of how RSTP works might have a negative effect on your network. Consult the IEEE 802.1w standard before changing any of the RSTP parameters.
1. Follow the steps in the procedure described in Enabling STP, RSTP, or MSTP on page 496.
2.
Figure 186 Expanded RSTP Spanning Tree Tab
4. In the Configure RSTP Parameters section, adjust the parameters as desired. The parameters are defined below.
Force Version - This selection determines whether the bridge operates with RSTP or in an STP-compatible mode. The default is RSTP. If you select RSTP, the bridge operates all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge operates all ports in STP.
If two bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge. When a root bridge goes off-line, the bridge with the next priority number automatically takes over as the root bridge. This parameter can be from 0 (zero) to 15, with 0 having the highest priority.
The RSTP Settings page is shown in Figure 187.
Figure 187 RSTP Settings Page
7. Adjust the settings as desired. The parameters are described below.
Port Priority - This parameter is used as a tie breaker when two or more ports are determined to have equal costs to the root bridge. The range is 0 to 240, in increments of 16. The default value is 8 (priority value of 128). For a list of the increments, refer to Table 7, Port Priority Value Increments on page 189.
Point-to-Point - This parameter defines whether the port is functioning as a point-to-point port. The default setting is Auto Detect, which sets port cost depending on the speed of the port. Default values are 100 for a 10 Mbps port, 10 for a 100 Mbps port, and 4 for a 1 Gbps port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 190.
Edge Port - This parameter defines whether the port is functioning as an edge port.

Configuring MSTP

This section contains the following procedures:
❑ Configuring MSTP Parameters on page 507
❑ Configuring the CIST Priority on page 510
❑ Creating, Deleting, or Modifying MSTI IDs on page 511
❑ Adding, Removing, or Modifying VLAN Associations to MSTIs on page 513
❑ Configuring MSTP Port Parameters on page 515
Note: MSTP must be selected as the active spanning tree protocol on the switch before you can configure it.
Figure 188 Expanded MSTP Spanning Tree Tab
Note: This procedure explains the Configure MSTP Parameters section of the page. The CIST/MSTI Table is explained in Adding, Removing, or Modifying VLAN Associations to MSTIs on page 513. The graphic image of the switch is described in Configuring MSTP Port Parameters on page 515.
5. In the Configure MSTP Parameters section, adjust the parameters as needed. The parameters are described below.
All bridges in a single-instance bridged LAN use this aging time to test the age of stored configuration messages called bridge protocol data units (BPDUs). For example, if you use the default of 20, all bridges delete current configuration messages after 20 seconds. The range of this parameter is from 6 to 40 seconds. The default is 20 seconds.

Creating, Deleting, or Modifying MSTI IDs

To create, delete, or modify MSTI IDs, perform one of the following procedures.

Creating an MSTI ID

To create an MSTI ID, do the following:
1. Display the Spanning Tree Expanded page for MSTP by performing Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 507.
2. In the CIST/MSTI Table section of the tab, click Add. The Add New MSTI page is displayed as shown in Figure 189.

Deleting an MSTI ID

To delete an MSTI ID, do the following:
1. Display the Spanning Tree Expanded page for MSTP by performing Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 507.
2. In the CIST/MSTI Table section of the tab, click the circle next to the MSTI ID you want to delete. You can select only one MSTI ID at a time.
3. Click Remove.
4. A confirmation prompt is displayed.
5. Click OK to delete the MSTI or Cancel to cancel the procedure.
6.
4. In the Priority field, enter a new MSTI Priority value. This parameter is used in selecting a regional root for the MSTI. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 5, Bridge Priority Value Increments on page 187. The default is 0.
5. Click Apply. To save your changes, return to the General tab and click Save Changes. The changes you made are saved on the switch.
6.

Modifying a VLAN Association

To modify a VLAN association, do the following:
1. Display the Spanning Tree Expanded page for MSTP by performing Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 507.
2. In the CIST/MSTI Table section of the tab, in the VLAN Associations field, modify the VIDs of the VLANs that you no longer want to be associated with this MSTI. You can specify more than one VID at a time (e.g., 2,4,7).
3. Click Apply.

Configuring MSTP Port Parameters

To configure MSTP port parameters, perform the following procedure:
1. Perform Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 507 to display the expanded Spanning Tree page for MSTP.
2. In the diagram of the switch at the bottom of the MSTP Spanning Tree Expanded page, click the ports you want to configure. You can select more than one port at a time.
3. Click Configure.
Edge Port - This parameter defines whether the port is functioning as an edge port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 190.
Point-to-Point - This parameter defines whether the port is functioning as a point-to-point port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 190.

Displaying STP, RSTP, or MSTP Settings

To display spanning tree parameter settings, perform the following procedure:
1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.
2. Select the Layer 2 option. The Monitoring Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.
3. Select the Spanning Tree tab.
Figure 193 shows an example of the Monitor STP Parameters tab. The contents of this tab differ depending on which spanning tree protocol is active on the switch. The information in this page is for viewing purposes only.
Figure 193 Monitoring Layer 2 Page, Spanning Tree Tab
5. To view port settings, click a port in the switch and click Settings. You can select more than one port.
The STP Settings page is shown in Figure 194.
Figure 194 STP Settings Page
6. Click OK.
Chapter 34 Virtual LANs

This chapter explains how to create, modify, and delete VLANs using a web browser management session. In addition, this chapter explains how to change a switch’s VLAN operating mode.

Creating a VLAN

To create a new port-based or tagged VLAN, perform the following procedure. Before you create a VLAN, you may want to set the VLAN mode for a switch. See Setting the Switch’s VLAN Mode on page 529.
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.
2. From the Configuration menu, select the Layer 2 option.
The Add New VLAN page is shown in Figure 196.
Figure 196 Add New VLAN Page
5. In the VID field, enter a VID value for the new VLAN. The range of the VID value is 2 to 4094. The default is the next available VID number on the switch. If this is a unique VLAN in your network, its VID must be unique as well. However, if the VLAN is to be part of a larger VLAN that spans multiple switches, assign the same VID value on each switch.
The name can be from one to 18 characters in length. The name should reflect the function of the nodes of the VLAN (for example, Sales or Accounting). The name can contain spaces but not special characters, such as asterisks (*) or exclamation points (!). If the VLAN is to be unique in your network, the name should be unique as well.

Modifying a VLAN

To modify a port-based or tagged VLAN, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.
3. Select the VLAN tab.
6. Modify the VLAN parameters by referring to Step 6 through Step 7 in the previous procedure, Creating a VLAN on page 521. When you modify a VLAN, observe the following guidelines:
❑ You cannot change the VID of a VLAN.
❑ You cannot change the name of any VLAN.
7. After making the desired changes, click Apply. The modified VLAN is now ready for network operations.

Deleting a VLAN

To delete a port-based or tagged VLAN from the switch, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.
3. Select the VLAN tab.

Displaying VLANs

To display all the existing VLANs on a switch, perform the following procedure:
1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.
2. Select the Layer 2 option. The Monitoring Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.
3. Select the VLAN tab.
Type - The VLAN type: port-based or tagged.
Protocol - The only option is GVRP.
Tagged(T)/Untagged(U) Ports - Which ports are tagged (T) and which are untagged (U).

Setting the Switch’s VLAN Mode

This section contains the procedure for setting a switch’s VLAN mode. You can configure a switch to support port-based and tagged VLANs or to operate in the Basic VLAN mode. A change to VLAN status is not activated until you reset the switch.
Note: Refer to Chapter 13, Virtual LANs on page 240, for descriptions of port-based and tagged VLANs and the Basic VLAN mode.
To set the switch’s VLAN mode, perform the following procedure:
1.
Chapter 35 GARP VLAN Registration Protocol This chapter about web server security contains the following procedures: ❑ Configuring GVRP on page 531 ❑ Resetting GVRP to the Defaults on page 533 ❑ Modifying the GVRP Port Configuration on page 534 ❑ Displaying the GVRP Settings on page 535 Note For background information on GVRP, refer to GARP VLAN Registration Protocol (GVRP) Overview.
AT-S60 Management Software User’s Guide Configuring GVRP To configure GVRP, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434. 2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541. 3. Select the GVRP tab. The GVRP tab is shown in Figure 199.
Chapter 35: GARP VLAN Registration Protocol 4. Configure the following parameters: Enable GVRP Click in this box to enable GVRP. Leave Time Sets the duration of the Leave Period timer. The range is from 30 to180 centiseconds and the default is 60. Join Time Sets the duration of the Join Period timer. The range is from 10 to 60 centiseconds and the default is 20. Enable GIP Enables the operation of GIP.
AT-S60 Management Software User’s Guide Resetting GVRP to the Defaults To reset GVRP to the defaults: 1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434. 2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541. 3. Select the GVRP tab. The GVRP tab is shown in Figure 199 on page 531.
Chapter 35: GARP VLAN Registration Protocol Modifying the GVRP Port Configuration To modify the GVRP port configuration: 1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434. 2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541. 3. Select the GVRP tab.
AT-S60 Management Software User’s Guide Displaying the GVRP Settings Use this procedure to view the GVRP settings: 1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442. 2. Select the Layer 2 option. The Monitoring Layer 2 page is displayed with the MAC Address tab selected by default, as shown Figure 204 on page 541. 3. Select the GVRP tab. The GVRP tab is shown in Figure 201.
Chapter 35: GARP VLAN Registration Protocol The GVRP Port Configuration page is shown in Figure 202. Figure 202 GVRP Port Configuration Page 5. To display the GVRP counters, click View GVRP Counters in the View GVRP Parameters section.
AT-S60 Management Software User’s Guide The GVRP Counters page is shown in Figure 203. Figure 203 GVRP Counters Page The information on this page is described below: Receive: Total GARP Packets Total number of GARP packets (PDUs) received by this GARP application. Transmit: Total GARP Packets Total number of GARP packets (PDUs) transmitted by this GARP application. Receive: Invalid GARP Packets Number of invalid GARP packets (PDUs) received by this GARP application.
Transmit Discarded: GARPDisabled
Number of GARP packets (PDUs) discarded because the GARP application was disabled. This counter is incremented when ports are added to or deleted from the GARP application arising from port movements in the underlying VLAN or STP.

Receive Discarded: Port Not Listening
Number of GARP packets (PDUs) discarded because the port that the packets were received on was not listening, that is, MODE=NONE has been set on the port.
Transmit GARP Messages: JoinIn
Total number of GARP JoinIn messages transmitted for all attributes in the GARP application.

Receive GARP Messages: LeaveEmpty
Total number of GARP LeaveEmpty messages received for all attributes in the GARP application.

Transmit GARP Messages: LeaveEmpty
Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.
Chapter 36
MAC Address Table

This chapter describes how to view the dynamic and static addresses in the MAC address table of the switch using a web browser management session. It contains the following procedures:

❑ Displaying the MAC Address Table on page 541
❑ Adding Static Unicast and Multicast MAC Addresses on page 544
❑ Deleting MAC Addresses on page 546
❑ Changing the Aging Time on page 547

Note
For background information on MAC addresses, refer to MAC Address Overview on page 308.
Displaying the MAC Address Table

To view the MAC address table, perform the following procedure:

1. From the Home Page, select either Configuration or Monitoring. If you select Configuration, the Configuration System page is displayed with the General tab displayed by default, as shown in Figure 155 on page 434.

2. Select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab shown by default.
View Static MAC Addresses
This option displays only the static MAC addresses. Static MAC addresses are addresses that you entered manually into the MAC address table.

View IP Multicast Addresses
This option displays the multicast MAC addresses.

View MAC Addresses on Port(s)
This option is used to display the MAC addresses learned on a particular port. For information about how to specify ports, see Specifying Ports on page 31.
The MAC addresses are displayed in a table. The columns in the table are:

VLAN ID
The VID of the VLAN to which the port is an untagged member.

MAC ADDRESS
The MAC addresses of the nodes connected to the port.

PORT
The port on the switch where the MAC address was learned or assigned. See Specifying Ports on page 31.

TYPE
The MAC address type. The type can be either static or dynamic.

4. Click Close.
Adding Static Unicast and Multicast MAC Addresses

This section contains the procedure for assigning a static unicast or multicast address to ports on the switch. You can assign up to 255 static MAC addresses per port.

Note
When you add a static multicast address, you must assign the address to all ports on the switch that belong to the multicast group. This includes the ports connected to the multicast application server and the host nodes.
5. In the Port Number field, enter the port number that is to be assigned the MAC address. You can specify more than one port. For information about specifying ports, see Specifying Ports on page 31.

6. In the VLAN ID field, enter the VLAN ID for the specified port. The range of VLAN IDs is 1 to 4094, with 1 as the default VLAN ID.

7. Click Apply. The MAC Addresses Table page is displayed as shown in Figure 204 on page 541.

8.
Deleting MAC Addresses

To delete a static, dynamic, or multicast MAC address from the switch, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.

2. From the Configuration menu, select the Layer 2 option. The Layer 2 page is displayed with the MAC Address tab selected by default, as shown in Figure 204 on page 541.

3.
Changing the Aging Time

The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table for the period specified by the aging time, the switch deletes the address. This prevents the table from filling with the addresses of inactive nodes. The default setting for the aging time is 300 seconds (5 minutes).
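As an added example that is not part of this guide or of the AT-S60 software, the Python model below implements the table behaviour the last three sections describe: dynamic entries are learned per port and deleted once idle for longer than the aging time (300 seconds by default), static entries are entered manually, never age, and are limited to 255 per port, and the display filters return the same four columns as the MAC Addresses Table page. Class and function names and the sample addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_AGING_TIME = 300     # seconds (5 minutes), the guide's default
MAX_STATIC_PER_PORT = 255    # static addresses per port, from the guide
DEFAULT_VLAN_ID = 1          # VLAN ID range is 1 to 4094


@dataclass
class MacEntry:
    mac: str
    port: int
    vlan_id: int
    static: bool
    last_seen: float  # time traffic was last seen to or from the address (dynamic entries only)


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return lower-case colon form."""
    lowered = mac.lower()
    digits = "".join(c for c in lowered if c in "0123456789abcdef")
    if len(digits) != 12 or any(c not in "0123456789abcdef:-." for c in lowered):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAddressTable:
    """Hypothetical model of the switch's MAC address table (not AT-S60 code)."""

    def __init__(self, aging_time: int = DEFAULT_AGING_TIME) -> None:
        if aging_time <= 0:
            raise ValueError("aging time must be positive")
        self.aging_time = aging_time
        self._entries: Dict[Tuple[str, int], MacEntry] = {}  # keyed by (mac, vlan_id)

    def learn(self, mac: str, port: int, vlan_id: int, now: float) -> MacEntry:
        """Dynamic learning from a received frame: refresh the timestamp, follow the address if it moves."""
        key = (normalize_mac(mac), vlan_id)
        entry = self._entries.get(key)
        if entry is not None and entry.static:
            return entry  # a static assignment is never overwritten by learning
        if entry is None:
            entry = self._entries[key] = MacEntry(key[0], port, vlan_id, False, now)
        else:
            entry.port, entry.last_seen = port, now
        return entry

    def add_static(self, mac: str, port: int, vlan_id: int = DEFAULT_VLAN_ID) -> MacEntry:
        """Manually assign an address to a port; enforces the VLAN ID range and the per-port limit."""
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1 to 4094")
        if sum(1 for e in self._entries.values() if e.static and e.port == port) >= MAX_STATIC_PER_PORT:
            raise RuntimeError(f"port {port} already holds {MAX_STATIC_PER_PORT} static addresses")
        key = (normalize_mac(mac), vlan_id)
        entry = self._entries[key] = MacEntry(key[0], port, vlan_id, True, 0.0)  # replaces a dynamic entry
        return entry

    def delete(self, mac: str, vlan_id: int = DEFAULT_VLAN_ID) -> bool:
        """Remove a static or dynamic entry; returns False if it was not present."""
        return self._entries.pop((normalize_mac(mac), vlan_id), None) is not None

    def age(self, now: float) -> List[MacEntry]:
        """Delete dynamic entries idle for longer than the aging time; static entries are never aged."""
        expired = [e for e in self._entries.values()
                   if not e.static and now - e.last_seen > self.aging_time]
        for e in expired:
            del self._entries[(e.mac, e.vlan_id)]
        return expired

    def display(self, static_only: bool = False,
                ports: Optional[Set[int]] = None) -> List[Tuple[int, str, int, str]]:
        """Rows of (VLAN ID, MAC ADDRESS, PORT, TYPE), the columns of the MAC Addresses Table page."""
        rows = []
        for e in sorted(self._entries.values(), key=lambda e: (e.vlan_id, e.mac)):
            if static_only and not e.static:
                continue
            if ports is not None and e.port not in ports:
                continue
            rows.append((e.vlan_id, e.mac, e.port, "static" if e.static else "dynamic"))
        return rows


def demo() -> MacAddressTable:
    """Constructed scenario: two learned addresses, one static, then an aging pass at t=401 s."""
    table = MacAddressTable()
    table.learn("00:11:22:33:44:55", port=3, vlan_id=1, now=0)
    table.learn("0011.2233.4466", port=4, vlan_id=1, now=100)
    table.add_static("00-11-22-33-44-77", port=5)
    table.learn("00:11:22:33:44:55", port=3, vlan_id=1, now=200)  # traffic refreshes the entry
    table.age(now=401)  # ...4466 idle 301 s > 300 s is removed; ...4455 (idle 201 s) stays
    return table
```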
Chapter 37
IGMP Snooping

This chapter describes how to configure the IGMP snooping feature on the switch. It contains the following procedures:

❑ Configuring IGMP Snooping on page 549
❑ Displaying a List of Host Nodes and Multicast Routers on page 552

Note
For background information on this feature, refer to IGMP Snooping Overview on page 324.
Configuring IGMP Snooping

To configure IGMP snooping from a web browser management session, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.

2. Select the IGMP tab. The Configuration IGMP tab is shown in Figure 207.

Figure 207 Configuration System Page, IGMP Tab

3. Adjust the IGMP parameters as necessary.
Select the Single-Host/Port (Edge) setting when there is only one host node connected to each port on the switch.
If the switch does not detect any queries from a multicast router during the specified time interval, it assumes that the router is no longer active on the port.

Maximum Multicast Groups
Specifies the maximum number of multicast groups the switch learns. The range is 1 to 256 groups. The default is 64 multicast groups. This parameter is useful in networks that contain a large number of multicast groups.
Displaying a List of Host Nodes and Multicast Routers

You can use the AT-S60 software to display a list of the multicast groups on a switch, as well as the host nodes. In addition, you can view the multicast routers. A multicast router receives multicast packets from a multicast application and transmits the packets to host nodes.

To view host nodes and multicast routers, perform the following procedure:

1. From the Home page, select Monitoring.
The View Multicast Hosts List page is shown in Figure 209.

Figure 209 View Multicast Hosts List Page

This page displays the following information:

Multicast Group
The multicast address of the group.

VLAN ID
The VID of the VLAN in which the port is an untagged member.

Member Port
The port(s) on the switch to which one or more host nodes of the multicast group are connected.

Host IP
The IP address(es) of the host node(s) connected to the port.
The View Multicast Routers List page is shown in Figure 210.

Figure 210 View Multicast Routers List Page

The page displays the following information:

Port
The port on the switch where the multicast router is connected.

VLAN ID
The VID of the VLAN in which the port is an untagged member.

Router IP
The IP address of the port on the router.
Chapter 38
TACACS+ and RADIUS Protocols

This chapter contains instructions on how to configure the authentication protocols. It contains the following procedures:

❑ Enabling TACACS+ or RADIUS on page 556
❑ Configuring TACACS+ on page 558
❑ Configuring RADIUS on page 560
❑ Displaying the TACACS+ Settings on page 562
❑ Displaying the RADIUS Settings on page 564

Note
For background information on the authentication protocols, refer to TACACS+ and RADIUS Overview on page 396.
Enabling TACACS+ or RADIUS

To configure the authentication protocols, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.

2. Select the Server-based Authentication tab. The Server-based Authentication tab is shown in Figure 212.

Figure 212 Configuration System Page, Server-based Authentication Tab

3.
4. To select an authentication protocol, click either TACACS+ or RADIUS in the Authentication Method section of the tab. The default is TACACS+.

Note
Only one authentication protocol can be active on the switch at a time.

5. Click Apply.

6. To save your changes, return to the General tab and click Save Changes. The changes you made are saved on the switch.
Configuring TACACS+

To configure TACACS+, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.

2. Select the Server-based Authentication tab. The Server-based Authentication tab is displayed as shown in Figure 212 on page 556.

3. Click the check circle next to TACACS+ Configuration and click Configure.
Global Server Timeout
This parameter specifies the maximum amount of time the switch waits for a response from a TACACS+ server before assuming the server cannot respond. If the timeout expires and the server has not responded, the switch queries the next TACACS+ server in the list. If there are no more servers, the switch defaults to the standard Manager and Operator accounts. The default is 30 seconds. The range is from 1 to 30 seconds.
Configuring RADIUS

To configure RADIUS, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System page is displayed with the General tab selected by default, as shown in Figure 155 on page 434.

2. Select the Server-based Authentication tab. The Server-based Authentication tab is displayed as shown in Figure 212 on page 556.

3. Click the check circle next to RADIUS Configuration and click Configure.
Global Server Timeout
This parameter specifies the maximum amount of time the switch waits for a response from a TACACS+ server before assuming the server cannot respond. If the timeout expires and the server has not responded, the switch queries the next TACACS+ server in the list. If there are no more servers, then the switch defaults to the standard Manager and Operator accounts. The default is 30 seconds. The range is from 1 to 30 seconds.
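The failover rule stated for Global Server Timeout, here and in the TACACS+ section above, is modelled below as an added example that is not part of this guide or of the AT-S60 software: each configured server is queried in order with the global timeout, and only when every server has failed to answer are the standard Manager and Operator accounts consulted, which is why those local passwords remain the effective control whenever the servers are unreachable. The server interface, account names and server responses are constructed; the Operator password used is the factory default listed in Appendix A.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MIN_TIMEOUT, MAX_TIMEOUT, DEFAULT_TIMEOUT = 1, 30, 30  # seconds: the Global Server Timeout range and default

# Outcome of one server query: "accept", "reject", or "timeout" (no answer within the global timeout).
ServerQuery = Callable[[str, str, int], str]


@dataclass
class AuthServer:
    name: str
    query: ServerQuery  # stands in for the TACACS+/RADIUS exchange; constructed, not a real client


@dataclass
class AuthResult:
    decision: str             # "accept" or "reject"
    source: str               # server that answered, or "local" for the Manager/Operator fallback
    servers_tried: List[str] = field(default_factory=list)


class LocalAccounts:
    """Stand-in for the switch's standard Manager and Operator accounts (hypothetical).

    Holds salted PBKDF2 hashes only, so the fallback path never keeps plaintext passwords around."""

    _ROUNDS = 50_000

    def __init__(self, credentials: Dict[str, str]) -> None:
        self._store: Dict[str, tuple] = {}
        for user, password in credentials.items():
            salt = os.urandom(8)
            self._store[user] = (salt, self._hash(password, salt))

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls._ROUNDS)

    def check(self, user: str, password: str) -> bool:
        # Unknown user: do the same hashing work against a dummy record, then fail (passwords are case-sensitive).
        salt, digest = self._store.get(user, (b"\0" * 8, b"\0" * 32))
        return hmac.compare_digest(digest, self._hash(password, salt)) and user in self._store


def authenticate(user: str, password: str, servers: List[AuthServer],
                 local: LocalAccounts, timeout: int = DEFAULT_TIMEOUT) -> AuthResult:
    """Try each configured server in order; fall back to the local accounts only when all of them time out."""
    if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
        raise ValueError(f"timeout must be {MIN_TIMEOUT} to {MAX_TIMEOUT} seconds")
    tried: List[str] = []
    for server in servers:
        tried.append(server.name)
        outcome = server.query(user, password, timeout)
        if outcome == "timeout":
            continue  # server assumed unable to respond: query the next one in the list
        if outcome not in ("accept", "reject"):
            raise ValueError(f"unexpected outcome {outcome!r} from {server.name}")
        return AuthResult(outcome, server.name, tried)  # an explicit answer, even a reject, is final
    # Every server timed out (or none is configured): the standard Manager and Operator accounts decide.
    return AuthResult("accept" if local.check(user, password) else "reject", "local", tried)


# Constructed server behaviours for the demonstration.
def _unreachable(user: str, password: str, timeout: int) -> str:
    return "timeout"


def _reference_server(user: str, password: str, timeout: int) -> str:
    return "accept" if (user, password) == ("alice", "constructed-pw") else "reject"


def demo(scenario: str) -> AuthResult:
    """Scenarios: 'primary_up', 'primary_down', 'all_down', 'rejected'. All credentials are constructed."""
    local = LocalAccounts({"manager": "constructed-manager-pw", "operator": "operator"})
    primary = AuthServer("tacacs-1", _reference_server)
    backup = AuthServer("tacacs-2", _reference_server)
    dead = AuthServer("tacacs-1", _unreachable)
    if scenario == "primary_up":
        return authenticate("alice", "constructed-pw", [primary, backup], local)
    if scenario == "primary_down":
        return authenticate("alice", "constructed-pw", [dead, backup], local)
    if scenario == "all_down":
        return authenticate("operator", "operator", [dead, AuthServer("tacacs-2", _unreachable)], local)
    if scenario == "rejected":
        return authenticate("operator", "operator", [primary, backup], local)  # local accounts not consulted
    raise ValueError(f"unknown scenario {scenario!r}")
```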
Displaying the TACACS+ Settings

To display the TACACS+ settings, perform the following procedure:

1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.

2. Select the Server-based Authentication tab. The Server-based Authentication tab is shown in Figure 215.

Figure 215 Monitoring System Page, Server-based Authentication Tab

3.
The TACACS+ Client Configuration page is shown in Figure 216.

Figure 216 TACACS+ Client Configuration Page

5. Click Cancel to close the page.
Displaying the RADIUS Settings

To display the RADIUS settings, perform the following procedure:

1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.

2. Select the Server-based Authentication tab. The Server-based Authentication tab is shown in Figure 215 on page 562.

3. Click View. The RADIUS Client Configuration page is shown in Figure 217.
Chapter 39
802.1x Port-Based Network Access Control

This chapter describes how to configure and display port access information. It contains the following procedures:

❑ Configuring Port Access on page 566
❑ Displaying 802.1x Port Access Information on page 573

Note
For background information on this feature, refer to Port-Based Access Network Control Overview on page 405.
Configuring Port Access

To configure 802.1x port access from a web browser management session, perform the following procedure:

1. On the Home page, select Configuration. The Configuration System page is displayed with the General tab shown by default.

2. Select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab shown by default.

3. Select the 802.1x Port Access tab. The Configuration 802.
4. In the Configure Port Access Parameters section, adjust the following parameters as necessary:

Enable Port Access - Click to check and enable port access.

Authentication Method - RADIUS EAP is the only selection.

5. After setting the parameters, click Apply. Your changes are activated on the switch. To save your changes, return to the General tab and click Save Changes. The changes you made are saved on the switch.

6.
Configuring an Authenticator Port

To configure an authenticator port, perform the following procedure:

1. On the Home page, select Configuration. The Configuration System page is displayed with the General tab shown by default.

2. Select the Layer 1 option. The Layer 1 page is shown with the Port Settings tab shown by default.

3. Select the 802.1x Port Access tab. The Configuration 802.1x Port Access tab is displayed as shown in Figure 218 on page 566.
5. Configure the following parameters:

Port Control
Choose from the following values:

❑ Auto: Enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes.
Reauth Period
Enables periodic re-authentication of the client, which is disabled by default. The default value is 3,600 seconds. The range is from 1 to 65,535 seconds.

Server Timeout
This is the timer used by the switch to determine authentication server timeout conditions. The default value is 30 seconds. The range is from 1 to 65,535 seconds.

6. Click Apply to save the settings and close the page.
The Supplicant Parameters page is displayed, as shown in Figure 221.

Figure 221 Supplicant Parameters Page

5. Configure the following parameters:

Auth Period - This is the initialization time used by the authentication timer. The value is in seconds. The default is 30 seconds. The range is 1 to 300 seconds.
User Password - Enter a password to access the supplicant port. There is no default value. This is an alphanumeric value of up to 40 characters.

6. Click Apply to save the settings and close the page. If you click Close, the page is closed but the settings are not saved.
Displaying 802.1x Port Access Information

To view 802.1x port access information, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System page is displayed with the General tab shown by default.

2. Select the Layer 1 option. The Layer 1 page is displayed with the Port Settings tab shown by default.

3. Select the 802.1x Port Access tab. The 802.1x Port Access tab is displayed as shown in Figure 222.
A port status page is displayed, as shown in Figure 223.

Figure 223 Port Access Port Status Page

5. To review the port access settings, select a port or ports and click Settings. For authenticator port(s), the Authenticator Port Parameters page is displayed, as shown in Figure 224.
For a description of the parameters displayed on this page, refer to Configuring an Authenticator Port on page 568.

For supplicant port(s), the Supplicant Port Parameters page is displayed, as shown in Figure 225.

Figure 225 Supplicant Port Parameters Page

For a description of the parameters displayed on this page, refer to Configuring a Supplicant Port on page 570.
Chapter 40
Web Server Security

This chapter about web server security contains the following procedures:

❑ Displaying the Encryption Keys on page 577
❑ Displaying the PKI Settings on page 579
❑ Displaying the SSL Settings on page 583

Note
For background information on encryption, refer to Encryption Overview on page 341. For background information on PKI, refer to Public Key Infrastructure Overview on page 358. For information about SSL, refer to Secure Sockets Layer Overview on page 381.
Displaying the Encryption Keys

To display the encryption keys, perform the following procedure:

Note
You cannot set up the encryption keys from a web browser management session. To set the encryption keys, use a local or Telnet management session. For more information, see Configuring Keys for Encryption on page 347.

1. From the Home page, select Monitoring.
The following information is displayed:

Key ID
The identification number for the key.

Algorithm
The encryption algorithm for the key. The only option is RSA.

Length
The length of the key in bytes.

Digest
CRC value of the MD5 digest of the key data.

Description
The name or description of the key.

4. To view the latest list of keys, click Refresh.
Displaying the PKI Settings

To display the PKI settings, perform the following procedure:

Note
You cannot set up PKI from a web browser management session. To set up PKI, use a local or Telnet management session. For more information, see Chapter 21, Public Key Infrastructure (PKI) on page 357.

1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.

2.
The PKI tab is shown in Figure 227.

Figure 227 Monitoring Security Page, PKI Tab

The following information is displayed:

Name
The name of the PKI certificate.

State
Shows whether or not the certificate is automatically trusted.

MTrust
Indicates whether you have manually verified that the certificate is from a trusted authority or from an untrusted authority.

Type
The certificate type: CA, EE, or Self.

Source
Indicates whether the certificate was created on the switch.
5. To view detailed information about the certificate, select the certificate and then click View. The Certificate page is shown in Figure 228.

Figure 228 Certificate Page

The following fields are displayed:

Name - Lists the name of the certificate.

State - Indicates whether the certificate is Trusted or Untrusted.

Manually Trusted - Indicates whether you have manually verified that the certificate is from a trusted authority or from an untrusted authority.
Subject - Lists the Subject Distinguished Name.

Issuer - Lists the Distinguished Name of the issuer of the certificate.

MD5 Fingerprint - The MD5 digest of the certificate. This value is a 16-byte sequence unique to each certificate.

SHA1 Fingerprint - The Secure Hash Algorithm digest of the certificate. This value is a 20-byte sequence unique to each certificate.
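As an added example that is not part of this guide or of the AT-S60 software, the code below reproduces the two fingerprints the Certificate page displays (MD5 over the DER-encoded certificate, 16 bytes; SHA1, 20 bytes) and compares a value read from the page with one obtained out of band from the issuer, which is the check behind marking a certificate as Manually Trusted. The DER bytes are a constructed placeholder rather than a real certificate, and the accepted separator formats are an assumption.

```python
import hashlib
import hmac
import re
from typing import Dict

# Digest lengths the Certificate page reports: 16 bytes for MD5, 20 bytes for SHA1.
FINGERPRINT_LENGTHS = {"md5": 16, "sha1": 20}
_SEPARATORS = re.compile(r"[:\s-]")


def fingerprints(der: bytes) -> Dict[str, str]:
    """MD5 and SHA1 fingerprints of a DER-encoded certificate as colon-separated lower-case hex."""
    result = {}
    for algo, length in FINGERPRINT_LENGTHS.items():
        digest = hashlib.new(algo, der).digest()
        if len(digest) != length:  # sanity check against the documented sizes
            raise RuntimeError(f"{algo} digest is {len(digest)} bytes, expected {length}")
        result[algo] = ":".join(f"{b:02x}" for b in digest)
    return result


def parse_fingerprint(text: str, algo: str) -> bytes:
    """Turn a fingerprint as displayed, or as pasted from a CA's notice, into raw bytes.

    Accepts 'ab:cd', 'AB CD', 'ab-cd' or bare hex; rejects other characters and the wrong length
    for the named algorithm, so an MD5 value cannot be compared against a SHA1 value by mistake."""
    if algo not in FINGERPRINT_LENGTHS:
        raise ValueError(f"unknown fingerprint algorithm {algo!r}")
    if not re.fullmatch(r"[0-9a-fA-F:\s-]+", text):
        raise ValueError("fingerprint contains characters other than hex digits and separators")
    raw = bytes.fromhex(_SEPARATORS.sub("", text))
    if len(raw) != FINGERPRINT_LENGTHS[algo]:
        raise ValueError(f"{algo} fingerprint must be {FINGERPRINT_LENGTHS[algo]} bytes, got {len(raw)}")
    return raw


def fingerprint_matches(displayed: str, reference: str, algo: str) -> bool:
    """Constant-time comparison of the value shown on the switch with the reference obtained out of band."""
    return hmac.compare_digest(parse_fingerprint(displayed, algo), parse_fingerprint(reference, algo))


def verify_before_trusting(der: bytes, reference: str, algo: str = "sha1") -> bool:
    """Recompute the fingerprint from the certificate bytes and compare it with the reference.

    Defaults to SHA1: MD5 collisions for X.509 certificates have been demonstrated, so the MD5
    fingerprint should not be the sole basis for marking a certificate as manually trusted."""
    return fingerprint_matches(fingerprints(der)[algo], reference, algo)


# Constructed placeholder standing in for DER certificate bytes (not a real certificate).
SAMPLE_DER = bytes.fromhex("308201") + b"constructed placeholder certificate body" * 3
```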
Displaying the SSL Settings

To view the SSL settings, perform the following procedure:

Note
You cannot set up SSL from a web browser management session. To set up SSL, use a local or Telnet management session. For more information, see Configuring SSL on page 384.

1. From the Home page, select Monitoring. The Monitoring System page is displayed with the General tab selected by default, as shown in Figure 157 on page 442.

2. Select the Layer 2 option.
The following information is displayed:

Maximum Number of Sessions
The maximum number of SSL sessions allowed in the cache. The cache is used to speed up the SSL connections by removing previous sessions if possible.

Session Cache Timeout
The maximum time that a session is retained in the cache.
Appendix A
AT-S60 Default Settings

This appendix lists the AT-S60 factory default settings.
Basic Switch Default Settings

This section lists the default settings for basic switch parameters.
Management Interface Setting          Default
Operator Password                     operator (case-sensitive)
Console Disconnect Timer Interval     10 minutes
Negotiation                           Auto (see Note)
STP State                             Forwarding
Security Mode                         Automatic

Note
For the AT-8412/SC FX and AT-8412/MT FX line cards, the default setting for Negotiation is Manual. For all the other line cards, the default setting for Negotiation is Auto.
Switch Administration Default Settings

The following table describes the switch administration default settings.

Administration Setting     Default
IP Address                 0.0.0.0
Subnet Mask                0.0.0.0
Gateway Address            0.0.0.0
System Name                None
Administrator              None
Comments                   None
BOOTP/DHCP                 Disabled
Console Baud Rate          9600 bps
MAC Address Aging Time     300 seconds

System Software Default Settings

The following table lists the system software default settings.
Enhanced Stacking Default Setting

The following table lists the Enhanced Stacking default setting.
IGMP Snooping Default Settings

The following table lists the IGMP Snooping default settings.
PKI Default Settings

The following table lists the PKI default settings, including the generate enrollment request settings.
Port Configuration Default Settings

The following table lists the port configuration default settings.
Port Security Default Settings

The following table lists the port security default settings.
Server-Based Authentication Default Settings

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-Based Authentication Default Settings

The following table describes the server-based authentication default settings.

RADIUS Default Settings

TACACS+ Client Default Settings
SNMP Default Settings

The following table describes the SNMP default settings.
SSH Default Settings

The following table lists the SSH and the SSH server default settings.
SSL Default Settings

The following table lists the SSL default settings.
STP, RSTP, and MSTP Default Settings

This section provides the STP switch, STP, RSTP, and MSTP default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

STP Switch Setting          Default
Spanning Tree Status        Disabled
Active Protocol Version     RSTP

STP Default Settings

The following table describes the STP default settings.
RSTP Default Settings

The following table describes the RSTP default settings.

RSTP Setting          Default
Force Version         RSTP
Bridge Priority       32768
Bridge Hello Time     2
Bridge Forwarding     15
Bridge Max Age        20
Edge Port             Yes
Point-to-Point        Auto Detect
(Port) Cost           Automatic Update
(Port) Priority       128

MSTP Default Settings

The following table describes the MSTP default settings.
MSTP Setting      Default
Internal Cost     Auto Update
Port Priority     128
VLAN and GARP Default Settings

This section provides VLAN, GARP, and GVRP default settings.

VLAN Default Settings

The following table lists the VLAN default settings.

VLAN Setting           Default
Default VLAN Name      Default_VLAN (all ports)
Management VLAN ID     1 (Default_VLAN)
VLAN Mode              User Configured
Uplink Port            None

GARP and GVRP Default Settings

The following table lists the GARP and GVRP default settings.
Web Server Default Settings

The following table lists the Web Server default settings.
802.1x Port-Based Network Access Control Default Settings

The following table describes the 802.1x Port Access Control default settings.

802.
Index

802.
Boot Protocol (BootP)
  activating 50, 441
  defined 50
bootloader version number 60
BOOTP/DHCP parameter 45, 436, 588
BPDU.
D
data authentication, described 345
data bits parameter 36
data compression parameter 394
Data Encryption Standard (DES), described 342
data encryption, described 342
daylight savings time (DST) parameter 55, 439, 587
default configuration file parameter 144, 586
default gateway parameter 45, 435
default values, AT-S60 585
default VLAN name parameter 243, 601
DER certificate format 379
DES. See Data Encryption Standard (DES)
DHCP. See Dynamic Host Control Protocol (DHCP)
digital certificates.
  displaying
    GVRP state machine 304
    parameters 297, 535
    statistics 297
  enabling on a port 294
  GIP connected ports ring 303
  guidelines 286
  GVRP counters 298
  GVRP state machine, displaying 304
  intermediate switches 287
  overview 284
  parameters, displaying 297, 535
  port configuration, displaying 535
  port configuration, modifying 534
  resetting to defaults 533
  security issues 287
  statistics, displaying 297
GARP.
K
key exchange algorithms 346
key pair ID parameter 379, 591
L
Limited security level 102, 479
line cards, displaying
  information 47
  statistics 49
link parameter 90, 473
local management session
  defined 26
  quitting 38
  starting 35
Lock All Ports security level 480
Locked security level 103
login timeout parameter 392, 596
M
MAC (message authentication code) definition 382
MAC address aging time parameter 318, 436, 547, 588
MAC address table
  defined 308
  displaying 310, 541
MAC addresses
  adding 314, 544
  define
MSTI ID
  creating 511
  deleting 512
  modifying 512
MSTI IDs
  associating to VLANs 235
  creating 232
  deleting 232
  list 231
  modifying 233
  removing a VLAN association 235
  port priority 231
  removing a VLAN association 513
Multiple Spanning Tree Protocol (MSTP)
  associating VLANs to MSTI IDs 233, 513
  associations 216
  bridge forwarding delay 229, 509
  bridge hello time 228, 509
  bridge identifier 230
  bridge max age 229, 509
  bridge settings, configuring 227, 507
  configuration name
  modifying 371
  validating 361
PKI.
port trunking
  defined 110
  diagram 110
  guidelines 111
port VLAN identifier (PVID), defined 244
port-based access control. See 802.
  configuration overview 389
  encryption algorithms 386
  encryption keys 387
  overview 386
  server
    configuring 390
    described 387
    displaying information 393
  users
    adding 387
    deleting 387
    modifying 387
Secure Sockets Layer (SSL)
  certificates
    authenticating 383
    described 383
  certificates, configuring 337
  configuring 384
  data transfer 382
  displaying 583
  encryption 381
  message types 382
  overview 381
  session 382
  user verification 382
Secured security level 103, 479
security mode parameter 106, 479, 593
security.
SSL. See Secure Sockets Layer (SSL)
starting session
  local 35
  Telnet 39
  web browser 429
static unicast MAC address
  adding 314, 544
  defined 309
  deleting 316, 546
  displaying 310, 541
status (of a port) parameter 90
status (port) parameter 592
status (web server) parameter 336, 602
stop bits parameter 36
STP ID parameter 303
STP state parameter 91, 587
STP.
used parameter 302
user name, default 37, 40
UTC offset parameter 55, 439, 587
V
versions supported (SSH) parameter 393
virtual LAN (VLAN)
  creating 260, 265, 521
  defined 241
  deleting 270, 526
  displaying 257, 282, 527
  mode, changing 271, 529
  modifying 266, 524
  multiple
    802.1Q-compliant 276
    defined 275
  non-802.
X
X.509 certificate 360
  specification 359