AT-S60 Management Software User’s Guide
AT-8400 SERIES SWITCH VERSION 2.1.
Copyright © 2005 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft is a registered trademark of Microsoft Corporation, Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesyn, Inc.
Preface

This guide contains instructions on how to configure an AT-8400 Series Switch using the AT-S60 management software. The Preface contains the following sections:

❑ How This Guide is Organized
❑ Document Conventions
❑ Where to Find Web-based Guides
❑ Contacting Allied Telesyn

Note
Within this manual, the AT-8400 Series Switch is often abbreviated as switch.
How This Guide is Organized

This manual is divided into the following six sections:

❑ Section I: Basic Features
❑ Section II: Advanced Features
❑ Section III: SNMPv3 Protocol
❑ Section IV: VLANs
❑ Section VI: Security Features
❑ Section VII: Web Browser Management

See the description of each section below.

Overview

The Overview chapter reviews the different ways that you can access the AT-S60 management software on a switch. In addition, it describes how to specify ports.
Section V: Security Features

The chapters in this section describe how to configure the authentication and advanced security features. The authentication features, 802.1x Port Based Access Control as well as TACACS+ and RADIUS protocols appear in both the AT-S60 version 2.0.0 NE and 2.0.0 software. The Encryption Services, Public Key Infrastructure (PKI), Secure Socket Layer (SSL), and Secure Shell (SSH) features only appear in the AT-S60 version 2.0.0 software.
Document Conventions

This document uses the following conventions:

Warning
Warnings inform you that performing or omitting a specific action may result in bodily injury.

Caution
Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) from our web site at www.alliedtelesyn.com. You can view the documents on-line or download them onto a local workstation or server.
Contacting Allied Telesyn

This section provides Allied Telesyn contact information for technical support as well as sales and corporate information.

Online Support

You can request technical support online by accessing the Allied Telesyn Knowledge Base: http://kb.alliedtelesyn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Chapter 1
AT-S60 Overview

This chapter describes the AT-S60 software functions, the types of sessions you can use to access the software, and the management access levels.
Overview

The AT-S60 management software is intended for the AT-8400 Series switch. The software is used to monitor and adjust a switch’s operating parameters.
The following sections in this chapter briefly describe each type of management session. In addition, the following sections are provided:

❑ Management Access Levels
❑ Specifying Ports
❑ Specifying Time and Date

Local Management Session

To establish a local management session with an AT-8400 switch, connect a terminal (or a PC) with a terminal emulator program to the RS-232 Terminal port on the switch.
Telnet Management Session

Any management workstation on your network that has the Telnet application protocol can be used to manage an AT-8400 switch. In this guide, this type of management session is referred to as a remote management session because you do not have to be in the same wiring closet as the switch you are managing. Instead, you can manage the switch from any workstation on the network that has the application protocol.
Web Browser Management Session

You can also use a web browser to manage a switch. Using a web browser management session is also referred to as remote management, just like a Telnet management session. You can manage a switch from any workstation on your network that has a web browser.

Note
For instructions on starting this type of management session, refer to Starting a Web Browser Management Session on page 579.
SNMP Management Session

Another way to remotely manage the switch is with an SNMP management program. AT-S60 software supports the SNMPv1, SNMPv2c, and SNMPv3 protocols. You need to be very familiar with Management Information Base (MIB) objects to configure SNMP management.
Management Access Levels

There are two levels of management access on an AT-8400 switch: Manager and Operator. When you log in as a Manager, you can view and configure all of a switch’s operating parameters. When you log in as an Operator, you can only view the operating parameters. As an Operator, you cannot change any values.

To log in, you enter a login id of Manager or Operator and the appropriate password when you start an AT-S60 management session.
Specifying Ports

Many of the commands and parameters in this manual involve specifying the port(s) on the switch. Port numbers are specified in the following format:

slot.port

Slot is the number of the slot in the switch that contains the line card. There are twelve line card slots in the AT-8400 chassis. Port is the port number on the line card. For example, to indicate port 4 on the line card in Slot 8, enter:

8.4

In many commands, you can specify a list of ports.
Specifying Time and Date

The Simple Network Time Protocol (SNTP) feature places the time and date on the local and telnet interfaces. The time and date appear in the upper right hand corner of the menu. See Figure 1.

Allied Telesyn AT-8400 Series - ATS60 V2.1.
Section I
Basic Features

The chapters in Section I explain how to manage an AT-8400 switch from a local or Telnet management session. It includes the following chapters.
Chapter 2
Starting a Local or Telnet Management Session

This chapter contains the procedure for starting a local or Telnet management session on an AT-8400 Series switch.
Local Management Session

To establish a local management session using the AT-S60 management software, connect an RS-232 straight-through cable to the RS-232 terminal port on the AT-8400 chassis. Connect the other end of the cable to a terminal or a PC with a terminal emulator program.

A local management session is so named because you must be physically close to the switch, usually within a few meters, to start this type of management session.
Starting a Local Management Session

To start a local management session, perform the following procedure:

1. Connect one end of a straight-through RS-232 cable with a DB-9 connector to the RS-232 terminal port. See Figure 2.

Figure 2 Connecting a Terminal or PC to the RS-232 Terminal Port

2.
When prompted for the user name and password, enter one of the following options.

❑ For Manager access, type manager as the login id. The default password is “friend.” Then press Return.
❑ For Operator access, type operator as the login id. The default password is “operator.” Then press Return.

Note
The user names cannot be changed. The passwords are case sensitive.
Please note the following:

❑ The Command Line Interface selection in the Main Menu is not described in this manual. For instructions on this option, refer to the AT-S60 Management Software Command Line Interface User’s Guide (PN 613-50401-00).
❑ If a pound sign (#) or dollar sign ($) is displayed instead of the Main Menu, the local interface has been configured for a command line prompt when a management session is started.
Telnet Management Session

You can use the Telnet application protocol from a workstation on your network to manage an AT-8400 switch. This type of management is referred to as remote management because you can be physically far from the switch when you start the session. (In contrast to a local management session, which requires that you connect a terminal directly to the switch.
Starting a Telnet Management Session

To start a Telnet management interface, specify the IP address of the Master switch of the stack in the Telnet application protocol.

When prompted for the user name and password, enter one of the following options.

❑ For Manager access, type manager as the user name. The default password is “friend.”
❑ For Operator access, type operator as the user name. The default password is “operator.
Chapter 3
Basic Switch Parameters

This chapter contains a variety of information about basic switch parameters and procedures for using them with a local or Telnet management session.
Assigning an IP Address to a Switch

When building or expanding your network, you need to decide which managed switches need a unique IP address. The rule used to be that a managed switch needed an IP address if you wanted to manage it remotely, such as with the Telnet application protocol. However, if a network contained a lot of managed switches, assigning each one an IP address was often cumbersome and time consuming.
How Do You Assign an IP Address?

Once you have decided which, if any, switches on your network need an IP address, you have to access the AT-S60 software on the switches and assign the address or addresses. There are actually two ways in which you can assign a switch an IP address.

The first method is to assign the IP configuration information manually. This method is explained in the next procedure, Configuring an IP Address and Switch Name on page 48.
Configuring an IP Address and Switch Name

The procedure in this section explains how to manually assign an IP address, subnet mask, and gateway address to the switch using a local or Telnet management session. Initially, it must be done from the local management interface. (If you want the switch to obtain its IP configuration from a DHCP or BOOTP server on your network, go to the procedure Activating the BootP and DHCP Services on page 57.
2. Change the parameters as desired. The parameters in the Administrative Menu are described below:

1 - IP Address
This parameter specifies the IP address of the switch. You must specify an IP address if you intend to remotely manage the switch using a web browser, a Telnet utility, or an SNMP management program, or if you want a switch to function as the Master switch of an enhanced stack.

2 - Subnet Mask
This parameter specifies the subnet mask for the switch.
9 - Set Console Baud Rate
This selection allows you to set the baud rate of the serial port on the AT-8401 management card. The range is 2400 to 115,200 bps. This menu selection is only available from a local management session. The default is 9600 bps.

B - Reboot the switch
This selection allows you to reboot the switch without affecting the saved configuration on the switch.
Displaying and Clearing Line Card Information

This section describes how to display line cards installed in an AT-8400 switch. The following procedures are provided:

❑ Displaying Line Card Information
❑ Displaying Line Card Statistics
❑ Clearing Line Card Statistics

Displaying Line Card Information

Use this procedure to display the line cards and the AT-8401 management card installed in your AT-8400 chassis.
The Display Line Card Menu is shown in Figure 6.

Allied Telesyn AT-8400 Series - AT-S60 V2.1.0
Engineering Switch 14
User: Manager 00:14:33 15-Jan-2004

Display Line Card

1 - Display Line Card Information
2 - Display Line Card Statistics
3 - Clear Line Card Statistics

R - Return to Previous Menu

Enter your selection?

Figure 6 Display Line Card Menu

3. From the Display Line Card Menu, type 1 to select Display Line Card Information.
Displaying Line Card Statistics

To display the current line card statistics, perform the following procedure:

1. From the Main Menu, type 5 to select System Menu. The System Menu is displayed in Figure 5 on page 51.

2. From the System Menu, type 3 to select Display Line Card. The Line Card Menu is displayed in Figure 6 on page 52.

3. From the Line Card Menu, type 2 to select Display Line Card Statistics. The following prompt appears:

Enter line card-list:

4.
Clearing Line Card Statistics

To clear the current line card statistics, perform the following procedure:

1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51.

2. From the System Menu, type 3 to select Display Line Card. The Display Line Card Menu is shown in Figure 6 on page 52.

3. Type 3 to select Clear Line Card Statistics. The following prompt is displayed:

Enter Line card-list:

4.
Displaying and Clearing System Information

This section describes how to display and clear the system information for an AT-8400 switch. See the following procedures:

❑ Displaying System Information
❑ Clearing System Statistics

Displaying System Information

To display the system information, perform the following procedure.

1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51.

2.
The Display System Statistics Menu is shown in Figure 10.

Allied Telesyn AT-8400 Series - AT-S60 V2.1.0
Engineering Switch 14
User: Manager 00:14:33 15-Jan-2004

Display System Statistics

Bytes Received.............41631
Frames Received............499
Broadcast Frames Received..351
Multicast Frames Received..136
Total Bytes Received.......41631
Total Frames Received......499
Frames 64 Bytes............324
Frames 64-127 Bytes........161
Frames 128-255 Bytes.......
Activating the BootP and DHCP Services

The BootP and DHCP application protocols were developed to simplify network management. They are used to automatically assign IP configuration information—such as an IP address, subnet mask, and a default gateway address—to the devices on your network. An AT-8400 switch supports these protocols and can obtain its IP configuration information from a BootP or DHCP server on your network.
Note
If you activate BOOTP/DHCP, the switch immediately begins to query the network for a BOOTP or DHCP server. The switch continues to query the network for its IP configuration until it receives a response.

4. After making changes, type R to return to the Main Menu. Then type S to select Save Configuration Changes.
Setting the System Time

To set system time on the switch, configure the Simple Network Time Protocol (SNTP). This feature allows you to synchronize computer clocks on the Internet by specifying the difference between local time and Universal Coordinated Time (UTC). You can either set the system time manually every time you boot the switch or you can set the system time with an SNTP server. SNTP is a reduced version of the Network Time Protocol (NTP).
The Configure System Software Menu is displayed in Figure 12.

Allied Telesyn AT-8400 Series - AT-S60 V2.1.0
Engineering Switch 142
User: Manager 00:14:33 15-Jan-2004

Configure System Software

1 - Switch Mode ...........................
2 - Console Disconnect Timer Interval .....
3 - MAC address aging time ................
4 - Console Startup Mode ..................
5 - Telnet Server .........................
5. Type 1 - System Time to manually set the time and date for the switch. To set system time with an SNTP server, go to step 8. The following prompt is displayed:

Enter new system time [hh:mm:ss] ->

6. Enter a new time for the system. To specify time for the switch, use a 24-hour clock (or military time). Use the following format: hours, minutes, and seconds. Separate each unit of time with a colon. For example, enter 17:20:00 for 5:20 PM.
11. Enter an IP address of your SNTP or NTP server. Use the standard IP format:

xxx.xxx.xxx.xxx

12. Type 4 - UTC Offset to specify a difference between the UTC and local time.

Note
If you have enabled DHCP, the switch automatically attempts to determine this value. In this case, you do not need to configure a value for the UTC Offset parameter.

The following prompt is displayed:

Enter UTC Offset [-12 to 12] -> 0

13. Enter a UTC Offset time. The default is 0 hours.
Rebooting a Switch

To reset a switch while preserving the switch configuration, perform the following procedure:

1. From the Main Menu, type 4 to select Administration Menu.

2. From the Administration Menu, type B to select Reboot the switch. The following prompt is displayed:

The switch is about to reboot. Do you want to proceed? [Yes/No] ->

3. Type Y to reset the switch or N to cancel this procedure. If you type Y, the following is displayed:

Rebooting the Switch... .
Configuring the AT-S60 Software Security Features

The AT-S60 software has several security features that can help prevent unauthorized individuals from changing the parameter settings of an AT-8400 switch. The security features are:

❑ Manager and Operator Passwords - The management software has two standard, management login accounts: Manager and Operator.
Configuring the Management Passwords

There are two levels of management access on an AT-8400 switch: Manager and Operator. When you log in as a Manager, you can view and configure all of a switch’s operating parameters. When you log in as an Operator, you can only view the operating parameters. As an Operator, you cannot change any values.
Note
You must assign different values to each password.

Configuring Management Access

This procedure configures the console timer. It also enables and disables Telnet access and SNMP access. To configure management access, perform the following procedure:

1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51.

2. From the System Menu, type 1 - Configure System. The Configure System Menu is shown in Figure 11 on page 59.

3.
8. To configure SNMPv1 and SNMPv2 access, type 8 to select Configure SNMP. The Configure SNMP Menu is displayed in Figure 22 on page 87. See Chapter 5, SNMPv1 and SNMPv2c Configuration on page 84 for details about how to configure SNMPv1 and SNMPv2.

If you disable SNMP access, no one can manage the switch remotely using an SNMP management program.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
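A pre-deployment review of the settings this section covers (Manager and Operator passwords, Telnet access, SNMP access), as an added example that is not part of the AT-S60 guide or software. The inventory field names and the sample records are hypothetical and constructed; the default passwords and the rule that the two passwords must differ are the ones this guide states.

```python
# Added example: review proposed AT-S60 management settings before they are
# entered through the menus. Record field names are hypothetical.

# Factory defaults stated in this guide. Login names are fixed and the
# passwords are case sensitive.
DEFAULT_PASSWORDS = {"manager": "friend", "operator": "operator"}
GUESSABLE = {"friend", "operator", "manager"}  # defaults and login names, lowercased


def check_passwords(manager_pw, operator_pw):
    """Return findings for a proposed Manager/Operator password pair."""
    findings = []
    for account, pw in (("manager", manager_pw), ("operator", operator_pw)):
        if not pw:
            findings.append(f"{account}: password is empty")
        elif pw == DEFAULT_PASSWORDS[account]:
            findings.append(f"{account}: factory default password")
        elif pw.lower() in GUESSABLE:
            # Case sensitivity makes "Friend" a different password, not a safe one.
            findings.append(f"{account}: derived from a default password or login name")
    if manager_pw and manager_pw == operator_pw:
        # The guide requires different values for the two passwords.
        findings.append("manager and operator passwords must differ")
    return findings


def check_access(settings):
    """Return findings for the Telnet and SNMP access switches."""
    findings = []
    telnet = settings.get("telnet_server")
    if telnet is None:
        findings.append("telnet: state not recorded")
    elif telnet:
        # General protocol fact: Telnet does not encrypt the session.
        findings.append("telnet: enabled; logins cross the network unencrypted")
    if settings.get("snmp_access"):
        legacy = sorted(set(settings.get("snmp_versions", [])) & {"v1", "v2c"})
        if legacy:
            # General protocol fact: v1/v2c community strings are not encrypted.
            findings.append("snmp: " + "/".join(legacy)
                            + " enabled; community strings are sent in cleartext")
    return findings


def review_inventory(inventory):
    """Map each switch name to its findings; clean switches are omitted."""
    report = {}
    for name, record in inventory.items():
        findings = check_passwords(record["manager_pw"], record["operator_pw"])
        findings += check_access(record)
        if findings:
            report[name] = findings
    return report


# Constructed sample records (not taken from any real switch).
SAMPLE_INVENTORY = {
    "closet-a": {"manager_pw": "friend", "operator_pw": "operator",
                 "telnet_server": True, "snmp_access": True,
                 "snmp_versions": ["v1", "v2c"]},
    "closet-b": {"manager_pw": "Friend", "operator_pw": "Friend",
                 "telnet_server": False, "snmp_access": True,
                 "snmp_versions": ["v3"]},
    "core-1": {"manager_pw": "c7#Lantern-Quay", "operator_pw": "view-Only_41b",
               "telnet_server": False, "snmp_access": False,
               "snmp_versions": []},
}

if __name__ == "__main__":
    for switch, items in review_inventory(SAMPLE_INVENTORY).items():
        print(switch)
        for item in items:
            print("  -", item)
```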
Displaying the AT-S60 Hardware and Software Information

The procedures in this section display the following switch information:

❑ System hardware information
❑ System Software information
❑ Fan status
❑ AT-S60 version number
❑ Bootloader version number
❑ MAC address

Displaying System Hardware Information

To display the system power and fan information, do the following:

1. From the Main Menu, type 5 to select the System Menu.
4. To display fan information, select 4 - Display System Fan A Information or select 5 - Display System Fan B Information. The Display System Fan A Information Menu is shown in Figure 16 on page 69. The Display System Fan A Information Menu is identical to the Display System Fan B Information Menu.

You cannot change the information displayed in selections 1 through 6 in the Display System Fan A Information Menu. These fields are for display purposes only.
You cannot change the information displayed in selections 1 through 6 in the Display System Software Information Menu. These fields are for display purposes only.

Allied Telesyn AT-8400 Series - AT-S60 V2.1.0
Engineering Switch 142
User: Manager 00:14:33 15-Jun-2004

Display System Software Information

1 - Application Software Version ...
2 - Application Software Build Date.
3 - Bootloader Version .............
4 - Bootloader Build Date ..........
5 - MAC Address ...........
Pinging a Remote System

You can instruct the switch to ping a remote device on your network. This procedure is useful in determining whether a valid link exists between the switch and another device. To ping a network device, perform the following procedure:

1. From the Main Menu, type 4 to select Administration Menu. The Administration Menu is shown in Figure 4 on page 48.

2. From the Administration Menu, type P to select Ping a Remote System.
Returning the AT-S60 Software to the Factory Default Values

The procedure in this section returns all AT-S60 software parameters to their default values. This procedure also deletes any VLANs that you have created on the switch.

Note
The AT-S60 software default values can be found in Appendix A, AT-S60 Default Settings on page 820.

To return the AT-S60 management software to its default settings, perform the following procedure:

1.
7. Type Y to reboot the switch. The operating parameters are returned to their default values and the switch is reset. The following message is displayed:

Rebooting the switch, please wait... . . . Init Done!

8. Press any key to log in.

Caution
The switch does not forward traffic during the brief period required to reload its operating software. Some data traffic may be lost.
Configuring the Console Startup Mode

You can configure the AT-S60 software to display either the Main Menu or the command line interface prompt (#) when you start a local or Telnet management session. The default is the Main Menu. To change the console startup mode, perform the following procedure:

1. From the Main Menu, type 5 to select the System Menu. The System Menu is shown in Figure 5 on page 51.
2. From the System Menu, type 1 to select Configure System.
Chapter 4 Enhanced Stacking This chapter explains the enhanced stacking feature and provides procedures for using this feature with a local or Telnet management session.
Chapter 4: Enhanced Stacking Enhanced Stacking Overview The enhanced stacking feature can make it easier for you to manage an AT-8400 switch and any other ATI switches in your network that feature enhanced stacking. It offers the following benefits: ❑ From one local or remote management session, you can manage up to 24 switches. This eliminates having to initiate a separate management session for each switch in your network.
AT-S60 Management Software User’s Guide There are three basic steps to implementing this feature on your network: 1. Select a switch in your network to function as the master switch of the stack. You can select an AT-8400 switch, or any other ATI switch that is capable of enhanced stacking, to act as the master switch of an enhanced stack. For networks that consist of more than one subnet, you must assign at least one master switch in each subnet.
This is explained in the procedure Setting a Switch’s Enhanced Stacking Status on page 79.

Example

For an example of the enhanced stacking feature, see Figure 18. This example shows a mixture of AT-8400 and AT-8000 Series switches. With this configuration, starting a local or remote management session on either AT-8400 Series master switch provides management access to the AT-8000 Series switches as well.

Master 1 IP Address 149.32.11.22 Master 2 IP Address 149.32.11.
AT-S60 Management Software User’s Guide Setting a Switch’s Enhanced Stacking Status The enhanced stacking status of the switch can be master switch, slave switch, or unavailable. Each status is described below: ❑ Master switch - A master switch of a stack can be used to manage all the other switches in a subnet. You can assign the master status to either an AT-8400, or any other ATI switch that features enhanced stacking, which can then be used to manage a mixture of AT-8400 and AT-8000 Series switches.
Configuring Enhanced Stacking

To adjust a switch’s enhanced stacking status, perform the following procedure:

1. From the Main Menu, type 8 to select Enhanced Stacking. The Enhanced Stacking menu is shown in Figure 19.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2004

Enhanced Stacking

1 - Switch State-(M)aster/(S)lave/(U)navailable....
AT-S60 Management Software User’s Guide Selecting a Switch in an Enhanced Stack Before performing a procedure on a switch, check that you are accessing the correct switch. If you assigned system names to your switches, this is a simple check. The name of the switch you are currently managing is displayed at the top of every management menu. For example, in Figure 20, the name of the switch is Sales Switch 591.
Chapter 4: Enhanced Stacking 3. Type 1 to select Get/Refresh List of Switches. The Master switch polls the network for all slave and Master switches in the subnet and displays a list of the switches in the Stacking Services menu. The updated Stacking Services menu is shown in Figure 21. Allied Telesyn AT-8400 Series - ATS60 V2.1.
6. Enter a username. The usernames are “manager” to view and change the switch settings and “operator” to just view the settings. Press Return. A password prompt is displayed.
7. Enter the switch’s password and press Return. The default password for Manager access on an AT-8400 switch is “friend.” The default password for Operator access is “operator.” The passwords are case-sensitive. The Main Menu of the selected switch is displayed. You now can manage the switch.
Chapter 5 SNMPv1 and SNMPv2c Configuration This chapter provides a description of the AT-S60 implementation of the SNMPv1 and SNMPv2c protocols. In addition, it provides procedures that allow you to create, modify, and display SNMPv1 and SNMPv2c communities.
SNMP Overview

The SNMPv1 and SNMPv2c protocols allow you to create groups, called communities, and define IP addresses for SNMP managers. In addition, you can configure IP addresses for sending SNMP messages called traps. Using the SNMPv1 and SNMPv2c protocols, you can authenticate messages based on a password, called a community name, and manager IP addresses. Messages sent using the SNMPv1 and SNMPv2c protocols are plain text messages.
Configuring the SNMPv1 and SNMPv2c Protocols

This section describes how to configure the SNMPv1 and SNMPv2c protocols. In this section, these protocols are configured together. You can configure the SNMPv1 and SNMPv2c protocols independently using the SNMPv3 Tables. (See Configuring the SNMPv3 Community Table on page 381.
To enable SNMPv1 and SNMPv2 as well as authentication trap messages, perform the following procedure.

1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51.
2. From the System Menu, type 1 to select Configure System. The Configure System menu is shown in Figure 11 on page 59.
3. From the Configure System menu, type 1 to select Configure System Software. The Configure System Software menu is shown in Figure 12 on page 60.
4.
When this parameter is enabled, the switch sends authentication failure traps under two conditions:

- The SNMP management station attempts to access the switch using an incorrect or invalid community name.
- The IP address of this SNMP management station is not configured as an SNMP manager within the community.

Toggle between Enabled and Disabled by pressing 2 again.

Caution
You must configure a trap receiver IP address in order for trap messages to be sent.
The Configure SNMPv1 and SNMPv2c Community menu is shown in Figure 23.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2004

Configure SNMPv1 & SNMPv2c Community

Community Name  Access Mode  Status   OpenAcc  Manager IP Address  Trap Receiver IP
====================================================================================
ati777          Read|Write   Enabled  No       147.35.18.87        1.1.1.1
atipublic750    Read Only    Enabled  Yes      147.35.18.
9. Enter an open access status for the SNMP community. Choose one of the following options:

Y - Enter Y to permit access to the SNMP community by any management station.
N - Enter N to permit access to the SNMP community by a management station configured within this community.

The following prompt is displayed:

Enter SNMP Manager IP Addr:

10. Enter an IP address of an SNMP management station to permit it to access the switch.
AT-S60 Management Software User’s Guide Deleting an SNMPv1 and SNMPv2 Community To delete an SNMPv1 and SNMPv2c community, perform the following procedure. 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51. 2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 11 on page 59. 3. From the Configure System Menu, type 1 to select Configure System Software.
Chapter 5: SNMPv1 and SNMPv2c Configuration Modifying SNMPv1 and SNMPv2 Community Attributes For each SNMPv1 and SNMPv2c community, you can modify several attributes.
The Modify SNMPv1 and SNMPv2c Community Menu is shown in Figure 24.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Engineering Switch 142
User: Manager    00:14:33 15-Jan-2004

Modify SNMPv1 & SNMPv2c Community

Community Name Access Mode Status OpenAcc Manager IP Addr Trap Receiver IP
====================================================================================
142alliedtelesyn Read|Write Enabled No 147.35.18.85 1.1.1.1 2.2.2.2 2.2.2.
Chapter 5: SNMPv1 and SNMPv2c Configuration 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Deleting Attributes from a Community To delete an IP address from either the list of Manager IP addresses or the list of Trap Receiver IP addresses, perform the following procedure: 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51. 2. From the System Menu, type 1 to select Configure System.
9. Enter an IP address that you want to delete. Or, to skip this prompt, press Return. Delete an IP address to deny an SNMP manager access to the switch. Use the following format for an IP address:

XXX.XXX.XXX.XXX

The following prompt is displayed.

Do you want to delete this SNMP Manager? (Y/N): [Yes/No]->

10. Choose from the following options:

Y - Select Y to delete the IP address of this SNMP manager.
N - Select N to retain the IP address of the SNMP manager.
Chapter 5: SNMPv1 and SNMPv2c Configuration The Configure System Software Menu is shown in Figure 12 on page 60. 4. From the Configure System Software Menu, type 8 to select Configure SNMP. The Configure SNMP Menu is shown in Figure 22 on page 87. 5. To configure SNMP parameters, type 3 to select Configure SNMPv1 & SNMPv2c Community. The Configure SNMP Community Menu is shown in Figure 23 on page 89. 6. To modify SNMPv1 & SNMPv2c Community attributes, type 3 to select Modify SNMP Community.
AT-S60 Management Software User’s Guide Changing the Community Status You may want to change the status of a community to temporarily disable a community. To change the community status from enabled to disabled, perform the following procedure: 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51. 2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 11 on page 59. 3.
Chapter 5: SNMPv1 and SNMPv2c Configuration D - Select D to disable the SNMP Community. The following prompt is displayed: Do you want to change Community Status? (Y/N): [Yes/No]-> 10. Choose one of the following selections: Y - Select Y to change the Community Status. N - Select N to retain the Community Status. 11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
AT-S60 Management Software User’s Guide 8. Enter a community name from the list at the top of the Modify SNMPv1 & SNMPv2c Community Menu. SNMP community names are case sensitive. The following prompt is displayed: Enter Open Access Status [Y-Yes, N-No]: 9. Enter the access status of this community. Choose one of the following options: Y - Select Y to allow access to this community by any management station.
Displaying an SNMPv1 and SNMPv2c Community

Use the following procedure to display the attributes of an SNMPv1 and SNMPv2c community.

1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51.
2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 11 on page 59.
3. From the Configure System Menu, type 1 to select Configure System Software.
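An added example (not part of the AT-S60 guide or software): a Python audit of a captured Configure SNMPv1 & SNMPv2c Community listing that flags enabled communities with open access or Read|Write mode, the settings this chapter describes. It assumes one whitespace-separated row per community and community names without spaces; the `ati777` row is taken from Figure 23, while the `example*` rows and the address 192.0.2.10 are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# Assumed row layout: name, access mode, status, open access flag, then zero
# or more IPv4 addresses (Manager IP and Trap Receiver IP columns).
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<mode>Read\|Write|Read Only)\s+"
    r"(?P<status>Enabled|Disabled)\s+(?P<open>Yes|No)"
    r"(?P<ips>(?:\s+\d{1,3}(?:\.\d{1,3}){3})*)$"
)


class Community(NamedTuple):
    name: str
    read_write: bool
    enabled: bool
    open_access: bool
    addresses: List[str]


# Constructed sample listing (only the ati777 row appears in the guide).
SAMPLE_MENU = """\
Community Name   Access Mode  Status    OpenAcc  Manager IP Address  Trap Receiver IP
======================================================================================
ati777           Read|Write   Enabled   No       147.35.18.87        1.1.1.1
examplepublic    Read Only    Enabled   Yes
examplewrite     Read|Write   Enabled   Yes      192.0.2.10
exampleold       Read|Write   Disabled  Yes
"""


def parse_table(text: str) -> List[Community]:
    """Return one Community per data row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # menu banner, column header, separator or blank line
        rows.append(Community(
            name=m.group("name"),
            read_write=(m.group("mode") == "Read|Write"),
            enabled=(m.group("status") == "Enabled"),
            open_access=(m.group("open") == "Yes"),
            addresses=m.group("ips").split(),
        ))
    return rows


def audit(communities: List[Community]) -> List[Tuple[str, str, str]]:
    """Return (community, severity, reason) for each enabled risky community."""
    findings = []
    for c in communities:
        if not c.enabled:
            continue  # a disabled community cannot be used by any manager
        if c.open_access and c.read_write:
            findings.append((c.name, "high",
                             "any management station may read and change settings"))
        elif c.open_access:
            findings.append((c.name, "medium",
                             "any management station may read settings"))
        elif c.read_write:
            findings.append((c.name, "review",
                             "write access; community name travels in plain text"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit(parse_table(SAMPLE_MENU)):
        print(f"{severity:7} {name:16} {reason}")
```

Rows the pattern does not recognise are skipped silently, so compare the parsed count with the number of communities shown on the switch before relying on the result.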
Chapter 6 Port Parameters

This chapter contains procedures for viewing and changing the parameter settings for the individual ports on a switch with a local or Telnet management session.
Chapter 6: Port Parameters Displaying Port Status This section provides a procedure to display the status of a port. To display port statistics, see Displaying Port Statistics on page 112. To display the status of the ports on the switch, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26. Allied Telesyn AT-8400 Series - AT-S60 V2.1.
AT-S60 Management Software User’s Guide The information in this menu is for viewing purposes only. The columns in the menu are described below: Port Indicates the port number in the following format: slot number. port number For more information, see Specifying Ports on page 34. Media Indicates the type of port. See the following: ❑ TP (for twisted pair) indicates one of the following: — An RJ-45 port on an AT-8411 line card.
Chapter 6: Port Parameters Disabled - Indicates the port has been manually disabled. The port is not able to send or receive Ethernet frames. Link The status of the link between the port and the end node connected to the port. Possible values are: Up - Indicates that a valid link exists between the port and the end node. Down - Indicates that the port and the end node have not established a valid link.
AT-S60 Management Software User’s Guide Enabled - Flow control occurs on both frames entering and leaving the port. Disabled - No flow control occurs on the port. STP The current operating status of the port. Possible values are: Forwarding - The port is sending and receiving Ethernet frames. This is the normal state for a switch port. Disabled - STP operations have been disabled on the port. Blocking - This is the standby mode. The port does not participate in frame relay.
Chapter 6: Port Parameters Configuring Port Parameters To configure the parameter settings for a port on the switch, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 1 to select Port Configuration. The following prompt is displayed: Enter port-list: 3. Enter the number of the port you want to configure and press Return. See Specifying Ports on page 34.
AT-S60 Management Software User’s Guide 4. Adjust the port parameters as desired. You adjust a parameter by typing its number. This toggles the parameter through its possible settings. The parameters are described below. 0 - Port Name This parameter appears only if you are configuring a single port. You can use this selection to assign a name to a port. The name can be up to fifteen alphanumeric characters. Spaces are allowed. 1 - Status You use this selection to change the administrative status of a port.
Chapter 6: Port Parameters High Priority - Indicates high priority has been assigned to the port. All ingress tagged and untagged frames received on the port are forwarded to the egress port’s high priority queue. 4 - HOL Blocking You use this selection to prevent a frame from being forwarded to a blocking or blocked port. For example, a blocking or blocked port can be one that is receiving too many frames. Press 4 to toggle between the following settings: Enabled - Indicates HOL blocking is turned on.
AT-S60 Management Software User’s Guide Disabled - Indicates that no flow control occurs on the port. Enabled - Indicates that flow control occurs on the port. 7 - Negotiation You use this selection to configure a port for Auto-Negotiation or to manually set a port’s speed and duplex mode. Press 7 to toggle between the following settings: ❑ Auto - Select Auto (for Auto-Negotiation) to set both speed and duplex mode for the port automatically.
Table 1 Line Card Port-Speed Settings

Line Card                 Port Speed
AT-8413 GB/T copper port  10/100/1000 Mbps
AT-8413 GB/T fiber port   1000 Mbps
AT-8414/ST, AT-8414/SC    10 Mbps

9 - Duplex: Use this selection to configure the duplex mode of the port. See Table 2 for duplex settings for each line card. Choose from the following selections:

❑ Full - Indicates full-duplex mode.
❑ Half - Indicates half-duplex mode.
AT-S60 Management Software User’s Guide Note MDI/X applies only to copper ports, not fiber ports. B - Media Selection Use this parameter to select the media type on an AT-8413 line card. This parameter is only available when the Negotiation parameter is set to manual. Choose from the following settings: ❑ Type GBIC (for GBIC port) to indicate only the GBIC port is available for connectivity. ❑ Type TP (for twisted pair) to indicate only the twisted pair port is available for connectivity.
Chapter 6: Port Parameters Displaying Port Statistics To display Ethernet port statistics, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 3 to select Port Statistics. The Port Statistics menu is shown in Figure 29. Allied Telesyn AT-8400 Series - AT-S60 V2.1.
The Display Port Statistics Menu is shown in Figure 30.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2004

Display Port Statistics

Port 6.1
Bytes Received ...............
Frames Received ..............
Broadcast Frames Received.....
Multicast Frames Received ....
Total Bytes Received .........
Total Frames Received ........
Frames 64 Bytes ..............
Frames 65-127 Bytes ..........
Frames 128-255 Bytes........
Chapter 6: Port Parameters Total Bytes Received Number of bytes received by the port. Jabber Number of occurrences of corrupted data or useless signals appearing on the port. Total Frames Received Number of frames received by the port. CRC Error Number of frames with a cyclic redundancy check (CRC) error but with the proper length (64-1518 bytes) received on the port.
Chapter 7 MAC Address Table This chapter provides an overview of MAC addresses. In addition, it describes the procedures for viewing the static and dynamic MAC address table using a local or Telnet management session.
Chapter 7: MAC Address Table MAC Address Overview Every hardware device that you connect to your network has a unique MAC address associated with it. A MAC address is assigned to a device by the device’s manufacturer. For example, every network interface card that you use to connect your computers to your network has a MAC address assigned to it by the adapter’s manufacturer. The AT-8400 Series switch has a MAC address table.
AT-S60 Management Software User’s Guide The type of MAC address described above is referred to as a dynamic MAC address. Dynamic MAC addresses are addresses that the switch learns by examining the source MAC addresses of the frames received on the ports. Dynamic MAC addresses are not stored indefinitely in the MAC address table. The switch deletes a dynamic MAC address from the table if it does not receive any frames from the node over a specified period of time.
Displaying MAC Addresses

The management software has menu selections for displaying all or parts of the MAC address table of the AT-8400 Series switch. To display the MAC address table, perform the following procedure:

1. From the Main Menu, type 7 to select MAC Address Tables. The MAC Address Tables Menu is shown in Figure 31.

Allied Telesyn AT-8400 Series - ATS60 V2.1.
3. Select the desired option. Each option is described below:

1 - Display All MAC Addresses
This option displays the Display All MAC Addresses menu. This menu lists all the switch’s dynamic and static addresses, including multicast addresses. An example of the menu is shown in Figure 33.

Allied Telesyn AT-8400 Series - ATS60 V2.1.
Chapter 7: MAC Address Table 2 - Display All static MAC Addresses This option displays only the static MAC addresses. The columns in the menu are the same as those in the Display All MAC Addresses Menu. For definitions of the columns, refer to Table 3 on page 119. 3 - Display MAC addresses by Port You can use this option to view the MAC addresses that have been learned on a particular port. When you select this option, the following prompt is displayed: Enter port-list: Enter the ports.
AT-S60 Management Software User’s Guide 6 - Display Multicast MAC Addresses This selection displays the multicast MAC addresses. For definitions of the columns, refer to Table 3 on page 119.
Chapter 7: MAC Address Table Adding Static Unicast and Multicast MAC Addresses This section contains the procedure for adding static addresses to the switch. A MAC address added to the table with this procedure remains permanently in the table, even when the source end node is inactive. You can assign up to 255 static MAC addresses per port on the AT-8400 Series switch. Note When you add a static multicast address you must assign the address to all ports on the switch that belong to the multicast group.
AT-S60 Management Software User’s Guide The following prompt is displayed: Please enter MAC address -> 4. Enter the static MAC address in the following format: XXXXXX XXXXXX Once you have specified the MAC address, the following prompt is displayed: Enter port-list: 5. Enter the number of the port on the switch where you want the address assigned. The management software adds the address to the MAC address table. 6.
Chapter 7: MAC Address Table Deleting MAC Addresses This section contains the procedure for deleting static and dynamic unicast and multicast MAC addresses from the MAC address table and for purging the table of all dynamic addresses. To delete MAC addresses from the table, perform the following procedure: 1. From the Main Menu, type 7 to select MAC Address Tables. The MAC Address Tables menu is shown in Figure 31 on page 118. 2. From the MAC Address Tables menu, type 1 to select Configure MAC Addresses.
AT-S60 Management Software User’s Guide b. Type Y for yes to delete the dynamic MAC addresses or N for no to cancel the procedure. If you type Y for yes, all dynamic MAC addresses are deleted from the MAC address table. The switch immediately begins to relearn the addresses and to add them to the table.
Chapter 7: MAC Address Table Changing the Aging Time The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of addresses of nodes that are no longer active. The default setting for the aging time is 300 seconds (5 minutes).
Chapter 8 Port Trunking This chapter describes port trunking and contains the procedures for creating, deleting, and modifying port trunks with a local or Telnet management session.
Port Trunking Overview

Port trunking is an economical way for you to increase the bandwidth between two Ethernet switches. For the AT-8400 Series switch, a port trunk can consist of up to eight ports that have been grouped together to function as one logical path. A port trunk increases the bandwidth between switches and is useful in situations where a single physical data link between switches is insufficient to handle the traffic load.
The example in Figure 36 illustrates a 10/100 port trunk with 8 data links between two AT-8400 switches.

Figure 36 Port Trunk Example with 10/100 Mbps Ports

In addition, you can create a port trunk between an AT-8400 switch and other switches that support trunking.

Port Trunking Guidelines

When creating a port trunk, you need to follow a set of guidelines.
Chapter 8: Port Trunking ❑ For 10/100 port trunks, such as those on an AT-8411 TX line card, all ports included in the trunk must reside on the same line card. See Figure 36 on page 129 for an illustration of a 10/100 Mbps port trunk. ❑ For 1,000 Mbps port trunks, such as those on an AT-8413 line card, all ports included in the trunk must reside on different line cards. Generally, there is one 1,000 Mbps port per line card as with the AT-8413 line card.
AT-S60 Management Software User’s Guide Before Creating Port Trunks As mentioned in the above guidelines for creating port trunks, you need to ensure the settings on your ports are identical before adding them to a port trunk. To display your current port settings, see Displaying Port Status on page 102. Then, to update the port configuration so all of the ports in the trunk have the same configuration, see Configuring Port Parameters on page 106.
Chapter 8: Port Trunking Creating a Port Trunk This section contains the procedure for creating a port trunk on the switch. You must configure all the ports in your port trunk with the same settings. For more details, review the guidelines in Port Trunking Overview on page 128 before performing the procedure. Caution Connect the cables to the trunk ports on the switches after you have configured the trunk with the management software.
AT-S60 Management Software User’s Guide 3. Type 1 to select Create Trunk. The following prompt is displayed. Enter Trunk Name: -> 4. Enter an alphanumeric name that identifies the trunk, such as universitytrunk7. Press Return. You can select a name with a maximum of 16 alphanumeric characters. In addition, the trunk name must contain one alphabetic character. Trunk names must be unique. You cannot enter a port name for this parameter.
Chapter 8: Port Trunking Deleting a Port Trunk Use this procedure to delete an existing port trunk, including the trunk ID, name, and ports associated with the port trunk. Caution Before performing the following procedure, disconnect the cables from the port trunk on the switch. Deleting a port trunk with the cables attached can create loops in your network topology. Data loops can result in broadcast storms and poor network performance.
AT-S60 Management Software User’s Guide Modifying a Port Trunk Use this procedure to modify an existing port trunk. See the Port Trunking Guidelines on page 129 for information specific to 10/100 Mbps and 1000 Mbps port trunks.
The Modify Trunk menu is shown in Figure 38. Notice the two current port trunks, called highschool and elementary, included in this figure.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager    00:14:33 15-Jan-2004

Modify Trunk

ID  Name        Type      Ports
-----------------------------------------------------------
1   highschool  10/100MB  4.1-4
2   elementary  10/100MB  4.
Changing the Name of the Port Trunk

Use this procedure to change the name of a port trunk. To change the name of a port trunk, perform the following procedure:

1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102.
2. From the Port Menu, type 4 to select Port Trunking. The Trunk Configuration menu is shown in Figure 37 on page 132.
3. Type 3 to modify a trunk. The Modify Trunk menu is shown in Figure 38 on page 136.
4.
Chapter 8: Port Trunking 2. From the Port Menu, type 4 to select Port Trunking. The Trunk Configuration menu is shown in Figure 37 on page 132. 3. Type 3 to modify a trunk. The Modify Trunk menu is shown in Figure 38 on page 136. 4. Select 2 - Add ports to Trunk to add ports to an existing trunk. The following prompt appears: Enter Trunk ID: [1 to 22] -> 1 5. Enter the trunk ID number of the trunk you want to modify and press Return. A list of the current trunk IDs appears in the Modify Trunk menu.
AT-S60 Management Software User’s Guide Deleting Ports from a Port Trunk Use this procedure to delete ports from an existing port trunk. If you want to delete all the ports from an existing port trunk and replace them with a new set of ports, see Replacing Ports in a Trunk on page 140 and Clearing Ports in a Port Trunk on page 141. To delete a port from a port trunk, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2.
Chapter 8: Port Trunking Replacing Ports in a Trunk Use this procedure to overwrite, or replace, the current ports in a port trunk with a new list of ports. To add ports to an existing port trunk while retaining the current ports, see Adding Ports to an Existing Port Trunk on page 137. To overwrite the current ports in a port trunk with a new list of ports, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2.
AT-S60 Management Software User’s Guide Clearing Ports in a Port Trunk Use this procedure to clear, or delete, all of the current ports in a port trunk while leaving the port trunk ID, name, and type. To delete individual ports, see Deleting Ports from a Port Trunk on page 139. To clear or delete all the ports on a port trunk, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2.
Chapter 9 Port Mirroring This chapter describes port mirroring and provides the procedures for creating and deleting a port mirror using a local or Telnet management session.
Port Mirroring Overview

The port mirroring feature allows you to monitor the traffic on one or more ports by copying the traffic to another port, which is called the destination mirror port. Using port mirroring, you can connect a network analyzer to the mirror port to monitor traffic both received on and transmitted from one or more ports (which are called source mirror ports).
Chapter 9: Port Mirroring Creating a Port Mirror Use the following procedure to create a port mirror. For information about how to specify a port, see Specifying Ports on page 34. To create a port mirror, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 5 to select Port Mirroring. The Port Mirroring menu is shown in Figure 39. Allied Telesyn AT-8400 Series - ATS60 V2.1.
Note
You cannot assign a range of ports on the same line card as source mirror ports.

The source mirror port (or ports) is displayed at the top of the screen.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes. Your changes are saved. The port mirror is now functional.
Chapter 9: Port Mirroring Modifying a Source Port Mirror Use the following procedure to add, delete, set (overwrite), or clear a source port mirror. For information about how to specify a port, see Specifying Ports on page 34. To modify a source port mirror, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 5 to select Port Mirroring. The Port Mirroring menu is shown in Figure 39 on page 144. 3.
The following prompt appears:

Enter Source Port(s) [port-list]:

6. Enter the source mirror port(s) or port list and press Return.

Note
You cannot assign a range of ports as source mirror ports.

The display at the top of the Port Mirroring menu is updated.

7. To delete a source port mirror, enter 2. The following prompt appears:

Enter Destination Port:

8. Enter the destination port from the list at the top of the screen and press Return.
Chapter 9: Port Mirroring Deleting a Destination Port Mirror To delete a destination port mirror and its source mirror port(s), perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 5 to select Port Mirroring. The Port Mirroring menu is shown in Figure 39 on page 144. 3. Type 3 to select Delete Mirror. The following prompt is displayed. Enter Destination Port: 4.
AT-S60 Management Software User’s Guide Enabling a Destination Port Mirror Use this procedure if you have previously disabled a destination port mirror (see Disabling a Destination Port Mirror on page 150) and you want to make it active again. To enable a destination port mirror, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 5 to select Port Mirroring.
Chapter 9: Port Mirroring Disabling a Destination Port Mirror Use this procedure to prevent traffic from the source mirror port from being mirrored to the destination port. You may want to use this procedure to temporarily stop mirroring the source traffic while reserving the destination port for mirroring. To disable a port mirror, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2.
Section II Advanced Features The chapters in Section II explain how to manage the advanced features on an AT-8400 switch from a local or Telnet management session.
Chapter 10 File System Configuration The chapter describes the file system operations you can perform on configuration and system files.
AT-S60 Management Software User’s Guide File System Configuration Overview The File System Menus allow you to choose the active system configuration file, create a system configuration file, and perform basic file operations on system files. You may want to create a configuration file to perform a routine task or to ensure all your AT-8400 switches have an identical configuration. There are two ways of obtaining new configuration files.
File Naming Conventions

The file subsystem provides a flat file system, which means directories are not supported. Files are uniquely identified by a file name in the following format:

filename.ext

where:

❑ filename is a descriptive name for the file, and may be one to sixteen characters in length. Valid characters are lowercase letters (a–z), uppercase letters (A–Z), digits (0–9), and the following characters: ~ ’ @ # $ % ^ & ( ) _ - { }.
Using Wildcards to Specify Groups of Files

You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions:

*.cfg
*.key
28*.
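A pre-transfer check for the naming and wildcard rules above, written as an added example (it is not code from the guide or from Allied Telesyn). The function names, the case-sensitive matching, and the choice to accept the ASCII apostrophe alongside the quote character as printed are assumptions; the extension is checked only for presence.

```python
import re
import string

MAX_NAME_LEN = 16
# Punctuation the guide lists as valid in the "filename" part. The page prints
# the quote as ’; also accepting the ASCII apostrophe is an assumption.
ALLOWED = set(string.ascii_letters + string.digits + "~’'@#$%^&()_-{}")


def check_name(name):
    """Return a list of problems with a switch file name (empty = acceptable)."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        return ["no '.ext' part"]
    problems = []
    if not ext:
        problems.append("empty extension")
    if not 1 <= len(base) <= MAX_NAME_LEN:
        problems.append(
            "filename part must be 1-%d characters, got %d" % (MAX_NAME_LEN, len(base))
        )
    # A second dot, a space or a path separator all land here, because the
    # file system is flat and none of them is in the allowed set.
    bad = sorted({c for c in base if c not in ALLOWED})
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    return problems


def wildcard_to_regex(pattern):
    """Compile a wildcard expression in which only * is special.

    File names may legally contain $ ^ ( ) { }, which are regex
    metacharacters, so every literal part is escaped before joining.
    """
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.DOTALL)


def select(pattern, names):
    """Return the names matched by a wildcard expression, in input order."""
    rx = wildcard_to_regex(pattern)
    return [n for n in names if rx.fullmatch(n)]


# File names that appear in the guide's Display File(s) figure, plus one
# constructed name ("a(1)$.cfg") to exercise the punctuation rules.
FILES = [
    "default.cfg",
    "boot.cfg",
    "newcfg.cg",
    "serverkey150.key",
    "hostkey250.key",
    "a(1)$.cfg",
]

if __name__ == "__main__":
    for name in FILES + ["my file.cfg", "x" * 17 + ".cfg", "boot"]:
        print(name, "->", check_name(name) or "ok")
    for pattern in ("*.cfg", "*.key", "a(1)$*"):
        print(pattern, "->", select(pattern, FILES))
```

Selecting `*.key` before an upload makes it explicit which key files would leave the switch.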
Chapter 10: File System Configuration Setting, Creating, Editing, and Displaying System Configuration Files Use the procedures in this section to load a system configuration file onto the switch, create a system configuration file, and view the contents of system configuration files.
The File Menu is shown in Figure 41.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager                    00:14:33 15-Jan-2004

File Menu

1 - Boot Configuration File ............ boot.cfg (Exist)
2 - Current Configuration .............. boot.cfg
3 - Create Configuration File
4 - View Configuration File
5 - Display File(s)
6 - Copy File
7 - Rename File
8 - Delete File

R - Return to Previous Menu

Enter your selection?

Figure 41 File Menu

2.
Creating a System Configuration File

This procedure allows you to save your system configuration to a file on the switch. You may want to save a copy of your system configuration file so that you can download it onto another switch, or you may want to create a backup of your current configuration file. If the system configuration file does not reflect the current configuration on the system, the S - Save Configuration option appears on the Main Menu.
Editing a System Configuration File

You can edit a system configuration file on your workstation, using a text editor such as WordPad, and then upload it to one or more switches. A system configuration file contains a structured list of commands. Because the system configuration file defines so many switch operations, it is crucial to follow these guidelines when you edit the file:

❑ Follow the syntax of the CLI commands exactly.
Chapter 10: File System Configuration The View Configuration File Menu is shown in Figure 42. Allied Telesyn AT-8400 Series - ATS60 V2.1.0 High School Switch 142 User: Manager 00:14:33 15-Jan-2004 View Configuration File Menu Configuration File: mydefault.cfg ------------------------------------------------------------------# # Port Configuration # set set set set # switch switch switch switch port(s)=3.1 port(s)=3.2 port(s)=3.3 port(s)=3.
The second page of the View Configuration File Menu is shown in Figure 43.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager                    00:14:33 15-Jan-2004

View Configuration File Menu

Configuration File: boot.cfg
------------------------------------------------------------------
#
#Port Security Configuration
#
#
#VLAN Configuration
#
create vlan=v3 vid=3 vlantype=portbased taggedports=1.2-8 untaggedport=3.
Chapter 10: File System Configuration Copying and Renaming System Files Use this procedure to copy and rename system files that reside on the switch. You can copy and rename certificate, certificate request, configuration, image, and key files. To display a list of system file names, see Displaying System Files on page 165. To copy and rename system files, perform the following procedure: 1. From the Main Menu, type 9 to select File Menu. The File Menu is shown in Figure 41 on page 157. 2.
Deleting System Files

Use this procedure to delete a system file. You can delete any of the following file types:

❑ certificate files
❑ certificate enrollment request files
❑ configuration files
❑ image files
❑ key files

If you delete a configuration file that is set as the Boot Configuration file, then (Not Exist) appears next to the configuration file name on the File Menu. See Setting a System Configuration File on page 156.
2. From the File Menu, type 8 to select Delete file to delete a system file. The following prompt is displayed:

Enter File Name to be deleted:

3. Enter the name of the file you want to delete. The following message is displayed:

Deleting file...
AT-S60 Management Software User’s Guide Displaying System Files Use this procedure to display a list of current system files. You can use this procedure to display certificate, configuration, image, and key files. For information about shortcuts for specifying file names, see File Naming Conventions on page 154. To display a list of current system file names, perform the following procedure: 1. From the Main Menu, type 9 to select File Menu. The File Menu is shown in Figure 41 on page 157. 2.
The Display File(s) Menu is shown in Figure 44.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager                    00:14:33 15-Jan-2004

Display File(s) Menu

Filename    Size (bytes)    Created
------------------------------------------------------------------
default.cfg
boot.cfg
newcfg.cg
serverkey150.key
hostkey250.key
atikey350.
Chapter 11 File Downloads and Uploads This chapter contains procedures for downloading and uploading files to a switch, as well as information on obtaining AT-S60 software updates.
Chapter 11: File Downloads and Uploads Overview Downloading and uploading are useful system features that make switch management efficient. For example, you can upload a configuration file from a switch to your management station, make changes with a text editor, and then download it onto a different switch. This can be useful in network environments that contain a number of AT-8400 chassis on different subnets that need to be configured at the same, or nearly the same time.
AT-S60 Management Software User’s Guide contains the factory default settings. For more information, refer to Appendix A: AT-S60 Default Settings on page 820. For information about editing a system configuration file, see Editing a System Configuration File on page 159. Obtaining Management Software Updates on page 171 describes where to find management software updates. The Downloads & Uploads Menu is shown in Figure 45. Allied Telesyn AT-8400 Series - ATS60 V2.1.
Chapter 11: File Downloads and Uploads The final section, Downloading the AT-S60 Image Switch to Switch on page 201, contains the procedure for downloading the image file from one switch to another. This process is particularly useful if your network contains a large number of AT-8400 chassis. You can upgrade the software on one master switch and then instruct the master switch to upgrade the software on the other switches in the same subnet.
Obtaining Management Software Updates

New releases of management software for our managed products can be downloaded from either of the following Internet sites:

• the Allied Telesyn web site: http://www.alliedtelesyn.com
• the Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com

To use the FTP server, go to the above web site. Then log in to the FTP server by entering “anonymous” for the user name and your email address for the password.
Chapter 11: File Downloads and Uploads Downloading Files This section contains the procedures for downloading files onto a switch from a local or Telnet management session.
AT-S60 Management Software User’s Guide Downloading an Image File Using Xmodem or TFTP The following procedures describe how to download a .img file type (image file) only. To download a different file type, see Downloading a File Using Xmodem or TFTP on page 180. See Table 5 on page 168 for more information about file types. Caution The switch stops forwarding Ethernet traffic during the initialization of the AT-S60 software image.
Chapter 11: File Downloads and Uploads Note Menu options 2 and 4 in the menu are described in Uploading Files on page 187. Option 3 is described in Downloading a File Using Xmodem or TFTP on page 180. 4. Type 1 to download a new software image file onto the switch.
AT-S60 Management Software User’s Guide Downloading an Image File Using Xmodem To download an image file using Xmodem (this procedure shows how to use the Hilgraeve HyperTerminal program), perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 173. The following prompt is displayed: You are going to invoke the Xmodem download utility. Do you wish to continue? [Yes/No] 2. Type Y.
5. Click on the Protocol field and select as the transfer protocol either Xmodem or 1K Xmodem.

Note: The transfer protocol must be Xmodem or 1K Xmodem. The recommended transfer protocol is 1K Xmodem because it is much faster than the Xmodem protocol. For a faster download, set the console baud rate to 115200. Refer to Starting a Local Management Session on page 40 for information on setting the console baud rate.

6. Click Send.
The Downloads & Uploads Menu is displayed, as shown in Figure 46 on page 173.

8. If the new image file differs from the existing one, the following message is displayed:

For a local management session:

Switch is about to reboot. Do you want to proceed? [Yes/No]

For a Telnet management session:

Remote access will be lost. Do you want to continue? [Yes/No]

9. Type N if you do not want to activate the new image file.
Chapter 11: File Downloads and Uploads Downloading an Image File Using TFTP To download a file using TFTP, perform the following procedure: 1. To begin: a. If you are using a Telnet management session, the following prompt is already displayed from step 4 in the procedure that begins on page 173: Only TFTP downloads are available for a Telnet access. TFTP server IP address: b.
AT-S60 Management Software User’s Guide 5. If the new image file differs from the existing one, the following message is displayed: For the local management session: Switch is about to reboot. Do you want to proceed? [Yes/No] For the Telnet management session: Remote access will be lost. Do you want to continue? [Yes/No] 6. Type N if you do not want to activate the new image file. The Downloads & Uploads menu is displayed, as shown in Figure 46 on page 173. 7.
Chapter 11: File Downloads and Uploads Downloading a File Using Xmodem or TFTP The following procedures describe how to download certificate, certificate enrollment requests, configuration, and key files. See Table 5 on page 168 for a list of file types and their extensions. To download an image file, see Downloading an Image File Using Xmodem or TFTP on page 173. If you are downloading a configuration file, there are some precautions you need to take.
The Downloads & Uploads menu is shown in Figure 50.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager                    00:14:33 01-Jan-2004

Downloads & Uploads

1 - Download Application Image/BootLoader
2 - Upload Application Image/BootLoader
3 - Download a File
4 - Upload a File

R - Return to Previous Menu

Enter your selection?

Figure 50 Downloads & Uploads Menu

Note: Menu options 2 and 4 in the menu are described in Uploading Files on page 187.

4.
Downloading a File Using Xmodem

To download certificate, certificate enrollment requests, configuration, and key files using Xmodem, perform the following procedure:

1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 180. The following prompt is displayed:

Local file name:

2. Enter the local file name. This will be the name of the file after it is downloaded to the switch.
AT-S60 Management Software User’s Guide The Send File window is shown in Figure 52. Figure 52 Send File Window Note The transfer protocol must be Xmodem or 1K Xmodem. 5. In the Filename field, type the path and filename, or click the Browse button to locate and select the file to be downloaded onto the switch. 6. Click on the Protocol field and select as the transfer protocol either Xmodem or, for a faster download, 1K XModem.
Chapter 11: File Downloads and Uploads 7. Click Send. The file immediately begins to download onto the switch. The Xmodem File Send window in Figure 53 displays current status of the file download. Figure 53 XModem File Send Window When the download process is complete, a message is displayed that shows the file name and size.
AT-S60 Management Software User’s Guide Downloading a File Using TFTP To download a certificate, certificate enrollment requests, configuration, and key files using TFTP, perform the following procedure: 1. If you are using a Telnet management session, go to step 2. If you are using a local management session, type T at the prompt displayed in Step 4 in the procedure that begins on page 180. The following prompt is displayed: TFTP server IP address: 2. Enter the IP address of the TFTP server.
Chapter 11: File Downloads and Uploads Press any key. The Downloads & Uploads Menu is displayed, as shown in Figure 50 on page 181. If you specified an acceptable file name, the download begins. When the TFTP download is complete, the following message is displayed: File successfully sent! Press any key to continue... 5. Press any key. The Downloads & Uploads menu is displayed, as shown in Figure 50 on page 181.
AT-S60 Management Software User’s Guide Uploading Files This section contains procedures for uploading the following files to a management station or TFTP server using a local or Telnet management session.
Chapter 11: File Downloads and Uploads Uploading an Image File Using Xmodem or TFTP The following procedures describe how to upload an .img file type (image file) only. To upload other file types, see Uploading a File Using Xmodem or TFTP on page 194. See Table 5 on page 168 for a list of file types.
4. Type 2 to upload the AT-S60 software image from the switch.

If you are using a local management session, the following prompt is displayed:

Upload Method/Protocol [X-Xmodem, T-TFTP]:

If you are using a Telnet management session, the following prompt is displayed:

Only TFTP uploads are available for a Telnet access.
TFTP server IP address:

To upload an image file using Xmodem, refer to Uploading an Image File Using Xmodem, which follows.
Chapter 11: File Downloads and Uploads Uploading an Image File Using Xmodem To upload an image file using Xmodem (this procedure shows how to use the Hilgraeve HyperTerminal program), perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 187. The following prompt is displayed: You are going to invoke the Xmodem upload utility. Do you wish to continue? [Yes/No] 2. Type Y.
AT-S60 Management Software User’s Guide 5. Click on the Protocol field and select as the transfer protocol either Xmodem or 1K XModem. Note The transfer protocol must be Xmodem or 1K Xmodem. The recommended transfer protocol is 1K Xmodem because it is much faster than the Xmodem protocol. For a faster download, set the console baud rate to 115200. Refer to Starting a Local Management Session on page 40 for information on setting the console baud rate. 6. Click Receive.
Chapter 11: File Downloads and Uploads The file immediately begins to upload onto the system. The Xmodem File Receive window displays the current status of the file upload. The upload time depends upon the size of the file. When the upload is complete, the following message is displayed: Xmodem File Transfer Completed Press any key to continue... 8. Press any key. The Downloads & Uploads Menu is displayed, as shown in Figure 54 on page 188.
AT-S60 Management Software User’s Guide Uploading an Image File Using TFTP To upload an image file using TFTP, perform the following procedure: 1. If you are using a Telnet management session, go to step 2. If you are using a local management session, type T at the prompt displayed in Step 4 in the procedure that begins on page 187. The following prompt is displayed: TFTP Server IP address: 2. Enter the IP address of the TFTP server. The following prompt is displayed: Remote File Name: 3.
Chapter 11: File Downloads and Uploads Uploading a File Using Xmodem or TFTP The following procedures describe how to upload certificate, certificate enrollment requests, configuration, and key files. See Table 5 on page 168 for a list of file types and extensions. To upload an image file, see Uploading an Image File Using Xmodem or TFTP on page 188. To upload files, perform the following procedure: 1.
AT-S60 Management Software User’s Guide 4. Type 2 to upload the AT-S60 software image from the switch. If you are using a local management session, the following prompt is displayed: Upload Method/Protocol [X-Xmodem, T-TFTP]: If you are using a Telnet management session, the following prompt is displayed: Only TFTP uploads are available for a Telnet access. TFTP server IP address: To upload a file using Xmodem, refer to Uploading a File Using Xmodem, which follows.
Chapter 11: File Downloads and Uploads Uploading a File Using Xmodem To upload a file using Xmodem (this procedure shows how to use the Hilgraeve HyperTerminal program), perform the following procedure: 1. Type X at the prompt displayed in Step 4 in the procedure that begins on page 187. The following prompt is displayed: Local file name: 2. Enter a name for the file to be uploaded from the switch. Note The file name must already exist on the switch.
AT-S60 Management Software User’s Guide 4. In the HyperTerminal main window, select the Transfer menu. Then select Receive File from the pull-down menu, as shown in Figure 60. Figure 60 Transfer Menu The Receive File window in Figure 61 is shown. Figure 61 Receive File Window 5. In the Place received file in the following folder field, type the path to the destination folder, or click the Browse button to locate the destination folder. 6.
8. Enter a name for storing the uploaded file. This will be the name for the file on the management station after the upload process is complete.

The Xmodem File Receive window opens, as shown in Figure 63.

Figure 63 Xmodem File Receive Window

The file immediately begins to upload onto the system. The Xmodem File Receive window displays the current status of the file upload. The upload time depends upon the size of the file.
AT-S60 Management Software User’s Guide Uploading a File Using TFTP To upload a file using TFTP, perform the following procedure: 1. To begin: a. If you are using a Telnet management session, the following prompt is already displayed from step 4 in the procedure that begins on page 194: Only TFTP downloads are available for a Telnet access. TFTP server IP address: b.
Note: The file name must already exist on the switch.

Note: If you receive the following message:

The specified local file name/type can not be uploaded.
Press any key to continue.

the file name extension is not correct or the file does not exist. See File Naming Conventions on page 154 for more information about file types.

After you specify an acceptable file name, the upload begins.
AT-S60 Management Software User’s Guide Downloading the AT-S60 Image Switch to Switch This procedure explains how to download an AT-S60 software image from a master AT-8400 switch to another switch using enhanced stacking. You can update only AT-8400 Series switches. In other words, you cannot download AT-S60 management software onto an AT-8000 Series switch. Downloading an image file from one AT-8400 to another is useful in networks that contain a large number of AT-8400 chassis.
Chapter 11: File Downloads and Uploads Note You can update only AT-8400 Series switches. You cannot download AT-S60 management software onto an AT-8000 Series switch. The following prompt is displayed: Do you want to show remote switch burning flash -> [Yes/No] You can use this prompt to view system messages as the software image is stored to flash memory. 6. You can respond with Yes or No to this prompt. It does not affect the download.
Chapter 12 Event Log This chapter describes the event log.
Chapter 12: Event Log Event Log Overview A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when the problem occurred.
Configuring the Event Log

To enable or disable the event log and specify what the switch does when the log reaches its maximum capacity, perform the following procedure:

1. From the Main menu, type E to select Event Log. The Event Log Menu is shown in Figure 64.

Allied Telesyn Ethernet Switch AT-S60 V2.1.0
Production Switch 32
User: Manager                    11:20:02 02-Jan-2004

Event Log

1 - Event Logging..............Disabled
2 - Log Full Action............Wrap
3 - Event Output.....
Halt
Once the event log reaches its maximum capacity, this option causes the log to stop adding new entries.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

To display the events in the log, go to the next procedure.
AT-S60 Management Software User’s Guide Displaying Events To specify the types of events you want to display in the event log, perform the following procedure: 1. From the Main menu, type E to select Event Log. The Event Log menu is shown in Figure 64 on page 205. Note The 3 - Event Output option is a read-only field. The selection is always set to Temporary. 2. To select the order of the events in the log, type 4 to select the Event Order.
5. Choose one or more of the following selections:

Table 6 Event Log Severity Levels

Value  Severity Level  Description
ALL    All levels      Displays all of the following message types.
E      Error           Switch operation is severely impaired.
W      Warning         An issue may require manager attention.
I      Information     Useful information that can be ignored during normal operation.
D      Debug           Detailed high-volume information that is intended for Technical Support.
An example of an event log is shown in Figure 65. This log is in the Full display mode. The Normal display mode does not include the Filename, Line Number, and Event ID items.

Allied Telesyn Ethernet Switch AT-S60 V2.1.0
Production Switch 32
User: Manager                    11:20:02 02-Jan-2004

Event Log

S Date Time EventID Source File:Line Number Event
------------------------------------------------------------------
I 2/01/04 09:11:02 073001 garpmain.
❑ Date - The date the event occurred.
❑ Time - The time the event occurred.
❑ Event - The module within the AT-S60 software that generated the event followed by a brief description of the event. For a list of the AT-S60 modules, see Software Modules on page 210.
❑ Event ID - A unique number that identifies the event. (Displayed only in the Full display mode.)
❑ Source File and Line Number - The name of the AT-S60 source file and line number that generated the event.
Table 8 AT-S60 Software Modules

Module Name  Description
PSEC         Port security (MAC address-based)
PTRUNK       Port trunking
RADIUS       RADIUS authentication protocol
SNMP         SNMP
SSH          Secure Shell protocol
SSL          Secure Sockets Layer protocol
STP          Spanning Tree, Rapid Spanning, and Multiple Spanning Tree protocols
SYSTEM       Hardware status; Manager and Operator log in and log off events.
Chapter 12: Event Log Saving the Event Log To save the current contents of the event log as a file in the file system, you use the “S - Save Log to File” on the Event Log menu. Once you create an event log file, you can either view it or download it to your management workstation. Before you create an event log file, configure the Event Log feature to specify which log entries you want to save. See Configuring the Event Log on page 205.
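Once a saved log has been downloaded to the management workstation, it can be triaged offline. The following is an added example, not code from the guide or from Allied Telesyn: it parses lines in the Full display layout of Figure 65 and pulls out Error and Warning events plus anything from the access-related modules of Table 8. The whitespace-separated columns, the `module: description` shape of the Event column, the choice of modules, and every sample line are assumptions of the example.

```python
import re
from collections import Counter

# Severity codes from Table 6 of the guide.
SEVERITIES = {"E": "Error", "W": "Warning", "I": "Information", "D": "Debug"}

# Modules from Table 8 that record access-control activity. Picking these six
# is a choice made for this example, not a list from the guide.
SECURITY_MODULES = {"PSEC", "RADIUS", "SNMP", "SSH", "SSL", "SYSTEM"}

# Full display mode columns (Figure 65):
#   S  Date  Time  EventID  Source File:Line Number  Event
# Assumptions: columns are whitespace separated and the Event column reads
# "<module>: <description>".
FULL_LINE = re.compile(
    r"^(?P<severity>[EWID])\s+"
    r"(?P<date>\d{1,2}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event_id>\d+)\s+"
    r"(?P<source>[^\s:]+):(?P<line>\d+)\s+"
    r"(?P<module>\w+):\s*(?P<text>.*)$"
)

# Constructed sample: event IDs, source file names and event text are invented.
SAMPLE_LOG = """\
S Date    Time     EventID Source File:Line Number Event
------------------------------------------------------------------
I 2/01/04 09:11:02 900001 file_a.c:259 garp: sample informational event
I 2/01/04 09:14:40 900002 file_b.c:112 system: sample Manager log in event
W 2/01/04 09:15:03 900003 file_c.c:88 radius: sample warning event
E 2/01/04 09:15:09 900004 file_d.c:410 psec: sample error event
this line was damaged in transfer
D 2/01/04 09:16:00 900005 file_e.c:77 stp: sample debug event
"""


def parse_log(text):
    """Return (events, unparsed). Unparsed lines are kept for manual review."""
    events, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the dashed rule and the column header.
        if not line or set(line) == {"-"} or line.split()[:2] == ["S", "Date"]:
            continue
        match = FULL_LINE.match(line)
        if match is None:
            unparsed.append(raw)
            continue
        event = match.groupdict()
        event["module"] = event["module"].upper()
        event["line"] = int(event["line"])
        events.append(event)
    return events, unparsed


def triage(events, severities=("E", "W"), modules=SECURITY_MODULES):
    """Keep events at the given severities or from the given modules."""
    return [
        e for e in events
        if e["severity"] in severities or e["module"] in modules
    ]


def summarize(events):
    """Count events per (module, severity name)."""
    return Counter((e["module"], SEVERITIES[e["severity"]]) for e in events)


if __name__ == "__main__":
    parsed, rejected = parse_log(SAMPLE_LOG)
    for e in triage(parsed):
        print(e["severity"], e["date"], e["time"], e["module"], e["text"])
    print("unparsed lines:", rejected)
    print(dict(summarize(parsed)))
```

Lines that do not fit the layout are returned rather than dropped, so a truncated or altered log is noticed during review.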
Clearing the Event Log

To clear all events from the log, perform the following procedure:

1. From the Main menu, type E to select Event Log. The Event Log menu is shown in Figure 64 on page 205.
2. Type C to select Clear Log. A confirmation prompt is displayed.
3. Type Y to clear the log or N to cancel the procedure.

The log, if enabled, immediately begins to learn new events.
Chapter 13 Class of Service (CoS) This chapter contains the procedures for configuring Class of Service (CoS).
Class of Service Overview

When a port on an Ethernet switch becomes oversubscribed, meaning that its egress queues contain more frames than the port can handle in a timely and orderly manner, there is the possibility that frames may be delayed in reaching their destinations. A port may be forced to delay the transmission of some frames while it handles other traffic.
Each switch port has two egress queues, low and high. When a tagged frame enters a switch port, the switch responds by placing the frame into one of the two egress queues according to the following assignments: IEEE 802.
AT-S60 Management Software User’s Guide Configuring CoS To configure CoS for a port, perform the following procedure: 1. From the Main Menu, type 1 to select Port Menu. The Port Menu is shown in Figure 26 on page 102. 2. From the Port Menu, type 1 to select Port Configuration. The following prompt is displayed: Enter port-list: 3. Enter the port you want to configure. For information on entering ports, refer to Specifying Ports on page 34. The Port Configuration menu for the selected port(s) is displayed.
Chapter 14 IGMP Snooping This chapter provides a description of the Internet Group Management Protocol (IGMP) snooping feature. Also, it explains how to activate and configure the IGMP snooping feature on the switch using a local or Telnet management session.
AT-S60 Management Software User’s Guide IGMP Snooping Overview IGMP enables routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that request multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A user activates IGMP by selecting a multicast application such as a radio, voice, or video application on their PC.
Chapter 14: IGMP Snooping IGMP snooping enables the Fast Ethernet switch to monitor the flow of queries from a router and reports from host nodes to build its own multicast membership lists. The switch uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of multicast groups. This improves switch performance and network security by restricting the flow of multicast packets only to those switch ports connected to host nodes.
AT-S60 Management Software User’s Guide Configuring IGMP Snooping To configure, enable, or disable IGMP snooping on the switch and to configure IGMP snooping parameters, perform the following procedure: 1. From the Main Menu, type 5 to select System Menu. The System Menu is shown in Figure 5 on page 51. 2. From the System Menu, type 1 to select Configure System. The Configure System Menu is shown in Figure 11 on page 59. 3. From the Configure System menu, type 1 to select Configure System Software.
Options 1 through 5 are described below:

1 - IGMP Snooping Status
Enables and disables IGMP snooping on the switch. After selecting this option, type E to enable or D to disable this feature. The default is disabled.

2 - Multicast Host Topology
Defines whether there is one host node per switch port or multiple host nodes per port. Possible settings are Single-Host/Port (Edge) and Multi-Host/Port (Intermediate).
AT-S60 Management Software User’s Guide This parameter is useful with networks that contain a large number of multicast groups. You can use the parameter to prevent the switch’s MAC address table from becoming filled with multicast addresses, leaving no room for dynamic or static MAC addresses. 5 - Multicast Router Ports Mode Controls whether the detection of ports on the switch that are connected to multicast routers is made automatically or manually.
Chapter 14: IGMP Snooping Displaying a List of Host Nodes This procedure displays a list of the multicast groups on a switch, as well as the host nodes. To display the list, perform the following procedure: 1. From the IGMP Snooping Configuration Menu, type 6 to select View Multicast Hosts List. For instructions on how to display the IGMP Snooping Configuration Menu, perform Steps 1 to 4 of Configuring IGMP Snooping on page 221. The View Multicast Hosts List Menu is shown in Figure 68.
AT-S60 Management Software User’s Guide Status The status of the host node. The status can be either Active, meaning the node is an active member of a multicast group, or Left Group, meaning the node has recently left the group.
Chapter 14: IGMP Snooping Displaying a List of Multicast Routers A multicast router is a router that is receiving multicast packets from a multicast application and transmitting the packets to host nodes. You can use the AT-S60 software to display a list of the multicast routers that are connected to the switch. To display a list of the multicast routers, perform the following procedure: 1. From the IGMP Snooping Configuration Menu, type 7 to select View Multicast Router List.
AT-S60 Management Software User’s Guide RouterIP The IP address of the multicast router. If you enter the multicast router ports manually, the menu contains a single column labelled Static Router Ports and a list of the ports that you entered when you configured IGMP snooping.
Chapter 15 STP and RSTP This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The chapter also contains procedures on how to adjust spanning tree bridge and port parameters.
AT-S60 Management Software User’s Guide STP and RSTP Overview A physical loop in a network topology can pose a significant problem to Ethernet network performance. A loop exists when two or more nodes on a network can transmit data to each other over more than one data link. The problem with physical loops is that data packets can become caught in repeating cycles, referred to as broadcast storms, that needlessly consume network bandwidth and significantly reduce network performance.
Note
Spanning tree is disabled by default on the switch.

Note
For information about Multiple Spanning Tree, see Chapter 16, Multiple Spanning Tree Protocol (MSTP) on page 257.

Note
An AT-8411 TX line card with more than four ports functioning as redundant links to other network devices can significantly retard the speed of convergence for STP and RSTP. You can avoid this problem by selecting ports on different line cards to function as redundant links.
Table 9 Bridge Priority Value Increments

Increment  Bridge Priority  Increment  Bridge Priority
0          0                8          32768
1          4096             9          36864
2          8192             10         40960
3          12288            11         45056
4          16384            12         49152
5          20480            13         53248
6          24576            14         57344
7          28672            15         61440

Path Costs and Port Costs

Once the Root Bridge has been selected, the bridges must determine if the network contains redundant paths and, if one is found, they must select a preferred path while placing the redunda
The port costs of the ports on an AT-8400 Series switch can be adjusted through the management software. For STP and RSTP, the range is 0 to 200,000,000. The default value of 0 activates auto-detection. This feature sets port cost according to port speed, assigning lower costs to ports operating at higher speeds. Table 10 lists the auto-detection default values for STP and RSTP.
The range for port priority is 0 to 240 in increments of 16. Just as with the bridge priority value, you specify the increment that corresponds to the desired value. Table 11 lists the port priority increments. The default value is 128, with an increment of 8.
The forwarding delay value is adjustable on the AT-8400 Series switch through the management software. The appropriate value for this parameter depends on a number of variables, with the size of your network being a primary factor. For large networks, you should specify a value large enough to allow the root bridge sufficient time to propagate a topology change throughout the entire network.
There are two possible selections:

❑ Point-to-point
❑ Edge port

If a bridge port is operating in full-duplex mode, then the port is functioning as point-to-point. Figure 70 illustrates an AT-8400 chassis and an AT-8024 switch that have been interconnected with one data link. With the link operating in full-duplex, the ports are said to be point-to-point ports.
If a port is operating in half-duplex mode and is not connected to any further bridges participating in STP or RSTP, then the port is an edge port. Figure 71 illustrates an edge port on an AT-8411 TX line card in an AT-8400 chassis. The port is connected to an Ethernet hub, which in turn is connected to a series of Ethernet workstations.
A port can be both point-to-point and edge at the same time. It would operate in full-duplex and have no STP or RSTP devices connected to it. Figure 72 illustrates a port on an AT-8411 TX line card functioning both as point-to-point and edge.
The single spanning tree encompasses all ports on the switch. If the ports are grouped into different VLANs, the spanning tree crosses the VLAN boundaries. This can pose a problem where multiple VLANs that span different switches are connected with untagged ports. Spanning tree may block a data link because it detects a physical data loop, which can fragment your VLANs. This is illustrated in Figure 73.
Another approach is to connect your VLANs with tagged ports instead of untagged ports. A tagged port can handle traffic from more than one VLAN at a time. For information on tagged and untagged ports, refer to Chapter 18, Tagged and Port-based Virtual LANs on page 401. You can also place different VLANs in different spanning trees. This is accomplished using the Multiple Spanning Tree Protocol, explained in MSTP Overview on page 258.
Enabling or Disabling STP and RSTP

The AT-8400 Series switch can support STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. Before you enable a spanning tree protocol, you must first select it as the active spanning tree protocol on the switch. Once you have selected it as the active protocol, you can enable or disable it.
The following prompt is displayed:

Enter new value (S-STP, R-RSTP, M-MSTP):

4. Type S to select STP, R to select RSTP, or M to select MSTP. The following prompt is displayed:

Do you want to enable spanning tree? (Y/N) ->

If you respond with Yes to this prompt, the management software reboots the switch and enables the selected spanning tree protocol. If you respond with No, the management software reboots but does not activate spanning tree.
Configuring STP

This section contains the following procedures:

❑ Configuring STP Bridge Settings on page 242
❑ Configuring STP Port Parameters on page 245
❑ Displaying STP Port Settings on page 247

Configuring STP Bridge Settings

This section contains the procedure for configuring a bridge’s STP settings.

Caution
The default STP parameters are adequate for most networks.
The STP Menu is shown in Figure 75.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager 00:14:33 15-Jan-2004

STP Menu

1 - Bridge Priority .....
2 - Bridge Hello Time ...
3 - Bridge Forwarding ...
4 - Bridge Max Age ......
5 - Bridge Identifier ...
6 - Root Bridge .........
7 - Root Priority .......
3 - Bridge Forwarding
The waiting period in seconds before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, resulting in network loops. The range is 4 to 30 seconds. The default is 15 seconds.

4 - Bridge Max Age
The length of time in seconds after which stored bridge protocol data units (BPDUs) are deleted by the bridge.
Configuring STP Port Parameters

To adjust a port’s STP parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 74 on page 240.

2. From the Spanning Tree Menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 75 on page 243.

3. From the STP Menu, type P to select STP Port Parameters. The STP Port Parameters Menu is shown in Figure 76.
The STP Port Configuration menu is shown in Figure 77.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager 00:14:33 15-Jan-2004

Configure STP Port Settings

Configuring Ports 1.4

1 - Port Priority ...... 128
2 - Port Cost .......... Automatic-Update
R - Return to Previous Menu

Enter your selection?

Figure 77 Configure STP Port Settings Menu

6. Adjust the settings as desired. The parameters are described below.
Displaying STP Port Settings

To display port STP settings, perform the following procedure:

1. From the Spanning Tree Menu, type 3 to select STP Configuration. The STP Menu is shown in Figure 75 on page 243.

2. From the STP Menu, type P to select STP Port Parameters. The STP Port Parameters Menu is shown in Figure 76 on page 245.

3. From the STP Port Parameters Menu, type 2 to select Display STP Port Configuration.
Configuring RSTP

This section contains the following procedures:

❑ Configuring RSTP Bridge Settings on page 248
❑ Configuring RSTP Port Parameters on page 252
❑ Displaying RSTP Port Configuration and Port State on page 254

Configuring RSTP Bridge Settings

This section contains the procedure for configuring a bridge’s RSTP settings.

Caution
The default RSTP parameters are adequate for most networks.
The RSTP Menu is shown in Figure 79.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager 00:14:33 15-Jan-2004

RSTP Menu

1 - Force Version .......
2 - Bridge Priority .....
3 - Bridge Hello Time ...
4 - Bridge Forwarding ...
5 - Bridge Max Age ......
6 - Bridge Identifier ...
7 - Root Bridge .........
8 - Root Priority .......
3 - Bridge Hello Time
The time interval, in seconds, between generating and sending configuration messages by the bridge. This parameter can be from 1 to 10 seconds. The default is 2 seconds.

4 - Bridge Forwarding
The waiting period before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes. If the bridge transitions too soon, not all links may have yet adapted to the change, possibly resulting in a network loop.
8 - Root Priority
Indicates the bridge priority value on the root bridge. The bridge priority value is used by spanning tree to select the root bridge for the spanning tree domain. The bridge with the lowest value is assigned as the root bridge. This is a read-only parameter.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Configuring RSTP Port Parameters

To adjust a port’s RSTP parameters, perform the following procedure:

1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 74 on page 240.

2. From the Spanning Tree Menu, type 4 to select RSTP Configuration. The RSTP Menu is shown in Figure 79 on page 249.

3. From the RSTP Configuration menu, type P to select RSTP Port Parameters. The RSTP Port Parameters Menu is shown in Figure 80.
The Configure RSTP Port Settings Menu is shown in Figure 81.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
High School Switch 142
User: Manager 00:14:33 15-Jan-2004

Configure RSTP Port Settings

Configuring Ports 4.8

1 - Port Priority ......
2 - Path Cost ..........
3 - Point-to-Point .....
4 - Edge Port ..........
C - Check Migration To RSTP on Selected Ports (MCHECK)
This parameter resets an RSTP port, allowing it to send RSTP BPDUs. When an RSTP bridge receives STP BPDUs on an RSTP port, the port transmits STP BPDUs. The RSTP port continues to transmit STP BPDUs indefinitely. Type C to reset the RSTP port to transmit RSTP BPDUs. Each time an RSTP port is reset by receiving STP BPDUs, you need to type C to reset the RSTP port, allowing it to send RSTP BPDUs.
The Display RSTP Port Configuration Menu is shown in Figure 78.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 15-Jan-2004

Display RSTP Port Configuration

Port | Edge-Port | Point-to-Point | Cost        | Priority
---------------------------------------------------------
4.1  | Yes       | Auto Detect    | Auto Update | 128
4.2  | Yes       | Auto Detect    | Auto Update | 128
4.3  | Yes       | Auto Detect    | Auto Update | 128
4.4  | Yes       | Auto Detect    | Auto Update | 128
4.
The Display RSTP Port State Menu is shown in Figure 78.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 15-Mar-2004

Display RSTP Port State

Port  State     Role  P2P  Version  Port-Cost
-------------------------------------------------------------------
1.1   Disabled  ------------------------------------
3.1   Disabled  ------------------------------------
3.2   Disabled  ------------------------------------
3.3   Disabled  ------------------------------------
3.
Chapter 16
Multiple Spanning Tree Protocol (MSTP)

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The chapter also contains procedures on how to enable MSTP on the switch and configure MSTP parameters. The sections in this chapter include:

❑ MSTP Overview on page 258
❑ Configuring MSTP on page 274

Note
For further information on Multiple Spanning Tree Protocol, refer to IEEE Std 802.1s.
MSTP Overview

As mentioned in Chapter 15, STP and RSTP on page 228, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
Note
Due to different vendor implementations of the new IEEE 802.1s standard, compatibility issues concerning MSTP instances between the AT-8400 Series switch and switches from other vendors may exist. This can result in compatibility issues between different MSTP implementations. For this release, MSTP is compatible only with other AT-8400 Series switches.
If the switches were running STP or RSTP, one of the links would be blocked because the links constitute a physical loop. Which link would be blocked depends on the STP or RSTP bridge settings. In the example, the link between the two parts of the Production VLAN is blocked, resulting in a loss of communications between the two parts of the Production VLAN.
Figure 85 illustrates the same two AT-8400 Series switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 86 where there are two AT-8400 Series switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
This example illustrates Allied Telesyn’s implementation of MSTP. It shows that a tagged port cannot be a member of VLANs that belong to different MSTIs. That is why each MSTI in the example has its own tagged link.

MSTI Guidelines

Here are several guidelines to keep in mind about MSTIs:

❑ An AT-8400 Series switch can support up to 16 spanning tree instances, including the CIST, at a time.
❑ An MSTI can contain any number of VLANs.
A configuration name is a name you assign to a region to help you identify it. You must assign each bridge in a region exactly the same name—even the same upper and lowercase lettering. Identifying the regions in your network is easier if you choose names that are characteristic of the functions of the nodes and bridges of the region. In addition, standardize the capitalization of the configuration name. Examples are Sales Region and Engineering Region.
Figure 87 illustrates the concept of regions. It shows one MSTP region consisting of two AT-8400 Series switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The AT-8400 Series switch determines regional boundaries by examining the MSTP BPDUs received on the ports. A port that receives an MSTP BPDU from another bridge with regional information different from its own is considered to be a boundary port and the bridge connected to the port as belonging to another region. The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP.
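The region rules above (identical configuration name including letter case, identical revision level, identical VLANs and VLAN-to-MSTI associations, and no tagged port spanning VLANs of different MSTIs) can be checked offline before bridges are interconnected. The following Python sketch is an added example, not AT-S60 code; the bridge identifiers, the dictionary layout and all sample values are constructed for illustration.

```python
"""Group bridges into MSTP regions and explain why two bridges differ.

Added illustration, not AT-S60 code. The dictionary layout, bridge
identifiers, revision levels and VLAN/MSTI numbers are constructed.
"""
from collections import defaultdict

MAX_MSTI_ID = 15          # MSTI IDs run from 1 to 15; ID 0 is the CIST


def associations(bridge):
    """VLAN ID -> MSTI ID. VLANs not assigned to an MSTI stay in CIST (0)."""
    return {vid: bridge["msti"].get(vid, 0) for vid in bridge["vlans"]}


def region_key(bridge):
    """Everything that must match for two bridges to share a region."""
    # The name is compared exactly, so "Sales Region" != "sales region".
    return (bridge["name"], bridge["revision"],
            tuple(sorted(associations(bridge).items())))


def group_regions(bridges):
    """Return the regions as sorted lists of bridge identifiers."""
    regions = defaultdict(list)
    for bridge in bridges:
        regions[region_key(bridge)].append(bridge["id"])
    return sorted(sorted(members) for members in regions.values())


def explain_mismatch(a, b):
    """List the reasons two bridges fall into different regions."""
    reasons = []
    if a["name"] != b["name"]:
        if a["name"].lower() == b["name"].lower():
            reasons.append("configuration name differs only in letter case")
        else:
            reasons.append("configuration name differs")
    if a["revision"] != b["revision"]:
        reasons.append("revision level differs")
    va, vb = associations(a), associations(b)
    if set(va) != set(vb):
        reasons.append(f"VLANs differ: {sorted(set(va) ^ set(vb))}")
    moved = sorted(v for v in set(va) & set(vb) if va[v] != vb[v])
    if moved:
        reasons.append(f"VLAN-to-MSTI association differs for VLANs {moved}")
    return reasons


def validate(bridge):
    """Check one bridge's own settings against the MSTI guidelines."""
    problems = []
    assoc = associations(bridge)
    for vid, msti in sorted(bridge["msti"].items()):
        if not 1 <= msti <= MAX_MSTI_ID:
            problems.append(f"VLAN {vid}: MSTI ID {msti} outside 1 to {MAX_MSTI_ID}")
        if vid not in bridge["vlans"]:
            problems.append(f"VLAN {vid}: associated but not defined")
    # A tagged port cannot be a member of VLANs that belong to different MSTIs.
    for port, vids in sorted(bridge["tagged_ports"].items()):
        mstis = sorted({assoc.get(v, 0) for v in vids})
        if len(mstis) > 1:
            problems.append(f"port {port}: tagged in VLANs of MSTIs {mstis}")
    return problems


# Constructed sample: sw-c was typed with different capitalisation and has
# VLAN 4 in another MSTI, so it ends up in a region of its own.
BRIDGES = [
    {"id": "sw-a", "name": "Sales Region", "revision": 1,
     "vlans": [2, 4, 7], "msti": {2: 1, 4: 1, 7: 2},
     "tagged_ports": {"1.1": [2, 4], "1.2": [7]}},
    {"id": "sw-b", "name": "Sales Region", "revision": 1,
     "vlans": [2, 4, 7], "msti": {2: 1, 4: 1, 7: 2},
     "tagged_ports": {"1.1": [2, 4], "1.2": [7]}},
    {"id": "sw-c", "name": "sales region", "revision": 1,
     "vlans": [2, 4, 7], "msti": {2: 1, 4: 2, 7: 2},
     "tagged_ports": {"1.1": [2, 4]}},
]

if __name__ == "__main__":
    print("regions:", group_regions(BRIDGES))
    print("sw-a vs sw-c:", explain_mismatch(BRIDGES[0], BRIDGES[2]))
    for bridge in BRIDGES:
        for problem in validate(bridge):
            print(bridge["id"], "-", problem)
```

A bridge that lands alone in a region here would treat its links to the others as boundary ports once connected.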
❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address.
❑ The regional root of an MSTI must be in the same region as the MSTI.

Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0.
MSTP with STP and RSTP

MSTP is fully compatible with STP and RSTP. If a port on an AT-8400 Series switch running MSTP receives STP BPDUs, the port sends only STP BPDU packets. If a port receives RSTP BPDUs, the port sends MSTP BPDUs since RSTP can process MSTP BPDUs. A port connected to a bridge running STP or RSTP is considered a boundary port of the MSTP region and the bridge as belonging to a different region. An MSTP region can be considered as a virtual bridge.
❑ All of the bridges in a region must have the same configuration name, revision level, VLANs, and VLAN to MSTI associations.
❑ An MSTI cannot span multiple regions.
❑ Each MSTI must have a regional root for locating loops in the instance. MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address.
❑ The regional root of an MSTI must be in the same region as the MSTI.
This is shown in Figure 88. Port 8 on a line card in Switch A is a member of a VLAN assigned to MSTI ID 7. Port 1 on another line card in the same switch is a member of a VLAN assigned to MSTI ID 10. The BPDUs transmitted by port 8 to Switch B would indicate that the port is a member of both CIST and MSTI 7, while the BPDUs from Port 1 would indicate the port is a member of the CIST and MSTI 10.
A problem can arise if you assign some VLANs to MSTIs while leaving others assigned to CIST. The problem is illustrated in Figure 89. The network is the same as the previous example. The only difference is that the VLAN containing Port 8 on Switch A has not been assigned to an MSTI, and belongs only to CIST with its MSTI ID 0.
This is illustrated in Figure 90. The example shows two switches, each residing in a different region. Port 1 on a line card in Switch A is a boundary port. It is an untagged member of the Accounting VLAN, which has been associated with MSTI 4. Port 8 on another line card is a tagged and untagged member of three different VLANs, all associated to MSTI 12.
Here is an example. Let’s assume that you have two regions that contain the following VLANs:

Region 1 VLANs: Sales, Presales, Marketing, Advertising, Technical Support, Product Management, Project Management, Accounting

Region 2 VLANs: Hardware Engineering, Software Engineering, Technical Support, Product Management, CAD Development, Accounting

The two regions share three VLANs: Technical Support, Product Management, and Accounting.
Configuring MSTP

This section contains the following procedures:

❑ Enabling or Disabling MSTP on page 274
❑ Configuring MSTP Bridge Settings on page 277
❑ Configuring the CIST Priority on page 279
❑ Creating, Deleting, and Modifying MSTI IDs on page 280
❑ Associating VLANs to MSTI IDs on page 283
❑ Configuring MSTP Port Settings on page 288
❑ Displaying MSTP Port Settings and Status on page 290

Note
You cannot configure MSTP unless the protocol has been selected as the ac
The Spanning Tree Menu is shown in Figure 91.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Engineering Switch 142
User: Manager 00:14:33 15-Jan-2004

Spanning Tree Menu

1 2 3 4 5 - Spanning Tree Status ...... Disabled Active Protocol Version ...
5. Type Y for yes or N for no. The switch reboots and if you select Yes, the selected spanning tree protocol becomes the active protocol on the switch. You can now configure the parameters of the selected spanning tree protocol.

Unlike other management procedures with the AT-S60 software, this procedure does not require you to return to the Main Menu to save your changes. The change to the active spanning tree protocol is automatically saved before the switch reboots.
Configuring MSTP Bridge Settings

This section contains the procedure for configuring a bridge’s MSTP settings.

1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 91 on page 275.

2. From the Spanning Tree Menu, type 5 to select MSTP Configuration. The MSTP Menu is shown in Figure 92.

Allied Telesyn AT-8400 Series - ATS60 V2.1.
2 - Hello Time
The time interval between generating and sending configuration messages by the bridge. The range of this parameter is 1 to 10 seconds. The default is 2 seconds. This value is active only if the bridge is selected as the root bridge of the network.

3 - Forwarding Delay
The waiting period before a bridge changes to a new state, for example, becomes the new root bridge after the topology changes.
revision level must be the same on all bridges in a region. Different regions can have the same revision level without conflict.

8 - Bridge Identifier
The MAC address of the bridge. The bridge identifier is used as a tie breaker in the selection of a root bridge when two or more bridges have the same bridge priority value. This value cannot be changed.

4. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
more bridges have the same bridge or CIST priority values, the bridge with the numerically lowest MAC address becomes the root bridge.

The Associated VLANs field displays the VIDs of the VLANs that are currently associated with CIST and have not been assigned to an MSTI.

4. To change the CIST priority, type 1. The following prompt is displayed:

Enter new priority [the value will be multiplied by 4096]: [0 to 15] ->

5.
The MSTI Menu is shown in Figure 94.

Allied Telesyn AT-8400 Series - ATS60 V2.1.
5. Enter the new MSTP ID. The MSTI IDs range is from 1 to 15. You can specify only one MSTI ID at a time. The following prompt is displayed:

Success...Do you want to associate VLANs with this MSTI ID: [Yes/No] ->

6. If you want to associate VLANs to the MSTI now, type Y for yes. If you want to do it later, type N for no. To add or remove VLANs from an existing MSTI, go to Associating VLANs to MSTI IDs on page 283.
Modifying an MSTI ID

To change the MSTI priority value for an MSTI, do the following:

1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 91 on page 275.

2. From the Spanning Tree Menu, type 5 to select MSTP Configuration. The MSTP Menu is shown in Figure 92 on page 277.

3. From the MSTI Menu, type 3 to select MSTI Configuration Menu.
Adding or Removing a VLAN from an MSTI ID

This procedure explains how to associate VLANs on the switch to an existing MSTI ID and also how to remove VLANs. Before performing this procedure, note the following:

❑ You must create an MSTI ID before you can assign VLANs to it. To create an MSTI ID, refer to Creating, Deleting, and Modifying MSTI IDs on page 280.
❑ You can assign a VLAN to only one MSTI.
The VLAN-MSTI Association Menu is shown in Figure 95.

Allied Telesyn AT-8400 Series - ATS60 V2.1.
Associating a VLAN to an MSTI ID

To associate a VLAN to an MSTP ID, do the following:

1. From the Main Menu, type 3 to select Spanning Tree Menu. The Spanning Tree Menu is shown in Figure 91 on page 275.

2. From the Spanning Tree Menu, type 5 to select MSTP Configuration. The MSTP Menu is shown in Figure 92 on page 277.

3. From the MSTP Menu, type V to select VLAN-MSTI Association Menu. The VLAN-MSTI Association Menu is shown in Figure 95 on page 285.

4.
4. From the VLAN-MSTI Association Menu, type 2 to select Delete VLANs from MSTI. The following prompt is displayed:

Enter the MSTI ID [0 to 15] ->

5. Enter the MSTI ID to which you want to associate a VLAN. A prompt similar to the following is displayed:

Enter the list of VLANs:

6. Enter the VLAN ID of the virtual LAN that you want to remove from the MSTI ID.
You can enter more than one VLAN at a time (for example, 2,4,7). To view VIDs, refer to Displaying VLANs on page 418. The VLANs already associated with the MSTI ID are removed when the new VLANs are added. The removed VLANs are returned to CIST.

8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Configuring MSTP Port Settings

To configure a port’s MSTP parameters, perform the following procedure:

1.
The Configure MSTP Port Settings menu is shown in Figure 97.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Engineering Switch 142
User: Manager 00:14:33 15-Jan-2004

Configure MSTP Port Settings

1 - Port Priority ...............
2 - Port Internal Path Cost .....
3 - Port External Path Cost .....
4 - Point-to-Point ..............
5 - Edge Port ...................
5 - Edge Port
This parameter defines whether the port is functioning as an edge port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 234.

C - Check Migration To RSTP on Selected Ports (MCHECK)
The MCHECK parameter appears only when MSTP is enabled. This parameter resets an RSTP port, allowing it to send RSTP BPDUs. When an RSTP bridge receives STP BPDUs on an RSTP port, the port transmits STP BPDUs.
5. To display MSTP port state information, type 3 to select Display MSTP Port State. This selection displays a menu that contains the following MSTP operating status for a port:

❑ State - Identifies the MSTP state of the port. Possible states are: discarding, learning, and forwarding. A state of disabled means the port has not established a link with its end node.
❑ MSTI-ID - The MSTI ID of the VLAN containing the port.
Section III
SNMPv3 Protocol

There is one chapter in this section that describes the SNMPv3 Protocol. This chapter explains how to configure an AT-8400 switch with the SNMPv3 Protocol from a local or Telnet management session.
Chapter 17
SNMPv3 Configuration

This chapter provides a description of the AT-S60 implementation of the SNMPv3 protocol. In addition, it provides procedures that allow you to create and modify SNMPv3 users.
SNMPv3 Overview

The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 5: “SNMPv1 and SNMPv2c Configuration.” In the SNMPv3 protocol, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. The SNMP terminology changes in the SNMPv3 protocol.
With the SNMPv3 protocol, you create users, determine the protocol used for message authentication, and determine whether data transmitted between an SNMP agent and an NMS is encrypted. In addition, you have the ability to restrict user privileges by determining the user’s view of the Management Information Bases (MIBs). In this way, you restrict which MIBs the user can display and modify.
SNMPv3 Privacy Protocol

After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S60 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES protocol is the only encryption protocol supported. The DES privacy protocol requires the authentication protocol to be configured as either MD5 or SHA.
The AT-S60 software supports the MIB tree, starting with the Internet MIBs, as defined by 1.3.6.1. There are two ways to specify a MIB view. You can enter the OID number of the MIB view or its equivalent text name. For example, to specify MIBs in the Internet view, you can enter the OID format “1.3.6.1” or the text name “internet.” In addition, you can define a MIB view that the user can access or a MIB view that the user cannot access.
To determine the destination of the message, you configure the IP address of the host. This configuration is similar to the SNMPv1 and SNMPv2c configuration.
First, you create a user in the Configure SNMPv3 User Table. Then you define the MIB view this user has access to in the Configure SNMPv3 View Table. To configure a security group and associate a MIB view to a security group, you use the Configure SNMPv3 Access Table. Finally, you use the Configure SNMPv3 SecurityToGroup Menu to associate a user to a security group. See Figure 99 for an illustration of how the user configuration tables are linked.
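The following Python sketch, an added example and not AT-S60 code, models the four linked tables described above and follows a request from user to security group to MIB view, while flagging User Table entries that break the rule that DES privacy requires MD5 or SHA authentication. The table layouts, the `read_view` and `write_view` field names, the longest-subtree-wins rule for overlapping included and excluded subtrees (standard VACM behaviour, assumed here for AT-S60) and all sample users, groups and views are assumptions made for illustration.

```python
"""Resolve SNMPv3 access through the User, View, Access and
SecurityToGroup tables and flag inconsistent entries.

Added illustration, not AT-S60 code. Table layouts, field names and all
sample user, group and view names are assumptions for this example.
"""

ALIASES = {"internet": "1.3.6.1"}      # text name for the Internet view


def oid(text):
    """Turn '1.3.6.1' or a known text name into a tuple of integers."""
    return tuple(int(part) for part in ALIASES.get(text, text).split("."))


def check_user(name, user):
    """Problems with one User Table entry."""
    problems = []
    if user["auth"] not in ("MD5", "SHA", "None"):
        problems.append(f"{name}: unknown authentication protocol")
    if user["priv"] == "DES" and user["auth"] == "None":
        problems.append(f"{name}: DES privacy requires MD5 or SHA authentication")
    elif user["auth"] == "None":
        problems.append(f"{name}: messages are not authenticated")
    elif user["priv"] == "None":
        problems.append(f"{name}: messages are not encrypted")
    return problems


def view_allows(views, view_name, target):
    """True if `target` falls in an included subtree of the named view.

    When several subtrees of the view contain the OID, the longest one
    decides (assumption: standard VACM behaviour).
    """
    target = oid(target)
    best = None
    for name, subtree, kind in views:
        prefix = oid(subtree)
        if name == view_name and target[:len(prefix)] == prefix:
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, kind)
    return best is not None and best[1] == "included"


def resolve(tables, user_name, target, op="read"):
    """Follow User -> SecurityToGroup -> Access -> View for one request."""
    if user_name not in tables["users"]:
        return False, "no such user"
    group = tables["sec_to_group"].get(user_name)
    if group is None:
        return False, "user is not associated with a security group"
    access = tables["access"].get(group)
    if access is None:
        return False, f"group {group} has no Access Table entry"
    view_name = access.get(f"{op}_view")
    if not view_name or not any(v[0] == view_name for v in tables["views"]):
        return False, f"group {group} has no usable {op} view"
    if view_allows(tables["views"], view_name, target):
        return True, f"allowed by view {view_name}"
    return False, f"outside view {view_name}"


def audit(tables):
    """Collect findings for every user, in name order."""
    findings = []
    for name, user in sorted(tables["users"].items()):
        findings += check_user(name, user)
        if name not in tables["sec_to_group"]:
            findings.append(f"{name}: not associated with a security group")
    return findings


# Constructed sample tables.
TABLES = {
    "users": {
        "netops": {"auth": "SHA", "priv": "DES"},
        "monitor": {"auth": "MD5", "priv": "None"},
        "legacy": {"auth": "None", "priv": "None"},
        "orphan": {"auth": "SHA", "priv": "DES"},
    },
    "views": [
        ("all", "internet", "included"),
        ("restricted", "1.3.6.1.2.1", "included"),      # mib-2
        ("restricted", "1.3.6.1.2.1.4", "excluded"),    # ip group under mib-2
    ],
    "access": {
        "admins": {"read_view": "all", "write_view": "all"},
        "readers": {"read_view": "restricted", "write_view": None},
    },
    "sec_to_group": {"netops": "admins", "monitor": "readers",
                     "legacy": "readers"},
}

if __name__ == "__main__":
    for finding in audit(TABLES):
        print("finding:", finding)
    for user, target, op in [("monitor", "1.3.6.1.2.1.1.1.0", "read"),
                             ("monitor", "1.3.6.1.2.1.4.1.0", "read"),
                             ("netops", "1.3.6.1.2.1.4.1.0", "write")]:
        print(user, op, target, "->", resolve(TABLES, user, target, op))
```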
You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address that is used for notification in the Configure SNMPv3 Target Address Table. This is the IP address of the SNMPv3 manager. Finally, you associate the trap information with a user by configuring the Configure SNMPv3 Target Parameters Table.
❑ SNMPv3 Target Parameters Table on page 302
❑ SNMPv3 Community Table on page 303

SNMPv3 User Table

The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With an authentication protocol configured, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
SNMPv3 SecurityToGroup Table

The Configure SNMPv3 SecurityToGroup Table Menu allows you to associate a User Name with a security group called a Group Name. The User Name is previously configured with the Configure SNMPv3 User Table Menu. The security group is previously configured with the Configure SNMPv3 Access Table Menu. Lastly, you can configure a storage type for this table entry which allows you to save the entry to flash memory.
SNMPv3 Community Table

The Configure SNMPv3 Community Table Menu allows you to configure SNMPv1 and SNMPv2c communities. If you are going to use the SNMPv3 Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table. See Configuring the SNMPv3 Community Table on page 381.
Configuring the SNMPv3 Protocol

This section describes how to configure the SNMPv3 protocol using the SNMPv3 Tables. To successfully configure this protocol, you must perform the procedures in the order given. For overview information about SNMPv3, see the SNMPv3 Overview on page 294.

In order to allow an NMS to access the switch, you need to enable SNMP access.
Configuring the SNMPv3 User Table

This section contains a description of the SNMPv3 User Table and how to create, delete, and modify table entries. Configure the SNMPv3 User Table first. Creating this table allows you to create an entry in an SNMPv3 User Table for a User Name.
The Configure SNMPv3 Table Menu is shown in Figure 101.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Engineering Switch 142
User: Manager 00:14:33 15-Jan-2004

Configure SNMPv3 Table

1 2 3 4 5 6 7 8 9 - SNMP Engine...............
The Configure SNMPv3 User Table Menu is shown in Figure 102.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Engineering Switch 142
User: Manager 00:14:33 15-Jan-2004

Configure SNMPv3 User Table

Engine ID .................
User Name .................
Authentication Protocol ...
Privacy Protocol ..........
Storage Type ..............
Row Status ................
protocol after a message is received. This algorithm generates the message digest. The user is authenticated when the authentication protocol checks the message digest. With the SHA selection, you can configure a Privacy Protocol.
N-None
This value represents no authentication protocol. When messages are received, users are not authenticated. With the None selection, you cannot configure a Privacy Protocol.
If you select NONE, you are prompted for the Storage Type.
You are prompted to re-enter the password.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
13. Select one of the following storage types for this table entry:
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 User Table to nonvolatile memory.
The following prompt is displayed:
Enter User (Security) Name:
4. Enter the User Name of the User Table entry you want to delete.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
5. Enter Y to delete the user or N to save the user.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
The Modify SNMPv3 User Table is shown in Figure 103.
[Figure 103: Modify SNMPv3 User Table screen. Fields: Engine ID, User Name, Authentication Protocol, Privacy Protocol, Storage Type, Row Status]
message digest. The user is authenticated when the authentication protocol checks the message digest. With the SHA selection, you can configure a Privacy Protocol.
N-None
This value represents no authentication protocol. When messages are received, users are not authenticated. With the None selection, you cannot configure a Privacy Protocol.
If you select None, go to step 9. If you select MD5 or SHA, the following prompt is displayed:
Enter Authentication Password:
7.
2. From the Configure SNMPv3 Table Menu, type 2 to select Configure SNMPv3 User Table. The SNMPv3 User Table is shown in Figure 102 on page 307.
3. From the SNMPv3 User Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Table Menu is shown in Figure 103 on page 311.
4. Type 2 to select Privacy Protocol & Password.
The following prompt is displayed:
Enter User (Security) Name:
5. Enter the User Name.

Modifying the Storage Type
To modify the Storage Type in an SNMPv3 User Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Configuring the SNMPv3 User Table on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 User Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 2 to select Configure SNMPv3 User Table.

Configuring the SNMPv3 View Table
This section contains a description of the SNMPv3 View Table and how to create, delete, and modify table entries. Creating this table allows you to specify a view using the following parameters:
❑ Subtree OID
❑ Subtree Mask
❑ MIB OID Table View
To configure the SNMPv3 View Table, you need to be very familiar with the MIB tree. You can be very specific about the view a user can or cannot access—down to a column or row of the tree.
The Configure SNMPv3 View Table Menu is shown in Figure 104.
[Figure 104: Configure SNMPv3 View Table Menu screen. Fields: View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status. Sample values shown: internet 1.3.6.]
5. Enter the subtree that this view will or will not be permitted to display. You can enter either a numeric value in hex format or the equivalent text name. For example, the OID hex format for TCP/IP is:
1.3.6.1.2.1.6
The text format for TCP/IP is:
tcp
The following prompt is displayed:
Enter Subtree Mask (Hex format):
6. Enter a subtree mask. This is an optional parameter that is used to further refine the value in the View Subtree parameter.
8. Select one of the following storage types for this table entry:
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 View Table to the configuration file. After making changes to an SNMPv3 View Table entry with a Volatile storage type, the S - Save Configuration Changes option does not appear on the Main Menu.
The following prompt is displayed:
Enter View Subtree (OID format/Text Name):
5. Enter the subtree for this view.
Do you want to delete this table entry? (Y/N): [Yes/No]->
6. Enter Y to delete the view or N to save the view.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying an SNMPv3 View Table Entry
This section describes how to modify parameters in an SNMPv3 Notify Table entry.
The Modify SNMPv3 View Table Menu is shown in Figure 105.
[Figure 105: Modify SNMPv3 View Table Menu screen. Fields: View Name, Subtree OID, Subtree Mask, View Type, Storage Type, Row Status. Sample values shown: tcp 1.3.6.1.2.1.]
This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subtree Mask parameter is dependent on the subtree you select. See RFC 2575 for detailed information about defining a subtree mask.
8.
The text format for TCP/IP is:
tcp
The following prompt is displayed:
Enter View Type [I-Included, E-Excluded]:
7. Choose one of the following view types:
I - Included
Enter this value to permit a user to see the subtree specified above.
E - Excluded
Enter this value to not permit a user to see the subtree specified above.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
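How the Subtree OID, Subtree Mask and View Type of several View Table entries combine into one access decision, as an added example (not part of the AT-S60 guide or firmware) that follows the view-matching rules of RFC 2575, the RFC the guide cites. The view names mgmt and port2, the mask ff:a0 and the sample OIDs are constructed, and it is an assumption that the switch applies the RFC rules unchanged.

```python
from dataclasses import dataclass


def parse_oid(text):
    """'1.3.6.1.2.1.6' -> (1, 3, 6, 1, 2, 1, 6)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(hex_text):
    """Hex mask such as 'ff:a0' -> bits, most significant bit first.

    Bit n of the mask belongs to sub-identifier n of the subtree OID.
    An empty string means no mask: every sub-identifier must match.
    """
    raw = bytes.fromhex(hex_text.replace(":", "").replace(" ", ""))
    return tuple((byte >> (7 - bit)) & 1 for byte in raw for bit in range(8))


@dataclass(frozen=True)
class ViewEntry:
    view_name: str
    subtree: tuple
    mask: tuple
    included: bool  # True for I-Included, False for E-Excluded


def view_entry(view_name, subtree, mask_hex, view_type):
    """Build one View Table row from the values typed at the prompts."""
    if view_type not in ("I", "E"):
        raise ValueError("view type must be I or E")
    return ViewEntry(view_name, parse_oid(subtree), parse_mask(mask_hex),
                     view_type == "I")


def family_matches(entry, oid):
    """True if oid falls inside the entry's (subtree, mask) family."""
    if len(oid) < len(entry.subtree):
        return False
    for pos, sub_id in enumerate(entry.subtree):
        # Mask bits that are missing count as 1 (exact match required).
        must_match = entry.mask[pos] if pos < len(entry.mask) else 1
        if must_match and oid[pos] != sub_id:
            return False
    return True


def in_view(entries, view_name, oid_text):
    """Decide whether an OID is visible through the named view.

    Of all matching entries, the one with the longest subtree wins
    (ties go to the lexicographically greater subtree); its view type
    is the answer. No matching entry means the OID is not in the view.
    """
    oid = parse_oid(oid_text)
    matches = [e for e in entries
               if e.view_name == view_name and family_matches(e, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed View Table: 'mgmt' shows the internet subtree except tcp;
# 'port2' shows every column of ifTable row 2 and nothing else
# (mask ff:a0 = 11111111 101..., so position 10, the column, is a wildcard).
VIEW_TABLE = [
    view_entry("mgmt", "1.3.6.1", "", "I"),
    view_entry("mgmt", "1.3.6.1.2.1.6", "", "E"),
    view_entry("port2", "1.3.6.1.2.1.2.2.1.0.2", "ff:a0", "I"),
]

if __name__ == "__main__":
    for view, oid in [("mgmt", "1.3.6.1.2.1.1.1.0"),
                      ("mgmt", "1.3.6.1.2.1.6.5.0"),
                      ("port2", "1.3.6.1.2.1.2.2.1.10.2"),
                      ("port2", "1.3.6.1.2.1.2.2.1.10.3")]:
        print(view, oid, "visible" if in_view(VIEW_TABLE, view, oid) else "hidden")
```

Because the longest matching subtree wins, an Excluded entry only hides data when it is at least as specific as the Included entry that would otherwise match.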
6. Enter the View Subtree for this View Name.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-Nonvolatile]:
7. Select one of the following storage types for this table entry:
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 View Table to the configuration file.

Configuring the SNMPv3 Access Table
This section contains a description of the SNMPv3 Access Table and how to create, delete, and modify table entries. The SNMPv3 Access Table allows you to configure a security group. Each user must belong to a security group. After you have configured a security group, use the SecurityToGroup Table to assign users to security groups. See Creating an SNMPv3 SecurityToGroup Table Entry on page 340.
The Configure SNMPv3 Access Table Menu is shown in Figure 106.
[Figure 106: Configure SNMPv3 Access Table Menu screen. Fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status. Sample values shown: softwareengineering internet tcp tcp]
Note: The Context Prefix and the Context Match fields are read-only fields. The Context Prefix field is always set to null. The Context Match field is always set to exact.
The following prompt is displayed:
Enter Security Model [1-v1, 2-v2c, 3-v3]:
5. Select one of the following SNMP protocols as the Security Model for this Group Name.
1-v1
Select this value to associate the Group Name with the SNMPv1 protocol.
greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
The following prompt is displayed:
Enter Read View Name:
7. Enter a value that you configured with the View Name parameter in the SNMPv3 View Table. A Read View Name allows the users assigned to this Group Name to view the information specified by the View Table entry. This value does not need to be unique.
Note: The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Access Table entry will take effect immediately.
11. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 Access Table Entry
You may want to delete an entry from the SNMPv3 Access Table. After you delete an SNMPv3 Access Table entry, there is no way to undelete, or recover, it. To delete an entry in the SNMPv3 Access Table, perform the following procedure:
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5.
6. Enter the Security Level of this Group Name. Select one of the following Security Levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.
Note: If you have selected SNMPv1 or SNMPv2c, N-NoAuthNoPriv is the only security level you can select.
Configure the values of the Read View Name, Write View Name, and Notify View Name parameters with values previously configured with the View Name parameter in the SNMPv3 View Table. This is the only way to associate a Group Name with these Views. See Creating an SNMPv3 View Table Entry on page 315.
The Modify SNMPv3 Access Table is shown in Figure 107.
[Figure 107: Modify SNMPv3 Access Table screen. Fields: Group Name, Context Prefix, Read View, Write View, Notify View, Security Model, Security Level, Context Match, Storage Type, Row Status; options 1 through 4, each beginning with Set. Sample values shown: sales systemmanagers salespeople salespeople]
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.

Modifying the Write View Name
To modify the Write View Name parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol.

Modifying the Notify View Name
To modify the Notify View Name parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
The following prompt is displayed:
Enter Security Level [N-NoAuthNoPriv, A-AuthNoPriv, P-AuthPriv]:
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol.

Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Access Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 4 to select Configure SNMPv3 Access Table.
7. Enter the Security Level configured for this Group Name. You cannot change the value of the Security Level parameter. Select one of the following security levels:
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol. This security level provides the least security.

Configuring the SNMPv3 SecurityToGroup Table
This section contains a description of the SNMPv3 SecurityToGroup Table and how to create, delete, and modify table entries. The SNMPv3 SecurityToGroup Table allows you to associate a User Name with a Group Name. The User Name is configured in the Configure SNMPv3 User Table Menu while the Group Name is configured in the Configure SNMPv3 Access Table Menu.
The Configure SNMPv3 SecurityToGroup Table Menu is shown in Figure 108.
[Figure 108: Configure SNMPv3 SecurityToGroup Table Menu screen. Fields: Security Model, Security Name, Group Name, Storage Type, Row Status]
3-v3
Select this value to associate the Group Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
6. Enter a Group Name that you configured in the SNMPv3 Access Table. See Creating an SNMPv3 Access Table Entry on page 324. There are four default values for this field:
❑ defaultV1GroupReadOnly
❑ defaultV1GroupReadWrite
❑ defaultV2cGroupReadOnly
❑ defaultV2cGroupReadWrite
These values are reserved for SNMPv1 and SNMPv2c implementations.

Deleting an SNMPv3 SecurityToGroup Table Entry
You may want to delete an entry from the SNMPv3 SecurityToGroup Table. When you delete an SNMPv3 SecurityToGroup Table entry, there is no way to undelete, or recover, it. To delete an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure:
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
6. Enter Y to delete this SecurityToGroup entry or N to save it.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying an SNMPv3 SecurityToGroup Table Entry
This section describes how to modify parameters in an SNMPv3 SecurityToGroup Table entry.
The Modify SecurityToGroup Table is displayed as shown in Figure 108.
[Figure: Modify SNMPv3 SecurityToGroup Table screen. Fields: Security Model, Security Name, Group Name, Storage Type, Row Status]
3-v3
Select this value to associate the User Name with the SNMPv3 protocol.
The following prompt is displayed:
Enter Group Name:
7. Enter the new Group Name. This value must match a value configured in the Group Name parameter in the Configure SNMPv3 Access Table. See Creating an SNMPv3 Access Table Entry on page 324.
8. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Select one of the following SNMP protocols:
1-v1
Select this value if this User Name is configured with the SNMPv1 protocol.
2-v2c
Select this value if this User Name is configured with the SNMPv2c protocol.
3-v3
Select this value if this User Name is configured with the SNMPv3 protocol.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7.

Configuring the SNMPv3 Notify Table
This section contains a description of the SNMPv3 Notify Table Menu and how to create, delete, and modify table entries. The Configure SNMPv3 Notify Table Menu allows you to define a name for sending traps. In each Notify Table entry, you define if the switch sends a trap or an inform message. The two message types, trap and inform, have different packet formats.
The Configure SNMPv3 Notify Table Menu is shown in Figure 110.
[Figure 110: Configure SNMPv3 Notify Table Menu screen. Fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status]
I-Inform
Indicates this notify table is used to send inform messages. With this message type, the switch expects a response from the authoritative entity.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
7. Select one of the following storage types for this table entry:
V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 Notify Table to the configuration file.
Note: To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table Menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Notify Table entry, type 2 to select Delete SNMPv3 Table Entry.
The following prompt is displayed:
Enter Notify Name:
4. Enter a Notify Name.
The following prompt is displayed:
Do you want to delete this table entry? (Y/N): [Yes/No]->
5.
The Modify SNMPv3 Notify Table Menu is displayed as shown in Figure 111.
[Figure 111: Modify SNMPv3 Notify Table Menu screen. Fields: Notify Name, Notify Tag, Notify Type, Storage Type, Row Status]

Modifying a Notify Type
To modify the Notify Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.

Modifying a Storage Type
To modify the Storage Type parameter in an SNMPv3 Notify Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 6 to select Configure SNMPv3 Notify Table.

Configuring the SNMPv3 Target Address Table
This section contains a description of the SNMPv3 Target Address Table Menu and how to create, delete, and modify table entries. You use the SNMPv3 Target Address Table Menu to assign the IP address of a host that is used for generating notifications. The Configure SNMPv3 Target Address Table Menu is linked internally to the Configure SNMPv3 Notify Table through the Tag List parameter.

Creating an SNMPv3 Target Address Table Entry
To create an entry in the Configure SNMPv3 Target Address Table Menu, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
5. Enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.XXX
The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162.
The following prompt is displayed:
Enter Timeout (10mS): [0 to 2147483647]-> 1500
7. Enter a timeout value in milliseconds.
This name can consist of up to 32 alphanumeric characters. The value configured here must match the value configured with the Target Parameters Name parameter in the Configure SNMPv3 Target Parameters Table.
The following prompt is displayed:
Enter Storage Type [V-Volatile, N-NonVolatile]:
11.
The Configure SNMPv3 Target Address Table Menu is shown in Figure 114 on page 369.
Note: To display a Group Name and its associated parameters from the Configure SNMPv3 SecurityToGroup Table Menu, type N to display the Next Page and P to display the previous page.
3. To delete an SNMPv3 Target Address Table entry, type 2 to select Delete SNMPv3 Table Entry.
The following prompt is displayed:
Enter Target Address Name:
4. Enter a Target Address Name.

Modifying the Target IP Address
To modify the target IP address in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
4. To change the Target IP Address, type 1 to select Set Target IP Address.
The following prompt is displayed:
Enter Target Address Name:
5. Enter a previously configured Target Address Name. This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters.
The following prompt is displayed:
Enter IP Address:
6. Enter the IP address of the host.
This is the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters.
The following prompt is displayed:
Enter UDP Port#: [0 to 65535]-> 162
6. Enter a UDP port. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter a timeout value in milliseconds. When an Inform message is generated, it requires a response from the switch. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
6. Enter the number of times the switch will retry, or resend, the Inform message. The range is 0 to 255 retries. The default is 3 retries.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Target Address Tag List
To modify the Target Address Tag List parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1.

Modifying the Target Parameters Field
To modify the Target Parameters field in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.

Modifying the Storage Type
To modify the Storage Type parameter in an SNMPv3 Target Address Table entry, perform the following procedure.
1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 7 to select Configure SNMPv3 Target Address Table.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Configuring the SNMPv3 Target Parameters Table
This section contains a description of the SNMPv3 Target Parameters Table and how to create, delete, and modify table entries. The SNMPv3 Target Parameters Table links the user security information with the message notification information configured in the Configure SNMPv3 Notify Table Menu and Configure SNMPv3 Target Address Table Menu.
There are three functions you can perform with the Configure SNMPv3 Target Parameters Table Menu.
❑ Creating an SNMPv3 Target Parameters Table Entry on page 369
❑ Deleting an SNMPv3 Target Parameters Table Entry on page 372
❑ Modifying an SNMPv3 Target Parameters Table Entry on page 373

Creating an SNMPv3 Target Parameters Table Entry
To create an entry in the Configure SNMPv3 Target Parameters Table, perform the following procedure.
1.
3. To create an SNMPv3 Target Parameters Table, type 1 to select Create SNMPv3 Table Entry.
The following prompt is displayed:
Enter Target Parameters Name:
4. Enter a name of the Target Parameters. Enter a value of up to 32 alphanumeric characters.
Note: You are prompted to enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model.
7. Select one of the following Security Levels:
Note: The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table Menu. See Creating an SNMPv3 User Table Entry on page 305.
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol.
entry with a NonVolatile storage type, the S - Save Configuration Changes option appears on the Main Menu, allowing you to save your changes.
Note: The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Target Parameters Table entry will take effect immediately.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
5. Enter Y to delete the SNMPv3 Target Address Table entry or N to save it.
6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying an SNMPv3 Target Parameters Table Entry
This section provides procedures for modifying parameters in an SNMPv3 Target Parameters Table entry. The parameter values configured in the Target Parameters Table must match those configured in the other tables.
Note: You cannot modify an entry in the SNMPv3 Target Parameter Table that contains a value of “default” in the Target Parameters Name field.

Modifying the Security Name (User Name)
In the AT-S60 implementation of the SNMPv3 protocol, the Security Name and the User Name parameters are equivalent. In the SNMPv3 Target Parameters Table Menu, the Security Name and the User Name parameters are used interchangeably.
The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 115.
[Figure 115: Modify SNMPv3 Target Parameters Table Menu screen. Fields: Target Parameters Name, Message Processing Model, Security Model, Security Name, Security Level, Storage Type, Row Status]

Modifying the Security Model
For the Security or User Name you have selected, the value of the Security Model parameter in an SNMPv3 Target Parameter Table entry must match the value of the Security Model parameter in the SNMPv3 Access Table entry.
Caution: If the values of the Security Model parameter in the SNMPv3 User Table and the SNMPv3 Target Parameter Table entry do not match, notification messages are not generated on behalf of this User (Security) Name.
2-v2c
Select this value if this User Name is associated with the SNMPv2c protocol.
3-v3
Select this value if this User Name is associated with the SNMPv3 protocol.
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
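The cross-table rules stated in this chapter (view names, group names, Target Parameters names, tags and security levels that must match between tables) can be checked offline before a configuration is typed in. The following is an added example, not AT-S60 code: the dictionary layout, the entry names other than softwareengineering, internet and tcp, and the rule that derives a user's security level from its authentication and privacy settings are assumptions made for illustration.

```python
def user_level(user):
    """Security level implied by a User Table entry (assumed derivation)."""
    if user["auth"] == "None":
        return "NoAuthNoPriv"
    return "AuthPriv" if user["priv"] else "AuthNoPriv"


def lint(cfg):
    """Return a list of cross-table mismatches found in cfg."""
    findings = []
    users = {u["name"]: u for u in cfg["users"]}
    views = set(cfg["views"])
    access_keys = {(a["group"], a["model"]) for a in cfg["access"]}
    mapped = {(s["security_name"], s["model"]) for s in cfg["security_to_group"]}
    param_names = {p["name"] for p in cfg["target_params"]}
    notify_tags = {n["tag"] for n in cfg["notify"]}

    for a in cfg["access"]:
        # Read/Write/Notify View Names must already exist in the View Table.
        for field in ("read_view", "write_view", "notify_view"):
            if a[field] and a[field] not in views:
                findings.append(f"Access {a['group']}: {field} {a[field]!r} not in View Table")
        # SNMPv1 and SNMPv2c groups can only use NoAuthNoPriv.
        if a["model"] != "v3" and a["level"] != "NoAuthNoPriv":
            findings.append(f"Access {a['group']}: {a['model']} allows only NoAuthNoPriv")

    for s in cfg["security_to_group"]:
        # The User Name comes from the User Table, the Group Name from the Access Table.
        if s["model"] == "v3" and s["security_name"] not in users:
            findings.append(f"SecurityToGroup {s['security_name']}: no User Table entry")
        if (s["group"], s["model"]) not in access_keys:
            findings.append(f"SecurityToGroup {s['security_name']}: group {s['group']!r} "
                            f"has no {s['model']} Access Table entry")

    for p in cfg["target_params"]:
        # Security Name and Security Model must lead to a configured group.
        if (p["security_name"], p["model"]) not in mapped:
            findings.append(f"Target Parameters {p['name']}: {p['security_name']} is not "
                            f"mapped to a group for {p['model']}")
        user = users.get(p["security_name"])
        if p["model"] == "v3" and user and user_level(user) != p["level"]:
            findings.append(f"Target Parameters {p['name']}: level {p['level']} but user "
                            f"{user['name']} is configured for {user_level(user)}")

    for t in cfg["target_addr"]:
        if t["params"] not in param_names:
            findings.append(f"Target Address {t['name']}: Target Parameters {t['params']!r} not defined")
        if not notify_tags.intersection(t["tag_list"].split()):
            findings.append(f"Target Address {t['name']}: no Tag List entry matches a Notify Tag")
    return findings


# Constructed sample configuration with five deliberate mismatches.
SAMPLE = {
    "users": [{"name": "netops", "auth": "SHA", "priv": True},
              {"name": "auditor", "auth": "MD5", "priv": False}],
    "views": ["internet", "tcp"],
    "access": [
        {"group": "softwareengineering", "model": "v3", "level": "AuthPriv",
         "read_view": "internet", "write_view": "tcp", "notify_view": "tcp"},
        {"group": "auditors", "model": "v3", "level": "AuthNoPriv",
         "read_view": "internet", "write_view": "", "notify_view": "mib2"},
    ],
    "security_to_group": [
        {"security_name": "netops", "model": "v3", "group": "softwareengineering"},
        {"security_name": "auditor", "model": "v3", "group": "auditors"},
        {"security_name": "ghost", "model": "v3", "group": "softwareengineering"},
    ],
    "notify": [{"name": "traps1", "tag": "nmstag", "type": "Trap"}],
    "target_params": [
        {"name": "nms-params", "model": "v3", "security_name": "netops", "level": "AuthPriv"},
        {"name": "audit-params", "model": "v3", "security_name": "auditor", "level": "AuthPriv"},
    ],
    "target_addr": [
        {"name": "nms1", "tag_list": "nmstag", "params": "nms-params"},
        {"name": "nms2", "tag_list": "othertag", "params": "missing-params"},
    ],
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A mapping such as ghost, which points a group at a user name with no User Table entry, is worth removing even though it is inert: creating a user of that name later would give it the group's access without any further change.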
Select one of the following Security Levels:
Note: The value you configure for the Security Level must match the value configured for the User Name in the Configure SNMPv3 User Table Menu. See Creating an SNMPv3 User Table Entry on page 305.
N-NoAuthNoPriv
This option represents no authentication and no privacy protocol. Select this security level if you do not want to authenticate SNMP users and you do not want to encrypt messages using a privacy protocol.
The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.
2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Address Table. The Configure SNMPv3 Target Parameters Table Menu is shown in Figure 114.
3. From the Configure SNMPv3 Target Parameters Table Menu, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Target Parameters Table Menu is shown in Figure 115 on page 375.
4.
Modifying the Storage Type

To modify the Storage Type parameter in an SNMPv3 Target Parameter Table entry, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5. The Configure SNMPv3 Table Menu is shown in Figure 101 on page 306.

2. From the Configure SNMPv3 Table Menu, type 8 to select Configure SNMPv3 Target Address Table.
Configuring the SNMPv3 Community Table

This section contains a description of the SNMPv3 Community Table and how to create, delete, and modify table entries. The SNMPv3 Community Table allows you to create SNMPv1 and SNMPv2c Communities using the SNMPv3 Tables.

Allied Telesyn does not recommend that you use the menu described in this section to configure SNMPv1 and SNMPv2c communities.
For each SNMPv3 Community Table entry, you can configure the following parameters:

❑ Community Index
❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type

In addition, you can display the entries configured with the Configure SNMPv1 & SNMPv2c Community Menu in the Configure SNMPv3 Community Table Menu. However, you cannot modify an SNMPv1 & SNMPv2c Community Table entry with the Configure SNMPv3 Community Table Menu.
The Configure SNMPv3 Community Table Menu is shown in Figure 116.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Marketing Switch 17
    User: Manager                    00:14:33 15-Jan-2004

    Configure SNMPv3 Community Table

    Community Index ...............
    Community Name ................
    Security Name .................
    Transport Tag .................
    Storage Type ..................
    Row Status ....................
Note: Allied Telesyn recommends that you select SNMP Community Names carefully to ensure these names are known only to authorized personnel.

The following prompt is displayed:

    Enter Security Name:

6. Enter the name of an SNMPv1 and SNMPv2c user. This name must be unique. Enter a value of up to 32 alphanumeric characters.

Note: Do not use a value configured with the User Name parameter in the SNMPv3 User Table.

The following prompt is displayed:

    Enter Transport Tag:

7.
Note: The Row Status parameter is a read-only field in the Telnet and Local interfaces. The Active value indicates the SNMPv3 Community Table entry takes effect immediately.

9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Deleting an SNMPv3 Community Table Entry

You may want to delete an entry from the SNMPv3 Community Table.
Modifying an SNMPv3 Community Table Entry

For each entry in the SNMPv3 Community Table, you can modify the following parameters:

❑ Community Name
❑ Security Name
❑ Transport Tag
❑ Storage Type

However, you cannot modify the Community Index parameter.
The Modify SNMPv3 Community Table Menu is shown in Figure 117.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Marketing Switch 17
    User: Manager                    00:14:33 15-Jan-2004

    Modify SNMPv3 Community Table

    Community Index ...............
    Community Name ................
    Security Name .................
    Transport Tag .................
    Storage Type ..................
    Row Status ....................
7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.

Modifying the Security Name

To modify the Security Name parameter in an SNMPv3 Community Table entry, perform the following procedure:

1. Follow steps 1 through 5 in the procedure described in Creating an SNMPv3 User Table Entry on page 305. Or, from the Main Menu type 5->1->1->8->5.
The Configure SNMPv3 Table Menu is displayed as shown in Figure 101 on page 306.

2. From the Configure SNMPv3 Table Menu, type 9 to select Configure SNMPv3 Community Table. The Configure SNMPv3 Community Table Menu is shown in Figure 116 on page 383.

3. From the Configure SNMPv3 Community Table, type 3 to select Modify SNMPv3 Table Entry. The Modify SNMPv3 Community Table Menu is shown in Figure 117 on page 387.

4.
The following prompt is displayed:

    Enter Community Index:

5. Enter the Community Index of the Storage Type you want to change.

The following prompt is displayed:

    Enter Storage type [V-volatile, N-NonVolatile]:

6. Select one of the following storage types for this table entry:

V - Volatile
Select this storage type if you do not want the ability to save an entry in the SNMPv3 Community Table to the configuration file.
Displaying SNMPv3 Table Menus

The procedures in this section describe how to display the SNMPv3 Tables.
The Display SNMPv3 Table Menu is shown in Figure 118. Allied Telesyn AT-8400 Series - ATS60 V2.1.
Displaying the Display SNMPv3 View Table Menu

This section describes how to display the Display SNMPv3 View Table Menu. For information about the SNMPv3 View Table parameters, see Creating an SNMPv3 View Table Entry on page 315.

To display the Display SNMPv3 View Table Menu, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 391. Or, from the Main Menu type 5->1->1->8->6.
Displaying the Display SNMPv3 Access Table Menu

This section describes how to display the Display SNMPv3 Access Table Menu. For information about the SNMPv3 Access Table parameters, see Creating an SNMPv3 Access Table Entry on page 324.

To display the Display SNMPv3 Access Table Menu, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 391.
Displaying the Display SNMPv3 SecurityToGroup Table Menu

This section describes how to display the Display SNMPv3 SecurityToGroup Table Menu. For more information about the parameters in the SNMPv3 SecurityToGroup Table Menu, see Creating an SNMPv3 SecurityToGroup Table Entry on page 340.

To display the Display SNMPv3 SecurityToGroup Table Menu, perform the following procedure.

1.
Displaying the Display SNMPv3 Notify Table Menu

This section describes how to display the Display SNMPv3 Notify Table Menu. For information about the SNMPv3 Notify Table parameters, see Creating an SNMPv3 Notify Table Entry on page 348.

To display the Display SNMPv3 Notify Table Menu, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 391.
Displaying the Display SNMPv3 Target Address Table Menu

This section describes how to display the Display SNMPv3 Target Address Table Menu. For information about the SNMPv3 Target Address Table parameters, see Creating an SNMPv3 Target Address Table Entry on page 356.

To display the Display SNMPv3 Target Address Table Menu, perform the following procedure.

1.
Displaying the Display SNMPv3 Target Parameters Table Menu

This section describes how to display the Display SNMPv3 Target Parameters Table Menu. For information about the SNMPv3 Target Parameters Table parameters, see Creating an SNMPv3 Target Parameters Table Entry on page 369.

To display the Display SNMPv3 Target Parameters Table Menu, perform the following procedure.

1.
Displaying the Display SNMPv3 Community Table Menu

This section describes how to display the Display SNMPv3 Community Table Menu. For information about the SNMPv3 Community Table parameters, see Creating an SNMPv3 Community Table Entry on page 382.

To display the Display SNMPv3 Community Table Menu, perform the following procedure.

1. Follow steps 1 through 5 in the procedure described in Displaying the Display SNMPv3 User Table Menu on page 391.
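The matching rules stated in this chapter can be audited offline once the displayed tables have been transcribed: a Target Parameters entry must carry the same Security Model and Security Level as the name it refers to, a Community Table Security Name must be unique and must not reuse an SNMPv3 User Name, and Volatile entries are not saved to the configuration file. The Python below is an added example, not Allied Telesyn code; the record layout, finding labels and sample entries are constructed, and the level names AuthNoPriv and AuthPriv are the standard SNMPv3 ones rather than values shown on this page.

```python
from typing import NamedTuple


class User(NamedTuple):
    name: str
    security_model: str   # "v2c" or "v3", as selected for this name
    security_level: str   # "NoAuthNoPriv", "AuthNoPriv" or "AuthPriv"


class TargetParams(NamedTuple):
    name: str
    security_model: str
    security_name: str
    security_level: str
    storage_type: str     # "Volatile" or "NonVolatile"


class Community(NamedTuple):
    index: str            # Community Index
    security_name: str    # the community name itself is deliberately not recorded
    storage_type: str


def audit(users, target_params, communities):
    """Return (location, finding) pairs for entries that break the chapter's rules."""
    findings = []
    by_name = {u.name: u for u in users}

    for tp in target_params:
        where = f"target-params:{tp.name}"
        if tp.storage_type == "Volatile":
            # Entry is lost on reset because it is not written to the config file.
            findings.append((where, "volatile-not-saved"))
        if tp.security_level == "NoAuthNoPriv":
            # Notifications for this entry are neither authenticated nor encrypted.
            findings.append((where, "no-auth-no-priv"))
        user = by_name.get(tp.security_name)
        if user is None:
            findings.append((where, "unknown-security-name"))
            continue
        if tp.security_model != user.security_model:
            # Per the Caution: no notifications are generated for this name.
            findings.append((where, "model-mismatch"))
        if tp.security_level != user.security_level:
            findings.append((where, "level-mismatch"))

    seen = set()
    for c in communities:
        where = f"community:{c.index}"
        if c.storage_type == "Volatile":
            findings.append((where, "volatile-not-saved"))
        if c.security_name in by_name:
            # The guide says not to reuse a User Name from the SNMPv3 User Table.
            findings.append((where, "security-name-is-snmpv3-user"))
        if c.security_name in seen:
            findings.append((where, "duplicate-security-name"))
        seen.add(c.security_name)
    return findings


# Constructed sample entries, not taken from a real switch.
SAMPLE_USERS = [
    User("alice_v3", "v3", "AuthPriv"),
    User("mon_v2", "v2c", "NoAuthNoPriv"),
]
SAMPLE_TARGET_PARAMS = [
    TargetParams("tp_ok", "v3", "alice_v3", "AuthPriv", "NonVolatile"),
    TargetParams("tp_model", "v2c", "alice_v3", "AuthPriv", "NonVolatile"),
    TargetParams("tp_level", "v3", "alice_v3", "AuthNoPriv", "Volatile"),
    TargetParams("tp_open", "v2c", "mon_v2", "NoAuthNoPriv", "NonVolatile"),
    TargetParams("tp_ghost", "v3", "bob", "AuthPriv", "NonVolatile"),
]
SAMPLE_COMMUNITIES = [
    Community("1", "alice_v3", "NonVolatile"),
    Community("2", "comm_ops", "Volatile"),
    Community("3", "comm_ops", "NonVolatile"),
]


def run_sample():
    return audit(SAMPLE_USERS, SAMPLE_TARGET_PARAMS, SAMPLE_COMMUNITIES)


if __name__ == "__main__":
    for where, finding in run_sample():
        print(f"{where:28} {finding}")
```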
Section IV

VLANs

The chapters in Section IV explain how to configure VLANs on an AT-8400 switch using a local or Telnet management session.
Chapter 18

Tagged and Port-based Virtual LANs

This chapter contains basic information about virtual LANs (VLANs). It also contains procedures for creating, modifying, and deleting VLANs from a local or Telnet management session. There is also a procedure on how to change a switch’s VLAN operating mode.
VLAN Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the unicast, multicast, and broadcast packets generated by the nodes of a VLAN remain within the VLAN.

With VLANs, you can segment your network through the switch’s management software and so be able to group nodes with related functions into their own separate, logical LAN segments.
workstations physically, or having to change group memberships by moving cables from one switch port to another. A virtual LAN can also span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.
Port-based VLAN Overview

As explained in the VLAN Overview section, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. The unicast, broadcast, and multicast packets generated by the end nodes of a VLAN remain within the VLAN and do not cross over to the end nodes of other VLANs unless there is an interconnecting device, such as a router or Layer 3 switch.
If a VLAN consists only of ports located on one physical switch in your network, you would assign it a VID unique from all other VLANs in your network. If a VLAN spans multiple switches, then the VID for the VLAN on the different switches must be the same. In this manner, the switches are able to recognize and forward frames belonging to the same VLAN even though the VLAN spans multiple switches.
For example, assume that you were creating a port-based VLAN on a switch and you had assigned the VLAN a VID value of 5. Consequently, the PVID for each port in the VLAN would need to be assigned the value of 5. Some switches and switch management programs require that you assign the PVID value for each port manually. However, the AT-S60 management software performs this task automatically.
❑ The introduction of a router into your network could create security issues from unauthorized access to your network.
❑ A VLAN that spans several switches requires a port on each switch for the interconnection of the various parts of the VLAN. For example, a VLAN that spans three switches requires one port on each switch to interconnect the various sections of the VLAN.
Port-Based Examples

What follows are two examples of port-based VLANs that illustrate the basic principles discussed earlier in this chapter.

Example 1

Our first example is illustrated in Figure 127. It shows two port-based VLANs on an AT-8400 switch.

[Figure 127 Port-based VLAN - Example 1. Diagram labels: Sales VLAN (VID 2), Production VLAN (VID 3), Server, WAN, Router]

The two VLANs are Sales and Production. They were assigned unique VIDs of 2 and 3, respectively, when they were created.
The table below lists the port assignments for the Sales and Production VLANs on the AT-8400 Series switch.

AT-8400 Series switch

Sales VLAN (VID 2)                             Production VLAN (VID 3)
Slot 1: AT-8411TX Ports: 1 - 4, 8 (PVID=2)     Slot 4: AT-8411TX Ports: 1, 8 (PVID=3)
Slot 2: AT-8411TX Ports 1 - 2 (PVID=2)         Slot 5: AT-8411TX Ports 1 - 3 (PVID=3)

Each VLAN also has a port connected to the router. The router interconnects the VLANs.
Example 2

Figure 128 illustrates our second port-based example. The two VLANs, Sales and Production, now span two Ethernet switches, an AT-8400 and an AT-8024.
The table below lists the port assignments for the Sales and Production VLANs on the switches:

                        Sales VLAN (VID 2)               Production VLAN (VID 3)
AT-8400 Series switch   Slot 1 Ports: 1-5 (PVID=2)       Slot 4 Ports: 1, 4 (PVID=3)
                        Slot 2 Ports: 1-2, 5 (PVID=2)    Slot 5 Ports: 4 (PVID=3)
AT-8024 Switch          Ports 1-7 (PVID=2)               Ports 17-21 (PVID=3)

As mentioned earlier, a VLAN that spans more than one switch requires a data link(s) to connect its different parts together.
Tagged VLAN Overview

The second type of VLAN supported by the AT-8400 Series switch is the tagged VLAN. Tagged VLANs use information inside tagged frames as they are received on the ports to determine VLAN membership. This contrasts with port-based VLANs, where the PVIDs assigned to the ports determine VLAN membership.

The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
The parts of a tagged VLAN are much the same as those for a port-based VLAN. They are:

❑ VLAN Name
❑ VLAN Identifier
❑ Tagged and Untagged Ports
❑ Port VLAN Identifier

Note: For explanations of VLAN name and VLAN identifier, refer to VLAN Name and VLAN Identifier on page 404.

Tagged and Untagged Ports

You need to specify which ports are members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports.
General Rules for Creating a Tagged VLAN

Below is a summary of the rules to observe when creating a tagged VLAN.

❑ Each tagged VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches or stacks, each part of the VLAN on the different switches or stacks must be assigned the same VID.
❑ A tagged port can be a member of multiple VLANs.
❑ An untagged port can be an untagged member of only one VLAN at a time.
Tagged VLAN Example

Figure 129 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

[Figure 129. Diagram labels: Sales VLAN (VID 2), Production VLAN (VID 3), Legacy Server, WAN]
This example is nearly identical to the port-based VLAN Example 2 earlier in this chapter. Tagged ports have been added to simplify network implementation and management.
Basic VLAN Mode Overview

The Fast Ethernet Switches support a special VLAN configuration referred to as the Basic VLAN Mode. When the Basic VLAN Mode is activated, frames are forwarded based solely on MAC addresses. All VLAN information, including PVIDs assigned to ports and VLAN tags in tagged frames, is ignored. Tagged frames are analyzed only for priority level. Packets are passed through the switch unchanged.
Displaying VLANs

The procedure in this section displays all the port-based and tagged VLANs on the AT-8400 Series switch. In addition, you can display the Management VLAN ID and the VLAN Mode.

To view the VLANs, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 130.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
3. From the Display VLAN Menu, type 3 to select Display Port Based VLAN. The Display Port Based VLAN Menu is displayed. An example of the menu is shown in Figure 132.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager                    00:14:33 01-Jan-2004

    Display Port Based VLAN

    VID  VLAN Name     VLAN Type   Protocol  Untagged(U)/Tagged Ports
    ----------------------------------------------------------------------
    1    Default_VLAN  Port Based            U: 11.1-8, 12.
If only the Protocol is GARP, then the corresponding tagged port in the menu was added by GVRP to an existing VLAN. An example of this is the Engineering VLAN in the Display Port Based VLAN Menu on page 419. Notice that port 11.5 was added as a dynamic port to the tagged Engineering VLAN.

Tagged(T)/Untagged(U)
This column lists the ports of the VLAN.
Creating a Port-based or Tagged VLAN

To create a new port-based or tagged VLAN, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 130 on page 418.

2. From the VLAN Menu, type 1 to select Configure VLAN. The Configure VLAN Menu is shown in Figure 133.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
3. From the Configure VLAN menu, type 4 to select Configure Port-Based VLAN. The Configure Port Based VLAN Menu is shown in Figure 134.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    High School Switch 142
    User: Manager                    00:14:33 01-Jan-2004

    Configure Port-Based VLAN

    VID  VLAN Name     VLAN Type   Protocol  Tagged(T)/Untagged(U) Ports
    ----------------------------------------------------------------------
    1    Default_VLAN  Port Based            U: 11.1-8, 12.8
                                             T: 5.1, 6.3
    12   Sales         Port Based            U: 1.1-8, 2.
After you have entered a name, the following prompt is displayed:

    Enter VLAN VID: [2 to 4094]

6. Enter a VID value for the new VLAN. The permitted range of the VID value is 2 to 4094. The management software uses the next available VID number on the switch as the default value.

If the VLAN is to be unique in your network, then its VID must also be unique.
If this VLAN does not contain any untagged ports, leave this field empty. For information on entering ports, refer to Specifying Ports on page 34.

After you have specified the untagged ports, the management software automatically creates the VLAN. The Configure Port Based VLAN Menu (Figure 134 on page 422) is updated with your new VLAN.

9. Check to see that the VLAN was created correctly and that it contains the appropriate ports. The new VLAN is now ready for use.
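Before stepping through the menus, a planned layout can be checked against the rules this chapter gives: VIDs from 2 to 4094, one VID per VLAN on the switch, an untagged port in only one VLAN, and tagged ports free to appear in several. The Python below is an added example, not part of the AT-S60 software; the slot.port list syntax is inferred from the menu displays (for example 11.1-8, 12.8), the function names and the faulty plan are constructed, and the Sales and Production entries follow Example 1.

```python
import re

VID_MIN, VID_MAX = 2, 4094   # range offered by the "Enter VLAN VID" prompt

# One list item: slot.port or slot.first-last (syntax assumed from the menus).
_PORT_ITEM = re.compile(r"^(\d+)\.(\d+)(?:\s*-\s*(\d+))?$")


def parse_ports(text):
    """Expand a list such as '1.1-4, 1.8' into a set of (slot, port) pairs."""
    ports = set()
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue
        match = _PORT_ITEM.match(item)
        if not match:
            raise ValueError(f"cannot parse port item {item!r}")
        slot, first = int(match.group(1)), int(match.group(2))
        last = int(match.group(3)) if match.group(3) else first
        if last < first:
            raise ValueError(f"descending range in {item!r}")
        ports.update((slot, number) for number in range(first, last + 1))
    return ports


def validate(plan):
    """Return (vlan name, finding, detail) tuples for rule violations in a plan."""
    findings = []
    vid_owner = {}        # VID -> first VLAN that claimed it
    untagged_owner = {}   # (slot, port) -> VLAN holding it as untagged
    for vlan in plan:
        name, vid = vlan["name"], vlan["vid"]
        if not VID_MIN <= vid <= VID_MAX:
            findings.append((name, "vid-out-of-range", str(vid)))
        if vid in vid_owner:
            findings.append((name, "duplicate-vid", str(vid)))
        else:
            vid_owner[vid] = name
        # Tagged ports may legitimately repeat across VLANs; they are parsed
        # only so that a malformed list is rejected.
        parse_ports(vlan.get("tagged", ""))
        for slot, number in sorted(parse_ports(vlan.get("untagged", ""))):
            if (slot, number) in untagged_owner:
                findings.append((name, "untagged-conflict", f"{slot}.{number}"))
            else:
                untagged_owner[(slot, number)] = name
    return findings


def pvid_map(plan):
    """PVID each untagged port receives: the VID of its VLAN (valid plans only)."""
    return {
        port: vlan["vid"]
        for vlan in plan
        for port in parse_ports(vlan.get("untagged", ""))
    }


# Port assignments from Example 1 (Sales VID 2, Production VID 3).
EXAMPLE_1 = [
    {"name": "Sales", "vid": 2, "untagged": "1.1-4, 1.8, 2.1-2", "tagged": ""},
    {"name": "Production", "vid": 3, "untagged": "4.1, 4.8, 5.1-3", "tagged": ""},
]

# Constructed faulty plan: reused VID, port 1.4 untagged twice, VID above 4094.
FAULTY_PLAN = [
    {"name": "Sales", "vid": 2, "untagged": "1.1-4", "tagged": "2.2"},
    {"name": "Production", "vid": 2, "untagged": "1.4, 4.1", "tagged": "2.2"},
    {"name": "Lab", "vid": 4095, "untagged": "", "tagged": "2.2"},
]

if __name__ == "__main__":
    print(validate(EXAMPLE_1))
    for finding in validate(FAULTY_PLAN):
        print(finding)
```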
Example of Creating a Port-Based VLAN

The following procedure creates the Sales VLAN illustrated in Port-Based Examples on page 408. This VLAN is assigned a VID of 2. It consists of seven untagged ports, Ports 1 to 4 and 8 from the AT-8411 TX line card in Slot 1 and Ports 1 and 2 from the AT-8411 TX line card in Slot 2. The VLAN does not contain any tagged ports.

To create the example Sales VLAN, perform the following procedure:

1.
Example of Creating a Tagged VLAN

The following procedure creates the Production VLAN in the AT-8400 Series switch illustrated in Tagged VLAN Example on page 415. This VLAN is assigned the VID 3. It consists of five untagged ports: Port 1 from the AT-8411 TX line card in slot 5 and Ports 1 to 4 from the AT-8411 line card in Slot 6. The VLAN also consists of two tagged ports: Port 8 from Slot 1, which gives the VLAN access to an IEEE 802.
Modifying a VLAN

This section contains the procedure for adding or deleting ports from a tagged or port-based VLAN.

To modify a VLAN, perform the following procedure:

1. From the Configure Port Based VLAN menu, type 3 to select Modify Port Based VLAN. The Modify Port Based VLAN menu is shown in Figure 135.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
Each menu selection is explained below.

1 - Add Ports to VLAN

To add ports to a VLAN, do the following:

a. Type 1 to select Add Ports to VLAN. The following prompt is displayed:

    Enter VLAN ID: [2 to 4094] ->

b. Enter the VID of the VLAN you want to change. The following prompt is displayed:

    Enter Tagged Port-list to add:

c. If you want to add one or more tagged ports to the VLAN, enter them at this prompt. If you are not adding tagged ports, press Return.
c. If you want to remove one or more tagged ports from the VLAN, enter the ports at this prompt. If you are not removing tagged ports, press Return. For information on entering ports, refer to Specifying Ports on page 34. The following prompt is displayed:

    Enter Untagged Port-list to delete:

d. If you want to remove one or more untagged ports from the VLAN, enter them at this prompt. If you are not removing untagged ports, press Return.
4 - Clear Ports from VLAN

To remove all ports from the VLAN, do the following:

a. Type 4 to select Clear Ports from VLAN. The following prompt is displayed:

    Enter VLAN ID: [2 to 4094] ->

b. Enter the VID of the VLAN you want to change. All tagged and untagged ports are removed from the VLAN.

c. After modifying a VLAN, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Deleting a VLAN

To delete a VLAN, perform the following procedure:

1. From the Configure Port Based VLAN menu, type 2 to select Delete Port Based VLAN. The following prompt is displayed:

    Enter VLAN ID: [2 to 4094] ->

2. Enter the VID of the VLAN you want to delete and press Return.

Note: You cannot delete the Default_VLAN, which has a VID of 1, or a dynamic GVRP VLAN.

The following confirmation prompt is displayed:

    Do you want to delete this VLAN? [Yes/No] ->

3.
Setting a Switch’s VLAN Mode

This section contains the procedure for setting a switch’s VLAN mode. You can configure a switch to support port-based and tagged VLANs or to operate in the Basic VLAN mode. Port-based and tagged VLANs and the Basic VLAN mode are described in earlier sections in this chapter.

Note: Changing a switch’s VLAN mode resets the switch. The switch does not forward traffic during the brief period required to reload the AT-S60 management software.
Specifying a Management VLAN

The management VLAN is the VLAN through which an AT-8400 Series switch expects to receive management packets. This VLAN is important if you are using the enhanced stacking feature of the switch or if you are managing a switch remotely.

Management packets are packets generated by a management workstation while managing a switch. The management card in the switch acts upon the packets only if they are received on the management VLAN.
Now let’s assume that you decided to create a VLAN called NMS with a VID of 24 for the sole purpose of remote network management. For this, you would need to create the NMS VLAN on each AT-8400 Series switch that you want to manage remotely, being sure to assign each NMS VLAN the VID of 24. You would need to be sure that the uplink and downlink ports connecting the switches together are untagged members of the NMS VLAN.
Chapter 19

Multiple VLAN Modes

This chapter explains the Multiple VLAN modes and how to select a mode.
Multiple VLAN Mode Overview

The Multiple VLAN modes simplify the task of configuring a switch in a network environment that requires a high degree of network segmentation. These modes are useful in isolating the traffic on each port from all other ports. They are fixed VLAN configurations that cannot be changed.

When a Multiple VLAN mode is activated, the switch automatically places each port in a separate VLAN as an untagged port.
Note: The Multiple VLAN modes are supported only in single switch (that is, an edge switch) environments. This means that cascading of switches while in a Multiple VLAN mode is not allowed. Activating a Multiple VLAN mode on a cascaded switch can possibly result in disconnection of network paths between switches unless the port used to link the switches is configured as the uplink port.
Table 12 802.1Q-Compliant Multiple VLAN Example

VLAN Name   VID   Untagged Port   Tagged Port
Client_7    7     1.7             2.2
Client_8    8     1.8             2.2
Client_9    9     2.1             2.2
Client_10   10    2.2
Client_11   11    2.3             2.2

Note: In 802.1Q Multiple VLAN mode, the device connected to the uplink port must be 802.1Q-compliant and must be able to handle tagged packets.

Non-802.1Q Compliant Multiple VLANs

The Non-802.
Table 13 Non-802.1Q Compliant Multiple VLAN Example

VLAN Name   VID   Untagged Port   Tagged Port
Client_4    4     1.4, 2.2
Client_5    5     1.5, 2.2
Client_6    6     1.6, 2.2
Client_7    7     1.7, 2.2
Client_8    8     1.8, 2.2
Client_9    9     2.1, 2.2
Client_10   10    All ports
Client_11   11    2.3, 2.2

Caution: The non-802.1Q-Compliant Multiple VLAN mode does not protect the switch from VLAN leakage.
Selecting a VLAN Mode

The following procedure explains how to select a VLAN mode on an AT-8400 Series Switch.

Note: You should create a backup file of the configuration of the switch before changing the switch to a Multiple VLAN mode. Changing the VLAN mode automatically deletes any port-based or tagged VLANs that you created on the switch.

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is displayed as shown in Figure 133 on page 421.

2.
The following confirmation is displayed:

    Setting VLAN mode to Multiple VLAN. Please wait...

The VLAN mode is changed.

7. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Changing the Uplink Port

Once the switch is operating in a Multiple VLAN mode, you can always change the uplink port, if needed. You simply specify the new uplink port and the switch automatically reconfigures the VLANs.

To change the uplink port, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is displayed as shown in Figure 133 on page 421.

2. From the VLAN Menu, type 1 to select Configure VLAN.
Displaying VLAN Information

To view the name, VID number, and member ports of the VLANs on a switch, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is displayed as shown in Figure 133 on page 421.

2. From the VLAN Menu, type 2 to select Display VLAN. The Display VLAN Menu is displayed as shown in Figure 131 on page 418.

3. From the Display VLAN menu, type 3 to select Display Port Based VLAN.
Chapter 20

GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP).
GARP VLAN Registration Protocol (GVRP) Overview

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise have to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
Figure 137 provides an example of how GVRP works.
it is not a member, it automatically adds the port to the VLAN as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made.

5. Switch #3 sends a PDU out port 4 to Switch #2.

6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN.

There is now a communications path for the end nodes of the Sales VLAN on Switches #1 and #3.
❑ You can convert dynamic GVRP VLANs and dynamic GVRP port assignments to static VLANs and static port assignments. The procedure for this is found in Modifying a VLAN on page 427.
❑ The default port setting on the switch for GVRP is active, meaning that the ports participate in GVRP. Allied Telesyn recommends disabling GVRP on those ports that are connected to GVRP-inactive devices, meaning that they do not feature GVRP.
Generic Attribute Registration Protocol (GARP) Overview

The following is a technical overview of GARP. An understanding of GARP may prove helpful when using GVRP.

The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example, end stations and switches, can register and de-register attribute values, such as VLAN Identifiers, with each other.
The architecture of GARP is shown in Figure 138.
An instance of GID consists of the set of state machines that define the current registration and declaration state of all attribute values associated with the GARP Participant. Separate state machines exist for the Applicant and Registrar. This is shown in Figure 139. GID Attribute ...
The Applicant is therefore looking after the interests of all would-be Participants. This allows the Registrar to be very simple. The job of the Registrar is to record whether an attribute is registered, in the process of being de-registered, or is not registered for an instance of GID. To control the Applicant state machine, an Applicant Administrative Control parameter is provided.
Configuring GVRP

Use the following procedure to configure GVRP. The timers in the following menus are in increments of centiseconds, which are hundredths of a second.

To configure GVRP, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 130 on page 418.

2. From the VLAN Menu, type 3 to select Configure GARP-GVRP. The GARP-GVRP Menu is shown in Figure 140.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
6. Choose one of the following:

E to enable GIP.
D to disable GIP.

Note: Do not disable GIP if you intend to use GVRP. GIP is required to propagate VLAN information among the ports of the switch.

Caution: The following steps change the three GVRP timers. Please note that the settings for these timers must be the same on all GVRP-active network devices.

7. To change the value of the Join Timer, type 3.
Enabling or Disabling GVRP on a Port

This procedure enables and disables GVRP on a switch port. The default setting for GVRP on a port is enabled. Only those ports where GVRP is enabled transmit PDUs.

Note: Allied Telesyn recommends disabling GVRP on unused ports and those ports that are connected to GVRP-inactive devices. This is to protect against unauthorized access to restricted areas of your network.
5. Enter a port or a list of ports. For information about how to specify ports, see Specifying Ports on page 34. The Configure GVRP Port Settings Menu is shown in Figure 142.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Production Switch 4
    User: Manager                    00:14:33 24-May-2004

    Configure GVRP Port Settings

    Configuring Port 2.1-8

    1 - Port Mode ............. Normal

    R - Return to Previous Menu

    Enter your selection?

    Figure 142 Configure GVRP Port Settings Menu

6.
9. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Displaying GVRP Parameters and Statistics

To display GVRP counters, database, state machine, and GIP connected ports ring, perform the following procedure:

1. From the Main Menu, type 2 to select VLAN Menu. The VLAN Menu is shown in Figure 130 on page 418.

2. From the VLAN Menu, type 3 to select Configure GARP-GVRP. The GARP-GVRP Menu is shown in Figure 140 on page 453.

3. From the GARP-GVRP Menu, type O to select Other GVRP Parameters Menu.
GVRP Counters

Option 1 - Display GVRP Counters in the Other GARP Port Parameters displays the GVRP Counters Menu (page 1) as shown in Figure 145.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
Table 14 GVRP Counters

Parameter: Transmit Discarded: GARP Disabled
Meaning: Number of GARP PDUs discarded because the GARP application was disabled. This counter is incremented when ports are added to or deleted from the GARP application arising from port movements in the underlying VLAN or STP.
Table 14 GVRP Counters

Parameter: Transmit GARP Messages: JoinEmpty
Meaning: Total number of GARP JoinEmpty messages transmitted for all attributes in the GARP application.

Parameter: Receive GARP Messages: JoinIn
Meaning: Total number of GARP JoinIn messages received for all attributes in the GARP application.

Parameter: Transmit GARP Messages: JoinIn
Meaning: Total number of GARP JoinIn messages transmitted for all attributes in the GARP application.
GVRP Database

Option 2 - Display GVRP Database in the Other GARP Port Parameters displays the GVRP Database Menu as shown in Figure 147.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
GIP Connected Ports Ring

Option 3 - Display GIP Connected Ports Ring in the Other GARP Port Parameters displays the GIP Connected Ports Ring Menu as shown in Figure 148.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Production Switch 4
    User: Manager  00:14:33 24-May-2004

    GIP Connected Ports Ring

    GARP Application: GVRP
    GIP Context ID: 0, STP ID: 0
    ------------------------------------------------------------
    1.2 -> 1.8 -> 4.
GVRP State Machine

Option 4 - Display GVRP State Machine in the Other GARP Port Parameters displays the GVRP State Machine Menu (page 1) as shown in Figure 149.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
Table 17 GVRP State Machine Parameters (Continued)

Parameter: App
Meaning: Applicant state machine for the GID index on that particular port.
Table 17 GVRP State Machine Parameters (Continued)

Parameter: App (Continued)
Meaning: Non-Participant Management state:
   “Von” Very Anxious Observer
   “Aon” Anxious Observer
   “Qon” Quiet Observer
   “Lon” Leaving Observer
   “Vpn” Very Anxious Passive Member
   “Apn” Anxious Passive Member
   “Qpn” Quiet Passive Member
   “Van” Very Anxious Active Member
   “Aan” Anxious Active Member
   “Qan” Quiet Active Member
   “Lan” Leaving Active Member
The initialized state for t
Section V: Security Features

The chapters in Section V explain how to configure an AT-8400 switch with security features. The chapters include:

❑ Chapter 21: Port Security on page 469
❑ Chapter 22: Web Server on page 477
❑ Chapter 23: Encryption on page 484
❑ Chapter 24: Public Key Infrastructure (PKI) on page 501
❑ Chapter 25: Secure Sockets Layer (SSL) on page 523
❑ Chapter 26: Secure Shell (SSH) on page 529
❑ Chapter 27: TACACS+ and RADIUS Protocols on page 540
❑ Chapter 28: 802.
Chapter 21: Port Security

This chapter describes port security and provides the procedures for setting port security with a local or Telnet management session.
Port Security Overview

The port security feature can enhance the security of your network. You can use the feature to control which end nodes can forward frames through the switch.

Note
The port security feature cannot be used on a port that is configured as a supplicant or an authenticator of the port-based network access feature, described in 802.1x Port-based Access Network Control Overview on page 550.
When the Limited security mode is activated on a port, all dynamic MAC addresses learned by the port are deleted from the MAC address table. The port then begins to learn new addresses, up to the maximum allowed. A dynamic MAC address learned on a port operating in the Limited security mode is never timed out from the MAC address table, even when the corresponding end node is inactive.
Security Violations and Intrusion Actions

When you set a port’s security level, you can also set the action a port performs in the event it receives an invalid frame. This is referred to as intrusion (intruder) action. Before defining the intrusion actions, it can help to understand first what constitutes an invalid frame.
Configuring Port Security

To set a switch’s port security level, perform the following procedure:

1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
3. Type 1 to select Configure Port Security. The following prompt is shown:

    Enter port-list:

4. Enter the port(s) you want to configure. Then press Return. For information about how to specify ports, see Specifying Ports on page 34.

The Configure Port Security Menu is shown in Figure 153.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 15-Jan-2004

    Configure Port Security
    Configuring Port Security 3.1-2

    1 - Security Mode ...............
If you selected one of the other security levels, several new menu options are added to the Configure Port Security menu, as shown in Figure 154.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 15-Jan-2004

    Configure Port Security 3.1-2

    1 - Security Mode .....................
    2 - Intrusion Action ..................
    3 - Port Participating ................
    4 - MAC Limit .........................
9. If you selected the Limited security mode for the port, do the following to specify the maximum number of dynamic MAC addresses you want the port to be able to learn:

   a. Type 4 to select MAC Limit. The following prompt appears:

      Enter port security threshold: [1 to 256] -> 100

   b. Enter the maximum number of dynamic MAC addresses you want the port to learn. The range is 1 to 256. The default is 100.
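The following model of the Limited security mode is an added example, not code from the guide or from the AT-S60 software. It shows the operational consequence of entries that are never timed out: a retired end node keeps its slot until the table is cleared. The class and function names are hypothetical, the MAC addresses are constructed, and treating a frame from an unlearned source on a full port as an invalid frame is an assumption.

```python
import re

MAC_LIMIT_RANGE = (1, 256)   # "Enter port security threshold: [1 to 256]"
MAC_LIMIT_DEFAULT = 100      # default shown at that prompt


def normalize_mac(mac):
    """Accept colon, dash or dot notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class LimitedPort:
    """Hypothetical model of one port in the Limited security mode."""

    def __init__(self, limit=MAC_LIMIT_DEFAULT, learned=()):
        low, high = MAC_LIMIT_RANGE
        if not low <= limit <= high:
            raise ValueError(f"MAC limit must be {low} to {high}")
        self.limit = limit
        # Dynamic addresses the port held before the mode was activated.
        self.learned = [normalize_mac(m) for m in learned]
        self.invalid_frames = 0

    def activate(self):
        # Guide: activating the mode deletes every dynamic address the port
        # has learned; learning then restarts from an empty table.
        self.learned = []
        self.invalid_frames = 0

    def receive(self, src_mac):
        mac = normalize_mac(src_mac)
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.limit:
            # Guide: entries learned in this mode are never timed out, so
            # this class has no ageing step at all.
            self.learned.append(mac)
            return "learn"
        # Assumption: this is the "invalid frame" case on which the
        # configured intrusion action would be taken.
        self.invalid_frames += 1
        return "invalid"


def replay(port, frames):
    """Feed source addresses to the port in order; return each outcome."""
    return [port.receive(src) for src in frames]


# Constructed addresses from the documentation range 00:00:5E:00:53:xx.
OLD_PC = "00:00:5e:00:53:01"
PRINTER = "00-00-5E-00-53-02"
NEW_PC = "0000.5e00.5303"


def demo():
    port = LimitedPort(limit=2, learned=[NEW_PC])
    port.activate()                       # the earlier NEW_PC entry is wiped
    first = replay(port, [OLD_PC, PRINTER, OLD_PC])
    # OLD_PC is now retired and silent, but its slot is never released.
    swapped = replay(port, [NEW_PC, PRINTER, NEW_PC])
    invalid = port.invalid_frames
    port.activate()                       # activating again empties the table
    after = replay(port, [NEW_PC, PRINTER])
    return first, swapped, invalid, after


if __name__ == "__main__":
    for step in demo():
        print(step)
```

When sizing the MAC Limit, count every address the port will ever see between activations, not only the nodes active at one time.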
Chapter 22: Web Server

The chapter provides an overview of the web server feature. In addition, it describes how to configure the switch as a secure web server as well as how to create self-signed and Certificate Authority (CA) certificates.
Web Server Overview

By default, the switch is configured as a non-secure web server. The web server feature allows you to configure the switch as a web server with advanced SSL security. In addition, you can use the web server feature to create self-signed and CA certificates. You create self-signed certificates for use within an organization. CA certificates are used between organizations, often over the Internet.
Configuring the Web Server for Security Features

This procedure allows you to enable, disable, and configure the web server feature using a local or Telnet management session. In addition, you can enable the SSL protocol on the web server using this procedure. The default configuration for the switch is as a non-secure web server.

Note
Before you can configure the web server, you must disable it.
5. Type 1 to select Status to enable or disable the web server. To configure the web server, you need to first disable it. Toggle between the following values:
   Enabled - enables the web server. This is the default setting.
   Disabled - disables the web server.
6. Type 2 to select Mode to determine the mode of the web server.
Configuring SSL Certificates

The high-level configuration procedures included in this section describe:

❑ Configuring Self-Signed Certificates on page 481
❑ Configuring CA Certificates on page 482

You configure self-signed certificates to create certificates that are used within your organization, often within your own network. You configure Certificate Authority (CA) certificates for use over the Internet.
Warning
Using this command creates a certificate that is only suitable for secure switch management via the GUI. A pop-up message appears in the browser window warning that the certificate is not issued by a trusted authority. For details, see Chapter 22: Web Server on page 477.

6. Load self-signed switch certificate to the certificate database. To load the signed switch certificate onto the switch, see Adding Certificates to the Database on page 513.
6. Use TFTP to upload an enrollment request. See Downloading Files on page 172.
7. Email enrollment request file to a Certificate Authority such as VeriSign.
8. Certificate Authority issues a CA certificate for your switch.
9. Add certificate to the certificate database on the switch. See Adding Certificates to the Database on page 513.
10. Repeat steps 7 through 9 as needed, depending on the certificate chain for your switch.
Chapter 23: Encryption

This chapter contains a description of encryption and procedures for creating keys for encryption on a local or Telnet management session on an AT-8400 Series switch. It contains the following sections:

❑ Encryption Overview on page 485
❑ Data Encryption on page 486
❑ Data Authentication on page 489
❑ Key Exchange Algorithms on page 490
❑ Configuring Keys for Encryption on page 491

Note
The Encryption feature appears in the AT-S60 version 2.1.0 software only.
Encryption Overview

This chapter describes the data security services available on the switch, how the services are provided, the switch network functions which use these services, and how to monitor the services. The encryption, or ENCO, feature provides encryption to other switch software modules (referred to as user modules).
Data Encryption

Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext). The ciphertext produced by encryption is a function of the algorithm used and the key.
by a 64-bit Initialization Vector (IV). This is the DES mode used for the switch’s data encryption process.

❑ Cipher FeedBack (CFB) is an additive-stream-cipher method which uses DES to generate a pseudo-random binary stream that is combined with the plaintext to produce the ciphertext. The ciphertext is then fed back to form a portion of the next DES input block.
❑ Output FeedBack (OFB) combines the first IV with the plaintext to form ciphertext.
digital signature. The signature station publishes its public key, and then signs its messages by encrypting them with its private key. To verify the source of a message, the receiver decrypts the messages with the published public key. If the message that results is valid, then the signing station is authenticated as the source of the message. The most common asymmetrical encryption algorithm is RSA.
Data Authentication

Data authentication for switches is driven by the need for organizations to verify that sensitive data has not been altered. Data authentication operates by calculating a Message Authentication Code (MAC), commonly referred to as a hash, of the original data and appending it to the message. The MAC produced is a function of the algorithm used and the key.
Key Exchange Algorithms

Key exchange algorithms are used by switches to securely generate and exchange encryption and authentication keys with other switches. Without key exchange algorithms, encryption and authentication session keys must be manually changed by the system administrator. Often, it is not practical to change the session keys manually. Key exchange algorithms enable switches to re-generate session keys automatically and on a frequent basis.
Configuring Keys for Encryption

Use the following procedures to configure, modify, export, and import keys for encryption.

❑ Configuring a Distinguished Name and Keys on page 491
❑ Modifying and Deleting Keys on page 495
❑ Exporting Keys on page 497
❑ Importing Keys on page 498

For a comprehensive procedure that describes all the procedures necessary for configuring keys for encryption, see Configuring SSL Certificates on page 481.
The Keys/Certificate Configuration Menu is shown in Figure 156.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Keys/Certificate Configuration

    1 - Distinguished Name ...............
    2 - Key Management
    3 - Public Key Infrastructure (PKI) Configuration

    R - Return to Previous Menu

    Enter your selection?

Figure 156 Keys/Certificate Configuration Menu

3.
The Key Management Menu is shown in Figure 157.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
The Create Key Menu is shown in Figure 158.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Create Key

    1 - Key ID .............
    2 - Key Type ...........
    3 - Key Length .........
    4 - Key Description ....
    5 -
10. Type 4 to create a key description. The following prompt is displayed:

    Enter new Description ->

11. Enter a description of the web server the key is used to protect, such as webserver46. You can enter up to 127 alphanumeric values including spaces. Control characters are not permitted.
12. Type 5 to generate a key. To save the data you configured in the above steps, you must generate a key. The following message is displayed:

    Key generation will take some time.
7. To delete a key, select 2 - Delete Key from the Key Management menu. The following message is displayed:

    Enter Key Id to delete -> [0 to 65535] -> 0

8. Enter the Key Id that you want to delete. The following message appears:

    Key deletion will take some time. Please wait...
Exporting Keys

The following procedure allows you to export a key to a file. When you export RSA-Private keys, only the public key is output to a file. Use the following procedure to export RSA-Public keys:

Note
You cannot export RSA-Private keys.

1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473.
2. From the Security menu, select the Keys/Certificate Configuration menu.
Note
Key Type is a read-only field. You cannot change this value.

7. To specify the format of the key, type 3 to select Key File Format.
8. Choose one of the following options by pressing 3 repeatedly:
   HEX - Indicates an internal format for storing files. Select this value for SSL configuration. This is the default.
   SSH - Indicates a format for a Secure Shell (SSH) environment. Select this value for an SSH server or client.
   SSH2 - Indicates a format for a Secure Shell 2 environment.
The Import Key From File Menu is shown in Figure 160.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Import Key From File Menu

    1 - Key ID ............ 0
    2 - Key Type .......... RSA-Public
    3 - Key File Format ... HEX
    4 - Key File Name .....
    5 - Export Key To File

    R - Return to Previous Menu

    Enter your selection?

Figure 160 Import Key From File Menu

4.
10. Type 5 to select Import Key From File to import a key to the switch from an external file. The following message is displayed:

    Key Import in Progress. Please wait...Done

After you receive this message, the key is added to the Key Management database. See the Key Management Menu in Figure 157 on page 493.
Chapter 24: Public Key Infrastructure (PKI)

This chapter describes the Public Key Infrastructure (PKI) feature and provides procedures for configuring certificates for web server security. This chapter contains the following sections:

❑ Public Key Infrastructure Overview on page 502
❑ PKI Implementation on page 507
❑ Configuring Certificates on page 508
❑ Generating Enrollment Requests on page 521

Note
The PKI feature appears in the AT-S60 version 2.1.0 software only.
Public Key Infrastructure Overview

This chapter describes the Public Key Infrastructure (PKI) feature, Allied Telesyn’s implementation of the feature, and how to configure PKI for web server security. The PKI feature is part of the switch’s suite of security modules, and consists of a set of tools for managing and using certificates.
Message Encryption

One of the two main services provided by public key encryption is the exchange of encrypted messages. For example, user 1 can send a secure message to user 2 by encrypting it with user 2’s public key. Only user 2 can decrypt it, because only user 2 has access to the corresponding private key.

Digital Signatures

The second main service provided by public key encryption is digital signing.
An X.509 v3 certificate consists of:

❑ A serial number, which distinguishes the certificate from all others issued by that issuer. This serial number is used to identify the certificate in a Certificate Revocation List, if necessary.
❑ The owner’s identity details, such as name, company and address.
❑ The owner’s public key, and information about the algorithm with which it was produced.
❑ The identity details of the organization which issued the certificate.
Certification Authorities

A Certification Authority is an entity which issues, updates, revokes and otherwise manages public keys and their certificates. A CA receives requests for certification, validates the requester’s identity according to the CA’s requirements, and issues the certificate, signed with one of the CA’s keys.
Root CA Certificates

A root CA must sign its own certificate. The root CA is the most critical link in the certification chain, because the validity of all certificates issued by any CA in the hierarchy depends on the root CA’s validity. Therefore, every device which uses the root CA’s certificate must verify it out of band.
PKI Implementation

The following sections discuss Allied Telesyn’s implementation of PKI for the AT-8400 Series Switch.
Configuring Certificates

Use the procedures in this section to create a certificate, add it to a certificate database, delete a certificate, modify a certificate or view a certificate. The following procedures are provided:

❑ Creating Certificates on page 508
❑ Adding Certificates to the Database on page 513
❑ Deleting and Modifying Certificates on page 515
❑ Viewing Certificates on page 518

There are two ways of obtaining certificates.
The Public Key Infrastructure (PKI) Certification Menu is shown in Figure 161.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Public Key Infrastructure (PKI) Configuration

    1 - Maximum Number of Certificates....... 256
    2 - X509 Certificate Management
    3 - Generate Enrollment Request

    R - Return to Previous Menu

    Enter your selection?

Figure 161 Public Key Infrastructure (PKI) Configuration Menu

4.
The X509 Certificate Management Menu is shown in Figure 162.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.
The Create Self-Signed Certificate Menu is shown in Figure 163.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Create Self-Signed Certificate

    1 - Certificate Name.............
    2 - Key Pair ID.................. 0
    3 - Format....................... DER
    4 - Serial Number................ 0
    5 - Subject DN...................
    6 -
10. Type 3 - Format to select the type of encoding format the certificate is to use. You can toggle between the following values:
   DER - Indicates the certificate contents are in a binary format. This is the default.
   PEM - Indicates the certificate is in the Privacy Enhanced Mail (PEM) format, which is an ASCII format.
11. Type 4 - Serial Number to assign a certificate a serial number.
Country names are generally given in the form of the two-letter ISO 3166 code for the country, for example, us, de, or nz. An example of a distinguished name for Janet Bloggs who works in Operations at Arctic Company in Fairbanks, Alaska is:

    cn=Janet Bloggs, ou=Operations, o=Arctic Company, l=Fairbanks, s=Alaska, c=us

14. Type 6 to create the certificate you have defined in the previous steps.
The X509 Certificate Management Menu is shown in Figure 162 on page 510.

5. From the X509 Certificate Management menu, type 2 to select Add Certificate.

The Add Certificate Menu is shown in Figure 164.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Add Certificate Menu

    1 - Certificate Name .............
    2 - State ........................ Trusted
    3 - Type ......................... EE
    4 - File Name ...........
    5 -
The filename is the Certificate Name with the *.cer extension. For example, if you assign the Certificate Name as webserver127, the filename of the certificate is webserver127.cer.

Note
To display the filenames of the certificates, see Displaying System Configuration Files on page 159.

10. Type 5 - Add Certificate to add the certificate to the certificate database. A wait message is displayed.
The following message is displayed:

    Enter a certificate name ->

8. Enter the name of the certificate you want to modify. Then press Return.

The Modify Certificate Menu is shown in Figure 165.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Modify Certificate Menu

    1 - Certificate Name................. testcertificate
    2 - State ........................... Trusted
    3 - Type ............................
    4 -
11. Type 4 - Modify Certificate to update your changes in the certificate database. The following message is displayed:

    Please wait while certificate is updated...Done.

12. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
Viewing Certificates

To view the details of a certificate, perform the following procedure:

1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473.
2. From the Security menu, select the Keys/Certificate Configuration menu. The Keys/Certificate Configuration Menu is shown in Figure 156 on page 492.
3. From the Keys/Certificate menu, select 3 - Public Key Infrastructure (PKI) Configuration.
The View Certificate Details Menu (page 1) is shown in Figure 166.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 15-Jan-2004

    View Certificate Details

    Certificate Details:
    Name ...............
    State ..............
    Manually Trusted ...
    Type ...............
    Source .............
    Version ............
    Serial Number ......
    Signature Alg ......
    Public Key Alg .....
    Not Valid Before ...
    Not Valid After ....
7. The following fields are displayed:
   Name - Lists the name of the certificate.
   State - Indicates the certificate is Trusted or Untrusted.
   Manually Trusted - Indicates you verified the certificate is from a trusted or untrusted authority.
   Type - Indicates the type of the certificate. The options are EE, SELF, and CA.
   Source - Indicates the certificate was created on the switch.
   Version - Indicates the version number of the software.
Generating Enrollment Requests

To request a certificate from a Certificate Authority, you need to generate an enrollment request. By generating an enrollment request, you create a file with a .csr extension. After you have generated an enrollment request file, upload the file to a CA. For a complete list of all the steps to configure the switch to obtain a CA certificate, see Configuring CA Certificates on page 482.
5. Type 1 - Request Name. The following message is displayed:

    Enter Enrollment Request Name ->

6. Enter up to 127 alphanumeric characters for an enrollment request name. The name you enter is used to create the filename of the enrollment request. The full filename consists of the enrollment request name followed by .csr extension. For example, if you enter certificate75 as the enrollment request name, the filename is certificate75.csr.
7. Type 2 - KeyPair ID.
Chapter 25: Secure Sockets Layer (SSL)

The chapter contains information about Secure Sockets Layer (SSL) as well as a procedure for configuring this protocol on a switch using a local or Telnet management session. It contains the following sections:

❑ Secure Sockets Layer Overview on page 524
❑ Configuring SSL on page 528

Note
The SSL feature appears in the AT-S60 version 2.1.0 software only.
Secure Sockets Layer Overview

This chapter describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. You can configure the SSL feature using a local or Telnet management session. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP). Most web browsers and servers support SSL.
SSL Encryption

SSL uses encryption to ensure the security of data transmission. Encryption is a process that uses an algorithm to encode data so it can only be accessed by a trusted device. An encrypted message remains confidential. All application data messages are authenticated by SSL with a message authentication code (MAC). The MAC is a checksum that is created by the sender and is sent as part of the encrypted message.
The Change Cipher Spec message informs the receiving party that all subsequent messages are encrypted using previously negotiated security options. The parties use the strongest cryptographic systems that they both support.

The Alert message is used if the client or server detects an error. Alert messages also inform the other end that the session is about to close. In addition, the Alert message contains a severity rating and a description of the alert.
SSL and Enhanced Stacking

Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. A web server can operate in one of two modes: HTTP or HTTPS. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in HTTPS, management packets are sent encrypted.
Configuring SSL

This section describes how to configure SSL. This procedure is part of a comprehensive procedure to create certificates on the switch. See Configuring SSL Certificates on page 481 for a list of all the procedures you must complete to create certificates on the switch.

To configure the SSL protocol, perform the following procedure:

1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473.
2.
Chapter 26: Secure Shell (SSH)

The chapter contains overview information about the Secure Shell (SSH) protocol as well as a procedure for configuring this protocol on a switch using a local or Telnet management session. It contains the following sections:

❑ SSH Overview on page 530
❑ SSH Overall Configuration on page 534
❑ Configuring SSH on page 535
❑ Displaying SSH Information on page 538

Note
The SSH feature appears in the AT-S60 version 2.1.0 software only.
SSH Overview

This chapter describes the Secure Shell (SSH) protocol, including:

❑ Support for Secure Shell on the switch
❑ How to configure the switch to act as an SSH server
❑ How to use Secure Shell to manage the switch.

To implement SSH on your switch, you need to configure the switch as an SSH server, install an SSH client on a management PC, and log in to the client.
❑ RSA public keys with lengths of 512 to 1536 bits are supported. Keys are stored in a format compatible with other Secure Shell implementations, and mechanisms are provided to copy keys to and from the switch.
❑ Compression of SSH traffic.

Note
DES is not supported by SSH 2.0.
SSH Clients

The SSH protocol provides a secure connection between the switch and SSH clients. Once you have configured the SSH server, you need to install SSH client software on your management PC. The AT-S60 software supports both SSH1 and SSH2 clients. You can download client software from the Internet. Two popular SSH clients are PuTTY and CYGWIN. To install SSH client software, follow the directions from the vendor.
This is shown in Figure 170. The figure shows an SSH management workstation that is managing a slave switch of an enhanced stack. The packets exchanged between the slave switch and the master switch are transmitted in plain text and those exchanged between the master switch and the SSH management workstation are encrypted.
SSH Overall Configuration

Configuring the SSH server requires you to perform several procedures. The information in this section lists the procedures you need to complete to configure the SSH feature, including the server and client configuration. Since SSH is a complex feature, you need to perform all the steps in the following procedure.

To configure the switch as an SSH server and configure SSH clients, perform the following procedure:

1.
Configuring SSH

This section describes how to configure the switch as an SSH server. For a description of all the steps required to configure an SSH server, see SSH Overall Configuration on page 534.

Before you begin this procedure, you need to configure a host and server keys for SSH. See Configuring Keys for Encryption on page 491. The minimum bit size of the server key is 512 bits. The recommended bit size for a server key is 768 bits.
The Secure Shell (SSH) Menu is shown in Figure 171.

    Allied Telesyn AT-8400 Series - ATS60 V2.1.0
    Engineering Switch 142
    User: Manager  00:14:33 30-Apr-2004

    Secure Shell (SSH)

    1 - SSH Server Status .......
    2 - Host Key ID..............
    3 - Server Key ID ...........
    4 - Server Key Expiry Time ..
    5 - Login Timeout ...........
This timer determines how often the server key is regenerated. Naturally, a server key is regenerated for security purposes. A server key is only valid for the time period configured in the Server Key Expiry (Expiration) Time timer. Allied Telesyn International recommends you set this field to 1. With this setting, a new key is generated every hour. The default is 0 hours which means the server key never expires. The range is 0 to 5 hours.

8.
Displaying SSH Information

To display SSH server information, perform the following procedure:

1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473.
2. From the Security menu, select the Secure Shell (SSH) menu. The Secure Shell (SSH) Menu is shown in Figure 171 on page 536.
3. From the Secure Shell (SSH) menu, type 6 to select Show Server information to display the SSH Server data.
AT-S60 Management Software User’s Guide ❑ Server Port: Indicates the well-known port for SSH. The default is port 22. ❑ Host Key ID: Indicates the host key ID defined for SSH. ❑ Host Key Bits: Indicates the number of bits in the host key. ❑ Server Key ID: Indicates the server key ID defined for SSH. ❑ Server Key Bits: Indicates the number of bits in the server key. ❑ Server Key Expiry: Indicates the length of time, in hours, until the server key is regenerated.
Chapter 27 TACACS+ and RADIUS Protocols This chapter explains how you can use the two authentication protocols TACACS+ and RADIUS to control who can log onto a switch to manage it.
AT-S60 Management Software User’s Guide TACACS+ and RADIUS Overview The AT-S60 software has two standard management login accounts: Manager and Operator. The Manager account lets you change a switch’s parameter settings while the Operator account only lets you view the settings. Each account has its own password. The Manager account has a default password of “friend” and the Operator account has a default password “operator.
Chapter 27: TACACS+ and RADIUS Protocols Authorization defines what a user can do once logged in to a switch. You assign an authorization level to each user name and password combination that you create on the server software. The access level is either Manager or Operator. The final function of the TACACS+ protocol is accounting, which is used to keep track of user activity on network devices. The AT-8400 Series switch does not support this function.
AT-S60 Management Software User’s Guide Note This manual does not explain how to configure TACACS+ or RADIUS server software. For server configuration, refer to the documentation that came with the software. By default, authentication protocol is disabled on an AT-8400 Series switch. Once you activate it, you need to provide the following information: ❑ Which authentication protocol you want to use. Only one authentication protocol can be active on a switch at a time.
Chapter 27: TACACS+ and RADIUS Protocols Enabling TACACS+ or RADIUS To enable or disable the server-based authentication feature on the switch and to configure the TACACS+ and RADIUS settings, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473. 2. From the Security Menu, select Server Based Authentication. The Authentication Menu is shown in Figure 173. Allied Telesyn AT-8400 Series - ATS60 V2.1.
AT-S60 Management Software User’s Guide Configuring TACACS+ To configure TACACS+, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473. 2. From the Security Menu, select Server Based Authentication. The Authentication Menu is shown in Figure 173 on page 544. 3. Type 3 to select TACACS+ Configuration. The TACACS+ Client Configuration Menu is shown in Figure 174. Allied Telesyn AT-8400 Series - ATS60 V2.1.
However, if you are specifying only one TACACS+ server or if the servers have different encryption secrets, then respond with Yes to this prompt. The following prompt is displayed:

Enter per-server secret [max 40 characters] ->

Use this prompt to enter the encryption secret for the TACACS+ server whose IP address you are specifying.
AT-S60 Management Software User’s Guide Configuring RADIUS To configure RADIUS, perform the following procedure: 1. From the Main Menu, type 6 to select Security Menu. The Security Menu is shown in Figure 151 on page 473. 2. From the Security Menu, select Server Based Authentication. The Authentication Menu is shown in Figure 173 on page 544. 3. Type 4 to select RADIUS Configuration. The RADIUS Client Configuration Menu is shown in Figure 175. Allied Telesyn AT-8400 Series - ATS60 V2.1.
Chapter 27: TACACS+ and RADIUS Protocols the server cannot respond. If the timeout expires and the server hasn’t responded, the switch queries the next RADIUS server in the list. If there aren’t any more servers in the list, then the switch defaults to the standard Manager and Operator accounts. The default is 30 seconds. The range is 1 to 60 seconds.
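The server list, timeout and fallback described above can be modelled as follows. This is an added example, not AT-S60 code: the server responders, user names and the rule that any reply (accept or reject) ends the search are assumptions, while the timeout range and the factory-default passwords are the ones stated in this guide.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

ACCEPT, REJECT = "accept", "reject"

# A responder stands in for one RADIUS server. It returns ACCEPT or REJECT,
# or None when no reply arrives before the timeout expires.
Responder = Callable[[str, str], Optional[str]]

# Factory-default passwords this guide gives for the two local accounts.
FACTORY_DEFAULTS = {"Manager": "friend", "Operator": "operator"}


@dataclass
class LoginResult:
    granted: bool
    decided_by: str       # "server N" or "local accounts"
    waited_seconds: int   # time spent waiting on servers that never replied


def _same(stored: Optional[str], offered: str) -> bool:
    """Constant-time password comparison; an unknown account never matches."""
    return stored is not None and hmac.compare_digest(stored.encode(), offered.encode())


def make_server(users: Dict[str, str]) -> Responder:
    """Hypothetical reachable server holding a constructed user table."""
    def respond(username: str, password: str) -> Optional[str]:
        return ACCEPT if _same(users.get(username), password) else REJECT
    return respond


def unreachable(username: str, password: str) -> Optional[str]:
    """Hypothetical server that never answers."""
    return None


def login(username: str, password: str, servers: Sequence[Responder],
          timeout_s: int, local_accounts: Dict[str, str]) -> LoginResult:
    """Walk the server list in order, then fall back to the local accounts."""
    if not 1 <= timeout_s <= 60:
        raise ValueError("timeout must be 1 to 60 seconds")
    waited = 0
    for index, server in enumerate(servers, start=1):
        reply = server(username, password)
        if reply is None:
            waited += timeout_s   # timeout expired, query the next server
            continue
        # Assumption: any reply, accept or reject, is final.
        return LoginResult(reply == ACCEPT, f"server {index}", waited)
    # No server answered: the standard Manager and Operator accounts decide.
    return LoginResult(_same(local_accounts.get(username), password),
                       "local accounts", waited)


def accounts_on_factory_default(local_accounts: Dict[str, str]) -> List[str]:
    """Local accounts whose password is still the factory default."""
    return sorted(name for name, pw in local_accounts.items()
                  if FACTORY_DEFAULTS.get(name) == pw)


if __name__ == "__main__":
    servers = [unreachable, unreachable]
    print(login("Manager", "friend", servers, 30, dict(FACTORY_DEFAULTS)))
    print(accounts_on_factory_default(dict(FACTORY_DEFAULTS)))
```

With every server unreachable, the worst-case wait is the number of servers multiplied by the timeout, and the decision falls to the local accounts, so their passwords still matter after server-based authentication is enabled.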
Chapter 28 802.1x Port-based Network Access Control This chapter explains 802.1x Port-based Network Access Control and how you can use this feature to restrict access to the network ports on the switch. The following sections are provided: ❑ 802.
Chapter 28: 802.1x Port-based Access Control

802.1x Port-based Access Network Control Overview

The AT-S60 management software has several different methods for protecting your network and its resources from unauthorized access. This chapter explains yet another method of securing your network using the port-based access control (IEEE 802.1x) feature. This feature uses the RADIUS protocol to control who can send traffic through and receive traffic from a port.
AT-S60 Management Software User’s Guide ❑ Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the user names and password from the supplicants. The AT-8400 switch does not authenticate the username and passwords from the clients. Instead, the switch acts as an intermediary between a supplicant and the authentication server during the authentication process. Note Ports under 802.
Chapter 28: 802.1x Port-based Access Control 7. When the supplicant sends an EAPOL-Logoff message, the switch removes the supplicant’s MAC address from the MAC address table, preventing the supplicant from sending or receiving any further traffic from the port. Port Roles In order to implement this feature, you need to specify the roles of the ports on the switch.
Figure (switch front panel): Port 1.8 in Authenticator Role; Port 7.8 in None Role; Supplicant with 802.
Chapter 28: 802.1x Port-based Access Control The supplicant role is shown in Figure 178 on page 554. Port 3.2 on Switch B has been set to the supplicant role. Now, whenever Switch B is power cycled or reset and initiates a link with Switch A it will have to log on by providing a username and password. (You enter this information when you configure the port for the supplicant role.
Authentication Server

The authentication server verifies the supplicant’s details passed to it by the authenticator. This implementation of 802.1x control requires a port acting as an authenticator to communicate with a RADIUS authentication server. The RADIUS server must be capable of receiving and deciphering EAP in RADIUS packets. See Figure 179. The supported encryption mechanism for communication with the RADIUS server is EAP-MD5.
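The EAP-MD5 exchange that the switch relays between a supplicant and the RADIUS server, as an added example (not code from Allied Telesyn or the AT-S60 software). It encodes the MD5-Challenge request and response of RFC 3748 and leaves out the EAPOL and RADIUS encapsulation; the user name, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge method type (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def build_md5_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode an EAP MD5-Challenge Request or Response.

    Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name
    """
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_md5_packet(packet: bytes) -> dict:
    """Decode an EAP MD5-Challenge packet, rejecting malformed lengths."""
    if len(packet) < 6:
        raise ValueError("packet too short for an EAP MD5-Challenge")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return {
        "code": code,
        "identifier": identifier,
        "value": packet[6:6 + value_size],
        "name": packet[6 + value_size:],
    }


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style digest (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_issue_challenge(identifier: int) -> bytes:
    """Authentication server side: a fresh random 16-byte challenge."""
    return build_md5_packet(EAP_REQUEST, identifier, os.urandom(16))


def supplicant_answer(request: bytes, username: bytes, password: bytes) -> bytes:
    """Supplicant side: answer the challenge without sending the password."""
    req = parse_md5_packet(request)
    if req["code"] != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = md5_response(req["identifier"], password, req["value"])
    return build_md5_packet(EAP_RESPONSE, req["identifier"], digest, username)


def server_verify(request: bytes, response: bytes, user_db: dict) -> int:
    """Authentication server side: return EAP_SUCCESS or EAP_FAILURE."""
    req, resp = parse_md5_packet(request), parse_md5_packet(response)
    if resp["code"] != EAP_RESPONSE or resp["identifier"] != req["identifier"]:
        return EAP_FAILURE
    password = user_db.get(resp["name"])
    if password is None:
        return EAP_FAILURE
    expected = md5_response(req["identifier"], password, req["value"])
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return EAP_SUCCESS if hmac.compare_digest(expected, resp["value"]) else EAP_FAILURE


# Constructed sample account, for illustration only.
SAMPLE_USERS = {b"switch-b-port-3.2": b"constructed-sample-password"}

if __name__ == "__main__":
    challenge = server_issue_challenge(identifier=7)
    answer = supplicant_answer(challenge, b"switch-b-port-3.2",
                               b"constructed-sample-password")
    print("result code:", server_verify(challenge, answer, SAMPLE_USERS))
```

Only the supplicant proves knowledge of the password in this method; the server is not authenticated to the supplicant, and the digest is bound to one challenge, so a response recorded for one challenge fails against a fresh one.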
Chapter 28: 802.1x Port-based Access Control RADIUS Accounting The AT-S60 management software supports RADIUS accounting for ports set to the Authenticator role. This feature allows the switch to send information to the RADIUS server about the status of its supplicants. You can view this information on the RADIUS server to monitor network activity and use.
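What an accounting record looks like on the wire, as an added example that is not part of the AT-S60 software: it builds an RFC 2866 Accounting-Request, computes its Request Authenticator from the shared secret, and checks it the way a RADIUS server would before trusting the counters. The attribute selection, session values and secret are assumptions; this guide does not list the exact attributes the switch sends.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4            # RADIUS Code, sent to the accounting UDP port
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
ATTR_ACCT_INPUT_PACKETS = 47
ATTR_ACCT_OUTPUT_PACKETS = 48
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3

# Attributes carried as 32-bit unsigned integers.
INTEGER_ATTRS = {ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_TIME,
                 ATTR_ACCT_INPUT_PACKETS, ATTR_ACCT_OUTPUT_PACKETS}


def _encode_attr(attr_type: int, value) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def _authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(identifier: int, secret: bytes, attributes) -> bytes:
    """Client (switch) side: encode and sign one accounting record."""
    attrs = b"".join(_encode_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Server side: check the authenticator, then decode the attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("Length field is inconsistent with the datagram")
    packet = packet[:length]      # octets past Length are padding
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(received, _authenticator(header, attrs, secret)):
        raise ValueError("Request Authenticator mismatch")
    record, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 3 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 octets")
            value = struct.unpack("!I", value)[0]
        record[attr_type] = value
        pos += attr_len
    return record


# Constructed sample: the Stop record for one supplicant session.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_STOP = [
    (ATTR_USER_NAME, b"supplicant1"),
    (ATTR_ACCT_STATUS_TYPE, STATUS_STOP),
    (ATTR_ACCT_SESSION_ID, b"port1.8-0001"),
    (ATTR_ACCT_SESSION_TIME, 3600),
    (ATTR_ACCT_INPUT_PACKETS, 1200),
    (ATTR_ACCT_OUTPUT_PACKETS, 3400),
]

if __name__ == "__main__":
    pkt = build_accounting_request(1, SAMPLE_SECRET, SAMPLE_STOP)
    print(verify_accounting_request(pkt, SAMPLE_SECRET))
```

The authenticator protects the record's integrity only; the attributes themselves travel unencrypted.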
AT-S60 Management Software User’s Guide Enabling and Disabling Port-based Access Control To globally enable or disable port-based access control, perform the following procedure. Note Enabling or disabling port-based access control can only be performed in a local management session. Note Before activating this feature, you must have the RADIUS EAP specified and enabled as the authentication method. This is discussed in Enabling TACACS+ or RADIUS on page 544. 1.
4. Type E to enable port-based access control, or D to disable port-based access control. If you select E, the following message appears:

This change has an impact on port security limited mode and MAC address table!

5. Press any key to continue.

6. After making changes, type R until you return to the Main Menu. Then type S to select Save Configuration Changes.
AT-S60 Management Software User’s Guide Setting the Port Access Role Use this procedure to configure a port with an access role of authenticator or supplicant. For information about authenticators and supplicants, see the 802.1x Port-based Access Network Control Overview on page 550. The number of ports you assign as authenticators and supplicants is only limited by the number of ports on a card. In addition, you can assign both authenticators and supplicants to one line card.
The Port Access Control Menu is shown in Figure 181.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 25-Jan-2004

Configure Port Access Role
Configuring Port 3.1

1 - Port Role ........... None

R - Return to Previous Menu

Enter your selection?

Figure 181 Configure Port Access Role Menu

5. Type 1 to select Port Role. The following prompt is displayed:

Enter new Port Role [N-None, A-Authenticator, S-Supplicant] ->

6.
AT-S60 Management Software User’s Guide Configuring Authenticator Parameters After you have enabled port-based access control and configured a port as an authenticator, use this procedure to configure the authenticator parameters. The procedure in Setting the Port Access Role on page 559 describes how to configure a port as an authenticator. For information about the role of an authenticator, see the 802.1x Port-based Access Network Control Overview on page 550.
3. From the Port Access Control menu, type 4 to select Configure Authenticator. The Configure Authenticator Menu is shown in Figure 182.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 25-Jan-2004

Configure Authenticator

1 - Configure Authenticator Port Access Parameters
2 - Display Authenticator Port Access Parameters

R - Return to Previous Menu

Enter your selection?

Figure 182 Configure Authenticator Menu

4.
The Configure Authenticator Port Access Parameters Menu is shown in Figure 183.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:37 25-Jan-2004

Configure Authenticator Port Access Parameters
Configuring Port 1.3

1 - Port Control
2 - Quiet Period
3 - Tx Period
4 - Reauth Period
5 - Supplicant Timeout
6 - Server Timeout
7 - Max Requests
❑ Force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

2 - Quiet Period
Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The default value is 60 seconds. The range is 0 to 65,535 seconds.
Configuring Supplicant Parameters

After you have enabled port-based access control and configured a port as a supplicant, use the procedure in this section to configure the supplicant parameters. The procedure in Setting the Port Access Role on page 559 describes how to configure a port as a supplicant. For information about the role of a supplicant, see the 802.1x Port-based Access Network Control Overview on page 550.
The Configure Supplicant Menu is shown in Figure 184.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 25-Jan-2004

Configure Supplicant

1 - Configure Supplicant Port Access Parameters
2 - Display Supplicant Port Access Parameters

R - Return to Previous Menu

Enter your selection?

Figure 184 Configure Supplicant Menu

4. Type 1 to select Configure Supplicant Port Access Parameters to configure supplicant parameters.
6. Select the parameter that you want to modify. They are described below:

1 - Auth Period: This is the initialization time used by the authentication timer. The value is in seconds. The default is 30 seconds. The range is 1 to 300 seconds.

2 - Held Period: This is the initialization value for the supplicant held timer. The value is in seconds. The default is 60 seconds. The range is 0 to 65,535 seconds.
Chapter 28: 802.1x Port-based Access Control Configuring RADIUS Accounting The AT-S60 management software supports RADIUS accounting for ports operating in the Authenticator role. The accounting information sent by the switch to a RADIUS server includes the date and time when clients log on and log off, as well as the number of packets sent and received by a port during a client session. For background information on this feature, refer to RADIUS Accounting on page 556.
5. Select a status for the RADIUS Accounting feature. Choose from the following options:

E - Enables RADIUS accounting on the switch.
D - Disables RADIUS accounting on the switch. The default is Disable.

6. To specify the UDP port for RADIUS accounting, type 2 to select Radius Accounting Port. The following prompt is displayed:

Enter new value: [1 to 65535] -> 1813

7. Enter a new value for the UDP port for RADIUS accounting. The default is port 1813.
Choose from the following selections:

E - Select E to enable the switch to send interim accounting updates to the RADIUS server. If you enable this feature, use the next option in the menu, RADIUS Accounting Update Interval, to specify the intervals at which the switch is to send the accounting updates.

D - Select D to disable the interim accounting updates from being sent to the RADIUS server. The default is disabled.

12.
AT-S60 Management Software User’s Guide Displaying Port-based Access Control Status There are three ways to display port-based access control status. You can display: ❑ Port roles assigned to all ports ❑ All Authenticator ports and their associated parameters ❑ All Supplicant ports and their associated parameters Each type of display provides different parameters. The advantage of displaying the individual authenticator and supplicant port information is that more information is given.
The Display Port Access Status menu is shown in Figure 187.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 22-Mar-2004

Display Port Access Status

Port PortRole State Additional Info
---------------------------------------------------------------
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.
When you configure a port with a Supplicant role, the Status field can have the following values:

❑ Acquired
❑ Authenticated
❑ Authenticating
❑ Connecting
❑ Disconnected
❑ Held
❑ Logoff

Note
Consult IEEE Std 802.1X-2001 for Port-Based Network Access Control for detailed information regarding the above mentioned values in the Status field.
The Display Authenticator Port Access Parameters Menu is shown in Figure 188.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 25-Jan-2004

Display Authenticator Port Access Parameters

Port PortCtrl QuietP TxP ReAuthP SuppTO SvrTO MaxReq
---------------------------------------------------------------
4.1 Auto 650
8.8 Auto 650
9.
The Display Supplicant Port Access Parameters Menu is shown in Figure 189.

Allied Telesyn AT-8400 Series - ATS60 V2.1.0
Production Switch 142
User: Manager 00:14:33 22-Mar-2004

Display Supplicant Port Access Parameters

Port | Auth Period | Held Period | Max Start | Start Period | Supplicant Name | Supplicant Password
------------------------------------------------------------------
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.
Section VI Web Browser Management The chapters in Section IV explain how to manage an AT-8400 switch using a web browser.
AT-S80 User’s Guide ❑ Chapter 45: TACACS+ and RADIUS Protocols on page 796 ❑ Chapter 46: 802.
Chapter 29 Starting a Web Browser Management Session This chapter contains the procedure for starting a management session on an AT-8400 Series switch using a web browser, such as Microsoft Internet Explorer or Netscape Navigator.
AT-S60 Management Software User’s Guide Starting a Web Browser Management Session This section explains how to start a web browser management session, bookmark the IP address of the switch, and quit out of a web browser management session. To start a web browser management session with the AT-S60 software, there must be at least one AT-8400 Series switch on your network that has been assigned an IP address. The switch with the IP address is referred to as the master switch.
Chapter 29: Starting a Web Browser Management Session 2. Enter the IP address of the switch in the URL field of the browser, as shown in Figure 190. Switch’s IP Address Figure 190 Entering a Switch’s IP Address in the URL Field 3. When prompted, enter a user name and password. For information about login ids, see Management Access Levels on page 33. You cannot change the user names. However, you can change the passwords, as explained in Configuring the Management Passwords on page 65.
AT-S60 Management Software User’s Guide The main menu is on the left side of the Home Page. It consists of the following menus: ❑ Configuration ❑ Monitoring ❑ Logout Note The main menu includes an Enhanced Stacking option when enhanced stacking is implemented. Browser Tools You can use the browser’s bookmark feature to record the IP address of the switch. Note After 10 minutes of inactivity, a web browser management session times out.
Chapter 30 Basic Switch Parameters This chapter provides the following procedures for configuring basic switch parameters using a web browser management session: ❑ Configuring an IP Address and Switch Name on page 583 ❑ Setting the System Time on page 588 ❑ Activating the BOOTP and DHCP Services on page 591 ❑ Displaying System Information on page 592 ❑ Configuring SNMPv1 and SNMPv2c Protocols on page 595 ❑ Resetting a Switch on page 604 ❑ Pinging a Remote System on page 605 ❑ Returning the AT-S60 Software
Configuring an IP Address and Switch Name

This procedure describes the parameters in the Administration section of the Configuration Menu. The Configuration and MAC Address Aging Time parameters are discussed later in this guide.

Note
For guidelines on when to assign an IP address, subnet address, and gateway address to an AT-8400 Series switch, refer to Assigning an IP Address to a Switch on page 46.
Chapter 30: Basic Switch Parameters The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192. Figure 192 Configuration System Page, General Tab Note Save Changes is only displayed when you make a change to the default configuration.
AT-S60 Management Software User’s Guide 2. Change the following parameters as desired: System Name This parameter specifies a name for the switch (for example, Sales Ethernet switch). Entering a value for this parameter is optional. Note Allied Telesyn International recommends that you assign a name to each switch because switch names help you identify the various switches in your network. Knowing a switch’s name ensures you perform a configuration procedure on the correct switch.
Chapter 30: Basic Switch Parameters Manager Password Manager Confirm Password These parameters are used to change the administrator’s login password for the switch. The password can be from 0 to 20 characters in length. The same password is used for both local and remote management sessions. To create a new password, enter the new password into both fields. The default password is “friend.
AT-S60 Management Software User’s Guide 3. After you have set the parameters, click Apply. Your changes are activated on the switch. 4. To save your changes, click Save Changes. Note Changing any of the above parameters, including the IP address and subnet mask, is immediately activated on the switch. Changing the IP address of the switch can cause the loss of the remote management session. You can restart the management session using the switch’s new IP address.
Chapter 30: Basic Switch Parameters Setting the System Time To set system time manually on the switch, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584. 2. Select the System Time Tab. The System Time Tab is shown in Figure 193. Figure 193 Configuration System Page, System Time Tab 3. In the System Time section, specify the time and date for the switch.
AT-S60 Management Software User’s Guide 5. In the Additional Time Parameters section you can specify the UTC offset and enable or disable daylight savings time: UTC Offset - Specify a difference between the UTC and local time. The default is 0 hours. The range is -12 to +12 hours. Daylight Savings Time - Click Enabled to enable or Disabled to disable the switch’s ability to adjust the system time to daylight savings time. 6. Click Apply. Your changes are activated on the switch. 7.
Chapter 30: Basic Switch Parameters Setting Up SNTP When you set up SNTP, the switch polls an SNTP or NTP server for the time. SNTP is a reduced version of the Network Time Protocol (NTP). However, it is important to note that SNTP servers and clients are interoperable with NTP servers and clients. Note For more information about SNTP, refer to Setting the System Time on page 59. To set up SNTP, perform the following procedure: 1. From the Home Page, select Configuration.
AT-S60 Management Software User’s Guide Activating the BOOTP and DHCP Services For background information on BOOTP and DHCP, refer to the section Activating the BootP and DHCP Services on page 57. To activate or deactivate the BOOTP and DHCP protocols on the switch from a web browser management session, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584. 2.
Displaying System Information

To view system information, access the Monitoring Page. The parameters on this page are for viewing only. You cannot change any of the values from this page. To view basic information about the switch, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194.
AT-S60 Management Software User’s Guide The sections in the Tab are defined below. General This section displays the basic switch information. The values cannot be changed at this menu. For the procedure to change the values of the System Name, Administrator, Comments, IP Address, Subnet Mask, and Default Gateway parameters, see Configuring an IP Address and Switch Name on page 583.
❑ Switch Mode - Defines the switch’s current VLAN mode. If this parameter displays “Tagged,” the switch supports port-based and tagged VLANs. If this parameter displays “Basic,” the switch is operating in the Basic VLAN Mode. For information about VLANs, refer to the overview sections in Chapter 18, Tagged and Port-based Virtual LANs on page 401.
AT-S60 Management Software User’s Guide Configuring SNMPv1 and SNMPv2c Protocols This section provides instructions on how to create SNMPv1 and SNMPv2c communities that have access to the switch. In addition, a procedure that permits you to modify current SNMPv1 and SNMPv2c community parameters is provided as well as a procedure to delete SNMPv1 and SNMPv2c community access.
Chapter 30: Basic Switch Parameters The SNMP Tab is shown in Figure 195. Figure 195 Configuration System Page, SNMP Tab 3. To enable SNMP Access for the SNMPv1 and SNMPv2c protocols, click the box next to Enable SNMP Access. Use this parameter to enable the switch to be remotely managed with an SNMP application program. Note If the check box in the Enable SNMP Access box is empty, the switch cannot be managed through SNMP. This is the default. 4.
AT-S60 Management Software User’s Guide 6. To configure SNMPv1 and SNMPv2 communities, click Configure in the SNMPv1 & SNMPv2c section of the web page. The SNMPv1 & SNMPv2c Communities Page is shown in Figure 196. Figure 196 SNMPv1 & SNMPv2c Communities Page 7. To create a SNMPv1 and SNMPv2c community, click Add.
Chapter 30: Basic Switch Parameters The Add New SNMPv1 & SNMPv2c Community Page is shown in Figure 197. Figure 197 Add New SNMPv1 & SNMPv2c Community Page 8. Configure the following parameters: Community Name Enter an SNMP community name that consists of up to 15 alphanumeric characters. Status Click Enable to enable the SNMP community. Click Disable to disable the SNMP community.
Access Mode
Click Read Only to allow read access to the SNMP community. To allow read-write access to the SNMP community, click Read-Write.

Open Access
Click this option to allow any SNMP manager to access the switch.

Manager IP Address 1 through Manager IP Address 8
Enter an IP Address of a switch that is permitted SNMP manager access to the current switch. You can enter up to 8 Manager IP Addresses.
Chapter 30: Basic Switch Parameters Figure 198 Modify SNMPv1 & SNMPv2c Community Page 5. Modify the following parameters: Status Click Enable to enable the SNMP community. Click Disable to disable the SNMP community. Access Mode Click Read Only to allow read access to the SNMP community. Click Read-Write to allow read-write access to the SNMP community. Allow Any Station Click this option to allow any SNMP manager to access the switch.
Manager IP Address 1 through Manager IP Address 8
Enter an IP Address of a switch that is permitted SNMP manager access to the current switch. You can enter up to 8 Manager IP Addresses.

Trap Receiver IP Address 1 through Trap Receiver IP Address 8
Use the above selections to specify the IP addresses of up to 8 trap receivers on your network that can receive traps from the switch.

6. Click Apply to update the SNMPv1 and SNMPv2c Modify Web Page.

7.
Chapter 30: Basic Switch Parameters The SNMP Monitoring Tab is shown in Figure 199. Figure 199 SNMP Monitoring Tab 3. Click View in the SNMPv1 & SNMPv2c section of the SNMP Monitoring Tab.
AT-S60 Management Software User’s Guide The Monitoring, SNMPv1 & SNMPv2c Communities Page is shown in Figure 200.
Chapter 30: Basic Switch Parameters Resetting a Switch To reset a switch, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584. 2. Click the Reset button at the bottom of the page. A confirmation prompt is displayed. 3. Click OK to reset the switch or Cancel to cancel the procedure. Resetting the switch ends your web browser management session.
AT-S60 Management Software User’s Guide Pinging a Remote System You can instruct the switch to ping a node on your network. This procedure is useful in determining whether a valid link exists between the switch and another device. To ping a network device, perform the following procedure: 1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592. 2. Select the Ping Client Tab.
Chapter 30: Basic Switch Parameters Returning the AT-S60 Software to the Factory Default Values The procedure in this section returns all AT-S60 software parameters, except the IP address, subnet mask, and gateway address, to their default values. This procedure also deletes any VLANs that you have created on the switch. Note The AT-S60 software default values are described in Appendix A, AT-S60 Default Settings on page 820.
AT-S60 Management Software User’s Guide 3. Click the Reboot Switch After Setting Defaults checkbox. 4. Click Apply. 5. Follow the online prompts. Note For information about TFTP file uploads and downloads, see Chapter 31: File Downloads and Uploads on page 608.
Chapter 31 File Downloads and Uploads This chapter contains the procedure for downloading a new AT-S60 image file onto the switch using a web browser management session. In addition, it contains procedures for uploading and downloading system files.
AT-S60 Management Software User’s Guide Downloading a File This procedure explains how to download a file from a TFTP server on your network to the switch using the web browser interface. You can download any of the following files: ❑ AT-S60 image file ❑ Configuration file ❑ Public key ❑ CA certificate ❑ Certificate enrollment request Note The public key and CA certificate are only supported on the version of AT-S60 management software that features SSL, PKI, and SSH security.
Chapter 31: File Downloads and Uploads ❑ Installing a new AT-S60 software image does not change the current configuration of a switch (for instance, IP address, subnet mask, and virtual LANs). If you want to return a switch to its default configuration values, see Returning the AT-S60 Software to the Factory Default Values on page 606. Caution The switch will stop forwarding Ethernet traffic after it has downloaded an AT-S60 image file and begun to initialize the software. Some network traffic may be lost.
AT-S60 Management Software User’s Guide 3. In the Server IP Address field, enter the IP address of the network node that contains the TFTP server software. 4. In the Operation field, click Download. 5. In the Server Filename field, enter the name of the file that resides on the TFTP server. This file is downloaded to the switch. 6. In the Local Filename field, enter a name for the file. This is the filename that appears on the switch. If you are downloading the AT-S60 image file, enter “ats60.
Chapter 31: File Downloads and Uploads Uploading a File This procedure explains how to upload a file from the switch’s file system to a TFTP server on your network using the web browser interface.
AT-S60 Management Software User’s Guide 4. In the Operation field, click Upload. 5. In the Server Filename field, enter a name for the file. This is the name of the file on the TFTP server. 6. In the Local Filename field, enter the name of the file in the switch’s file system that you want to upload to the TFTP server. Note The File Type options are not used when uploading a file. 7. Click Apply. The management software will notify you once the upload is complete.
Chapter 32 Enhanced Stacking This chapter introduces enhanced stacking, describes how to assign enhanced stacking status to an AT-8400 Series Switch, and describes how to select a remote switch using a web browser management session.
AT-S60 Management Software User’s Guide Overview Using a web browser management session, you can view and set the enhanced stacking status of the switch. In addition, you can view and manage other switches in an enhanced stack. For detailed information about enhanced stacking, see Enhanced Stacking Overview on page 76. The enhanced stacking status of the switch can be master, slave, or unavailable.
Chapter 32: Enhanced Stacking Setting a Switch’s Enhanced Stacking Status To adjust a switch’s enhanced stacking status, perform the following procedure: 1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584. 2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634. 3.
Selecting a Switch in an Enhanced Stack

You can use the AT-S60 software to access a remote switch from a master switch. The remote switch can be either a slave or a master. When you start a web browser management session on the master switch, you are addressing only the master switch. Consequently, the management tasks that you perform only affect the master switch. To manage a remote switch in the same subnet, you need to select it from the master switch.
The master switch polls the network for all remote switches in the same subnet and displays a list of the switches in the Enhanced Stacking Page. See Figure 205.

Figure 205 Enhanced Stacking Page

To sort the switches in the list by switch name or MAC address, click on the column headers. By default, the list is sorted by MAC addresses. To refresh the list, click Refresh. This instructs the master switch to poll the subnet for all available switches again.
2.
The Home Page for the remote switch you selected is displayed. An example is shown in Figure 206. You can now manage the remote switch.

Figure 206 AT-S39 Home Page

For information about the remote switch you selected, consult the appropriate Allied Telesyn documentation.

Returning to the Master Switch

When you have finished managing a remote switch, select the Disconnect option on the Home Page of the remote switch.
Chapter 33 Port Parameters

The procedures in this chapter allow you to view and change the parameter settings for the individual ports on a switch using a web browser management session. The duplex mode and port speed are examples of port parameters that you can modify.
Configuring Port Parameters

This procedure describes how to configure one or more ports on an AT-8400 switch. It is important to note that when you select multiple ports for configuration, you are making the same configuration changes on all of the ports. To configure the parameter settings for a port or ports on a switch, perform the following procedure:
1. From the Home Page, select Configuration.
Caution
Use caution when you update the port that is connected to your management workstation and is communicating with the switch. When you make changes to this port, you could inadvertently lose your management session.

4. Click Modify. The Port Configuration Page is shown in Figure 208.

Figure 208 Port Configuration Page

Note
Clicking the Defaults button returns the port settings to the default values which are listed in Appendix A, AT-S60 Default Settings on page 820.

5.
To select a value, click the circle next to it. Possible values are:
❑ Auto-Negotiate: Select Auto-Negotiation to set both speed and duplex mode for the port automatically. This is the default setting.
❑ 10 Mbps - Half Duplex: Select this value to set the port or ports to a speed of 10 Mbps and half-duplex mode.
❑ 10 Mbps - Full Duplex: Select this value to set the port or ports to a speed of 10 Mbps and full-duplex mode.
❑ High - Indicates high priority has been assigned to the port. As a result, all tagged and untagged packets are sent to the high priority queue.

Media Type
Use this parameter to select the media type on an AT-8413 line card. The Media Type parameter is only available when you configure the Speed and Duplex parameter with one of the following settings: 10_Half, 10_Full, 100_Half, 100_Full, or 1GB_Full.
Back Pressure
You can use this selection only if the port or ports you specified are operating at half-duplex mode. When you specify that a port is in this mode and it has a packet that is pending transmission, then the software suspends the JAM pattern before sending the packet. After the packet is sent, the JAM pattern resumes. To select a value, click the circle next to it. Possible values are:
❑ Enabled - Indicates back pressure is activated on this port.
Displaying Port Status and Statistics

The procedures in this section display the operating status of the ports on a switch and port statistics. You can view a port’s operating speed, duplex mode, MDI/MDI-X configuration, and more. You can also view the operating status of any GBIC modules installed.

Displaying Port Status

To display the status of a port, perform the following procedure:
1. From the Home Page, select Monitoring.
3. Click on a port. You can select more than one port at a time when you want to display port status. However, you can select only one port when displaying statistics. After you select a port, it turns white. (To deselect a port, click it again.)
4. Click Status to display the port’s operating status. The Port Status Page is shown in Figure 210.

Figure 210 Port Status Page

The information on this page is for viewing purposes only.
The columns on the page are described below:

Port
Indicates the port number in the following format: slot number. port number

Name
Indicates the name of the port. The default name is the port number.

Media
Indicates the type of port. See the following:
❑ TP (for twisted pair) indicates one of the following:
— An RJ-45 port on an AT-8411 line card.
❑ Down - indicates that the port and the end node have not established a valid link.

Neg
The status of Auto-Negotiation on the port. Possible values are:
❑ Auto - Indicates that the port is using Auto-Negotiation to set operating speed and duplex mode.
❑ Manual - Indicates that the operating speed and duplex mode have been set manually.

MDI/X
The operating configuration of the port. Possible values are Auto, MDI, MDI-X.
STP State
The current operating status of the port. Possible values are:
❑ Forwarding - The port is sending and receiving Ethernet frames. This is the normal state for a switch port.
❑ Disabled - STP operations have been disabled on the port.
❑ Blocking - This is the standby mode. The port does not participate in frame relay. The forwarding process discards received frames and does not submit forwarded frames for transmission.
You can select only one port when displaying statistics. After you select a port, it turns white. (To deselect a port, click it again.)
4. Click Statistics. The Port Statistics Page is shown in Figure 211.

Figure 211 Port Statistics Page

Note
To view the status of the port, click Status.

The information on this page is described below:

Bytes Received
Number of bytes received on the port.

Frames Received
Number of frames received on the port.
Bytes Sent
Number of bytes transmitted from the port.

Frames Sent
Number of frames transmitted from the port.

Broadcast Frames Sent
Number of broadcast frames transmitted from the port.

Multicast Frames Sent
Number of multicast frames transmitted from the port.

Jabber
Number of received packets in which the packet data is greater than MAXFRAMESIZE and the packet has an invalid CRC.
Chapter 34 MAC Address Table

This chapter describes how to display the dynamic and static addresses in the MAC address table using a web browser management session. It contains the following procedures:
❑ Displaying the MAC Address Table on page 634
❑ Adding Static Unicast and Multicast MAC Addresses on page 637
❑ Deleting MAC Addresses on page 639
❑ Changing the Aging Time on page 640

Note
For background information on MAC addresses, refer to MAC Address Overview on page 116.
Displaying the MAC Address Table

To view the MAC address table, perform the following procedure:
1. From the Home Page, select either Configuration or Monitoring. If you select Configuration, the Configuration System Page is displayed with the General Tab displayed by default, as shown in Figure 192 on page 584.
2. Select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab shown by default.
View Static MAC Addresses
This option displays only the static MAC addresses. Static MAC addresses are addresses that you entered manually into the MAC address table.

View IP Multicast Addresses
This option displays the multicast MAC addresses.

View MAC Addresses on Port(s)
This option is used to display the MAC addresses learned on a particular port. For information about how to specify ports, see Specifying Ports on page 34.
The MAC addresses are displayed in a table. The columns in the table are:

VLAN ID
The VID of the VLAN to which the port is an untagged member.

MAC ADDRESS
The MAC addresses of the nodes connected to the port.

PORT
The port on the switch where the MAC address was learned or assigned. See Specifying Ports on page 34.

TYPE
The MAC address type. The type can be either static or dynamic.

4. Click Close. The MAC Addresses Table Page is displayed as shown in Figure 212 on page 634.
Adding Static Unicast and Multicast MAC Addresses

This section contains the procedure for assigning a static unicast or multicast address to ports on the switch. You can assign up to 255 static MAC addresses per port.

Note
When you add a static multicast address you must assign the address to all ports on the switch that belong to the multicast group. This includes the ports connected to the multicast application server and the host nodes.
5. In the Port Number field, enter the port number that is to be assigned the MAC address. You can specify more than one port. For information about specifying ports, see Specifying Ports on page 34.
6. In the VLAN ID field, enter the VLAN ID for the specified port. The range of VLAN IDs is 1 to 4094, with 1 as the default VLAN ID.
7. Click Apply. The MAC Addresses Table Page is displayed as shown in Figure 212 on page 634.
8.
Deleting MAC Addresses

To delete a static, dynamic, or multicast MAC address from the switch, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3.
Changing the Aging Time

The switch uses the aging time to delete inactive dynamic MAC addresses from the MAC address table. When the switch detects that no packets have been sent to or received from a particular MAC address in the table after the period specified by the aging time, the switch deletes the address. This prevents the table from becoming full of node addresses that are inactive. The default setting for the aging time is 300 seconds (5 minutes).
Chapter 35 Port Trunking

This chapter explains how to configure a port trunk using a web browser management session. This chapter contains the following procedures:
❑ Creating or Deleting a Port Trunk on page 642
❑ Modifying a Port Trunk on page 645
❑ Displaying the Port Trunks on page 647

Note
For background information on port trunking, refer to Port Trunking Overview on page 128.
Creating or Deleting a Port Trunk

The following procedures allow you to create or delete a port trunk using the web browser management session.

Creating a Port Trunk

To create a port trunk, perform the following procedure:

Caution
Configure the software for ports on the switch and the end node before you connect the cables of a port trunk. Connecting the cables prior to configuring the ports can create loops in your network topology. Loops can result in broadcast storms.
4. Click Add. The Add New Trunk Page is shown in Figure 216.

Figure 216 Add New Trunk Page

5. Enter the name of the trunk in the Trunk Name box.
6. Click on the ports you want to include in the trunk. Selected ports turn white. To deselect a port, click it again.
7. Scroll down the page.
8. Click Apply. You are returned to the Port Trunking Page. It is updated with the new trunk port information. The new port trunk is immediately activated on the switch.
9.
10. Configure the ports on the remote switch for port trunking. You can now connect the data cables to the ports of the trunk on the switch.

Deleting a Port Trunk

To delete a port trunk, perform the following procedure:

Caution
Before you delete a trunk in software, disconnect the cables from the ports. Deleting the trunk without disconnecting the data cables can create a loop in your network topology. This situation can result in broadcast storms.

1.
Modifying a Port Trunk

This procedure allows you to modify a port trunk using a web browser management session. To modify a port trunk, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 1 option.
The Modify Trunk Page is shown in Figure 217.

Figure 217 Modify Trunk Page

5. Click on the ports to select them for port trunking. Selected ports turn white. Click again to deselect a port.
6. Scroll down the page and click Apply.
7. The Port Trunking Page opens as shown in Figure 215 on page 642. Your changes are immediately activated on the switch.
8. To save your changes, return to the General Tab and click Save Changes. Your changes are saved on the switch.
Displaying the Port Trunks

This procedure allows you to view the port trunk settings using a web browser management session. To display the port trunks, perform the following procedure:
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 1 option.
Chapter 36 Port Mirroring

This chapter explains how to configure a port mirror using a web browser management session. This chapter contains the following procedures:
❑ Creating a Port Mirror on page 649
❑ Deleting a Port Mirror on page 651
❑ Modifying a Port Mirror on page 652
❑ Displaying the Port Mirror List on page 654

Note
For background information on port mirroring, refer to Port Mirroring Overview on page 143.
Creating or Deleting a Port Mirror

Use the following procedures to create, delete, or modify a port mirror. For information about how ports are specified, see Specifying Ports on page 34. After you have made your changes, you need to save them on the Configuration System Page.

Creating a Port Mirror

To create a port mirror, perform the following procedure:
1. From the Home Page, select Configuration.
The Add New Mirror Page is displayed as shown in Figure 220.

Figure 220 Add New Mirror Page

5. Click the ports in the graphical switch image. Click once for S, which stands for the source mirror port. Click twice for D, which stands for destination mirror port. Click three times to deselect a port.
6. Click Apply. The Port Mirroring Tab is displayed. It reflects the changes you made in Step 6. The port mirror is immediately activated on the switch.
Deleting a Port Mirror

Use this procedure to delete a port mirror using a web browser management session.
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the Layer 1 option. The Layer 1 Page is displayed with the Port Settings Tab selected by default, as shown in Figure 207 on page 621.
3. Select the Port Mirroring Tab.
Modifying a Port Mirror

To change the source mirror port or the destination mirror port on an existing port mirror, perform the following procedure.
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the Layer 1 option. The Layer 1 Page is displayed with the Port Settings Tab selected by default, as shown in Figure 207 on page 621.
3.
5. Configure the mirror ports:
❑ Click once to select S for source mirror port.
❑ Click twice to select D for destination mirror port.
To change the destination mirror port to another port, deselect the current destination port mirror by clicking it off. Then you can select a new destination port mirror.
6. Click Apply. Your changes are activated on the switch. The Port Mirroring Page opens with the new ports.
Displaying the Port Mirror List

This procedure allows you to view the list of port mirrors using a web browser management session.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 1 option. The Layer 1 Page is displayed with the Port Settings Tab selected by default, as shown in Figure 209 on page 626.
3. Select the Port Mirroring Tab.
Chapter 37 Event Log

This chapter describes how to configure the Event Log using a web browser management session. It includes the following procedures:
❑ Enabling or Disabling the Event Log on page 656
❑ Displaying Events on page 658
❑ Saving the Event Log on page 660
❑ Clearing the Event Log on page 661

Note
For background information on this feature, refer to Event Log Overview on page 204.
Enabling or Disabling the Event Log

Allied Telesyn recommends setting the switch’s date and time if you intend to use the Event Log. If you do not set the switch’s date and time, the switch does not log the entries with the correct date and time. For instructions, see Setting the System Time on page 59.

To enable or disable the Event Log, do the following:
1. From the Home Page, select Configuration.
If you enable the log, the system immediately begins to add events to the log. The default is enabled.
4. For Log Full Action, click either Wrap or Halt.
Wrap: Indicates the log deletes old entries as it adds new entries once it reaches its maximum capacity of 4,000 events. The default is Wrap.
Halt: Indicates the log stops adding new entries once it reaches maximum capacity.
5. Click Apply.
6. To save your changes, return to the General Tab and click Save Changes.
Displaying Events

To view the Event Log, do the following:
1. From the Home Page, click either Configuration or Monitoring. The System page is displayed with the General tab selected by default, as shown in Figure 192 on page 584.
2. From the System page, select the Event Log tab. The Event Log tab is shown in Figure 223 on page 656.
3. Configure the following options which are located at the bottom of the web page:

Severity Selections
Displays events of a selected severity.
Figure 224 shows an example of the Event Log in the Full display mode. The Normal display mode does not include the Filename, Line Number, and Event ID items.

Figure 224 Event Log Example

The columns in the log are described below:
❑ S (Severity) - The event’s severity. Table 7 on page 209 defines the different severity levels.
❑ Date/Time - The date and time the event occurred.
❑ Event ID - A unique number that identifies the event.
Saving the Event Log

You can save the Event Log as a file in the file system. Once you save the Event Log as a file, you can view it or download it to your management workstation. For information about the AT-S60 file system, refer to Chapter 10, File System Configuration.

To save the Event Log, do the following:
1. Perform steps 1 to 3 in Displaying Events on page 658 using the Configuration tab and not the Monitoring tab.
2. In the Save Filename field, enter a name for the file.
Clearing the Event Log

To clear all events from the log, perform the following procedure:
1. From the Home Page, click Configuration. The System page is displayed with the General tab selected by default, as shown in Figure 192 on page 584.
2. From the System page, select the Event Log tab. The Event Log tab is shown in Figure 223 on page 656.
3. In Log Settings, click Clear Log.
4. Click Apply. The log, if enabled, learns new events immediately.
Chapter 38 IGMP Snooping

This chapter describes how to configure the IGMP snooping feature on the switch. It contains the following procedures:
❑ Configuring IGMP Snooping on page 663
❑ Displaying a List of Host Nodes and Multicast Routers on page 666

Note
For background information on this feature, refer to IGMP Snooping Overview on page 219.
Configuring IGMP Snooping

To configure IGMP snooping from a web browser management session, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the IGMP Tab. The Configuration IGMP Tab is shown in Figure 225.

Figure 225 Configuration System Page, IGMP Tab

3. Adjust the IGMP parameters as necessary.
Select the Single-Host/Port (Edge) setting when there is only one host node connected to each port on the switch.
If the switch does not detect any queries from a multicast router during the specified time interval, it assumes that the router is no longer active on the port.

Maximum Multicast Groups
Specifies the maximum number of multicast groups the switch learns. The range is 1 to 256 groups. The default is 64 multicast groups. This parameter is useful with networks that contain a large number of multicast groups.
Displaying a List of Host Nodes and Multicast Routers

You can use the AT-S60 software to display a list of the multicast groups on a switch, as well as the host nodes. In addition, you can view the multicast routers. A multicast router receives multicast packets from a multicast application and transmits the packets to host nodes.

To view host nodes and multicast routers, perform the following procedure:
1. From the Home Page, select Monitoring.
The View Multicast Hosts List Page is shown in Figure 227.

Figure 227 View Multicast Hosts List Page

This page displays the following information:

Multicast Group
The multicast address of the group.

VLAN ID
The VID of the VLAN in which the port is an untagged member.

Member Port/Trunk ID
This column displays host members present on either a port or a trunk of the switch.

Host IP
The IP address(es) of the host node(s) connected to the port.
The View Multicast Routers List Page is shown in Figure 228.

Figure 228 View Multicast Routers List Page

The page displays the following information:

Port/Trunk ID
This column displays router members present on either a port or a trunk of the switch.

VLAN ID
The VID of the VLAN in which the port is an untagged member.

Router IP
The IP address of the port on the router.
Chapter 39 STP, RSTP, and MSTP

This chapter explains how to configure STP, RSTP, and MSTP parameters on an AT-8400 chassis using a web browser management session.
Enabling STP, RSTP, or MSTP

The AT-8400 Series switch can support the three spanning tree protocols STP, RSTP, and MSTP. However, only one spanning tree protocol can be active on the switch at a time. So before you can enable a spanning tree protocol, you must first select it as the active spanning tree protocol. Once selected, you can then enable or disable it.
Note
If you do not want to change the active spanning tree protocol and just want to enable or disable it, go to Step 5.

4. To change the active spanning tree protocol on the switch, click STP, RSTP, or MSTP in the Active Protocol Version section of the tab. The default is RSTP.

Note
Only one spanning tree protocol can be active on the switch at a time.

5. To enable or disable the active spanning tree protocol on the switch, click the Enable Spanning Tree check box.
Configuring and Modifying STP

To configure and modify STP, perform the following procedure:

Caution
The bridge provides default STP parameters that are adequate for most networks. Changing the STP parameters without prior experience and an understanding of how STP works may have a negative effect on your network. Consult the IEEE 802.1d standard before changing any of the STP parameters.

1.
Figure 231 Expanded STP Spanning Tree Tab

3. In the Configure STP Parameters section, adjust the bridge STP settings as needed. The parameters are described below.

Bridge Priority
The priority number for the bridge. This number is used in determining the root bridge for STP. The bridge with the lowest priority number is selected as the root bridge.
parameter can be from 0 (zero) to 15, with 0 having the highest priority. For a list of the increments, refer to Table 9, Bridge Priority Value Increments on page 231.

Bridge Hello Time
The time interval between generating and sending configuration messages by the bridge. This parameter can be from 1 to 10 seconds. The default is 2 seconds.
The STP Settings Page is shown in Figure 232.

Figure 232 STP Settings Page

6. Adjust the settings as desired. The parameters are described below.

Port Priority
This parameter is used as a tie breaker when two or more ports are determined to have equal costs to the root bridge. The default value for priority is 128. The range is 0-15, with 0 having the highest priority.
Configuring and Modifying RSTP

To configure and modify RSTP, perform the following procedure:

Caution
The bridge provides default RSTP parameters that are adequate for most networks. Changing them without prior experience and an understanding of how RSTP works might have a negative effect on your network. Consult the IEEE 802.1w standard before changing any of the RSTP parameters.

1. Follow the steps in the procedure described in Enabling STP, RSTP, or MSTP on page 670.
2.
Figure 233 Expanded RSTP Spanning Tree Tab

4. In the Configure RSTP Parameters section, adjust the parameters as desired. The parameters are defined below.

Force Version
This selection determines whether the bridge operates with RSTP or in an STP-compatible mode. The default is RSTP. If you select RSTP, the bridge operates all ports in RSTP, except for those ports that receive STP BPDU packets. If you select Force STP Compatible, the bridge operates all ports in STP.
bridges have the same priority value, the bridge with the numerically lowest MAC address becomes the root bridge. When a root bridge goes off-line, the bridge with the next priority number automatically takes over as the root bridge. This parameter can be from 0 (zero) to 15, with 0 having the highest priority.
Root Priority
Indicates the bridge priority value on the root bridge. The bridge priority value is used by spanning tree to select the root bridge for the spanning tree domain. The bridge with the lowest value is assigned as the root bridge. This is a read-only parameter.

5. After you have made your changes, click Apply.
6. To adjust a port’s RSTP settings, click on the port in the switch image and click Modify. You can select more than one port at a time.
Each time an RSTP port is reset by receiving STP BPDUs, you need to reset the RSTP port, allowing it to send RSTP BPDUs.

Note
MCHECK is only valid when the RSTP mode is enabled. This option does not apply when the switch is in STP mode.

Point-to-Point
This parameter defines whether the port is functioning as a point-to-point port. The default setting is Auto Detect, which sets port cost depending on the speed of the port.
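The root-bridge rule given under Bridge Priority (lowest priority number wins, numerically lowest MAC address breaks a tie) can be checked against a planned set of values before they are entered on each switch. The following Python sketch is an added example, not part of the AT-S60 software or this guide; the switch names, MAC addresses and increment values are constructed, and it assumes each increment 0 to 15 maps to a priority of increment × 4,096.

```python
"""Added example: predict the spanning tree root from planned Bridge Priority values."""
import string
from dataclasses import dataclass

PRIORITY_STEP = 4096   # assumption: one increment equals 4,096 (range 0 to 61,440)
MAX_INCREMENT = 15     # highest increment accepted by the Bridge Priority field


def parse_mac(mac):
    """Return a MAC address as an integer so that addresses compare numerically."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Bridge:
    name: str        # hypothetical label for the switch
    increment: int   # planned Bridge Priority increment, 0 to 15
    mac: str         # constructed MAC address

    @property
    def priority(self):
        if not 0 <= self.increment <= MAX_INCREMENT:
            raise ValueError(f"{self.name}: increment {self.increment} is outside 0-15")
        return self.increment * PRIORITY_STEP

    @property
    def bridge_id(self):
        # Priority is compared first; the MAC address only matters on a tie.
        return (self.priority, parse_mac(self.mac))


def succession(bridges):
    """Order in which bridges take over as root, best bridge first."""
    return sorted(bridges, key=lambda b: b.bridge_id)


def elect_root(bridges):
    return succession(bridges)[0]


def audit(bridges, intended_root):
    """Return findings for a plan in which the root is not deliberately pinned."""
    findings = []
    order = succession(bridges)
    root = order[0]
    if root.name != intended_root:
        findings.append(f"{root.name} wins the election, not {intended_root}")
    tied = [b.name for b in order[1:] if b.priority == root.priority]
    if tied:
        findings.append("root decided only by MAC tie-break against " + ", ".join(tied))
    return findings


# Constructed plan 1: every switch left on the same increment.
SAME_PRIORITY = [
    Bridge("core-1", 8, "02:00:00:00:0A:01"),
    Bridge("core-2", 8, "02:00:00:00:0A:02"),
    Bridge("access-7", 8, "02:00:00:00:01:07"),
]

# Constructed plan 2: root and backup root pinned with distinct increments.
PINNED = [
    Bridge("core-1", 0, "02:00:00:00:0A:01"),
    Bridge("core-2", 1, "02:00:00:00:0A:02"),
    Bridge("access-7", 8, "02:00:00:00:01:07"),
]

if __name__ == "__main__":
    for label, plan in (("same priority", SAME_PRIORITY), ("pinned", PINNED)):
        print(label, "-> root:", elect_root(plan).name)
        for finding in audit(plan, "core-1"):
            print("  finding:", finding)
```

With equal priorities the access switch becomes root purely because its MAC address is numerically lowest; distinct increments on the intended root and its backup make the election and the takeover order deterministic.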
Configuring and Modifying MSTP

The procedures for configuring and modifying MSTP are provided in this section.
The expanded MSTP Spanning Tree Tab is displayed as shown in Figure 235.
Note
This procedure explains the Configure MSTP Parameters section of the page. The CIST/MSTI Table is explained in Adding, Removing, or Modifying VLAN Associations to MSTIs on page 687. The graphic image of the switch is described in Configuring MSTP Port Parameters on page 689.

8. In the Configure MSTP Parameters section, adjust the parameters as needed. The parameters are described below.
All bridges in a single-instance bridged LAN use this aging time to test the age of stored configuration messages called bridge protocol data units (BPDUs). For example, if you use the default of 20, all bridges delete current configuration messages after 20 seconds. The range of this parameter is from 6 to 40 seconds. The default is 20 seconds.
Creating, Deleting, or Modifying MSTI IDs

To create, delete, or modify MSTI IDs, perform one of the following procedures.

Creating an MSTI ID

To create an MSTI ID, do the following:
1. Display the Spanning Tree Expanded Page for MSTP by performing Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 681.
2. In the CIST/MSTI Table section of the tab, click Add. The Add New MSTI Page is displayed as shown in Figure 236.
Deleting an MSTI ID

To delete an MSTI ID, do the following:
1. Display the Spanning Tree Expanded Page for MSTP by performing Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 681.
2. In the CIST/MSTI Table section of the tab, click the circle next to the MSTI ID you want to delete. You can select only one MSTI ID at a time.
3. Click Remove.
4. A confirmation prompt is displayed.
5. Click OK to delete the MSTI or Cancel to cancel the procedure.
6.
4. In the Priority field, enter a new MSTI Priority value. This parameter is used in selecting a regional root for the MSTI. The range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest priority. For a list of the increments, refer to Table 9, Bridge Priority Value Increments on page 231. The default is 0.
5. Click Apply. To save your changes, return to the General Tab and click Save Changes. The changes you made are saved on the switch.
6.
Modifying a VLAN Association

To modify a VLAN association, do the following:
1. Display the Spanning Tree Expanded Page for MSTP by performing Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 681.
2. In the CIST/MSTI Table section of the tab, the VLAN Associations field, modify the VIDs of the VLANs that you no longer want to be associated with this MSTI. You can specify more than one VID at a time (e.g., 2,4,7).
3. Click Apply.
Configuring MSTP Port Parameters

To configure MSTP port parameters, perform the following procedure:
1. Perform Steps 1 through 4 in the procedure Configuring MSTP Parameters on page 681 to display the expanded Spanning Tree Page for MSTP.
2. In the diagram of the switch at the bottom of the MSTP Spanning Tree Expanded Page, click the ports you want to configure. You can select more than one port at a time.
3. Click Modify.
Edge Port
This parameter defines whether the port is functioning as an edge port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 234.

Point-to-Point
This parameter defines whether the port is functioning as a point-to-point port. For an explanation of this parameter, refer to Point-to-Point Ports and Edge Ports on page 234.
Displaying STP, RSTP, or MSTP Settings

To display spanning tree parameter settings, perform the following procedure:
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 2 option. The Monitoring Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the Spanning Tree Tab.
Figure 240 shows an example of the Monitor STP Parameters Tab. The contents of this tab differ depending on which spanning tree protocol is active on the switch. The information in this page is for viewing purposes only.

Figure 240 Monitoring Layer 2 Page, Spanning Tree Tab

5. To view port settings, click a port on the switch and click Settings. You can select more than one port.
The STP Settings Page is shown in Figure 241.

Figure 241 STP Settings Page

6. Click OK.
Chapter 40 SNMPv3 Protocol

This chapter provides the following procedures for configuring basic switch parameters using a web browser management session:
❑ Configuring the SNMPv3 Protocol on page 695
❑ Enabling the SNMP Protocol on page 696
❑ Configuring the SNMPv3 User Table on page 698
❑ Configuring the SNMPv3 View Table on page 705
❑ Configuring the SNMPv3 Access Table on page 710
❑ Configuring the SNMPv3 SecurityToGroup Table on page 717
❑ Configuring the SNMPv3 Notify Table on page 722
❑ Configuring
Configuring the SNMPv3 Protocol

To configure the SNMPv3 protocol, you need to configure the SNMPv3 tables. To enable a manager to access the SNMPv3 protocol on the switch, you need to enable the SNMP protocol.
Enabling the SNMP Protocol

In order to allow an NMS (an SNMP manager) to access the switch, you need to enable SNMP access. In addition, to allow the switch to send a trap when it receives a request message, you need to enable authentication failure traps. This section provides a procedure to accomplish both of these tasks.

To enable SNMP access and authentication failure traps, perform the following procedure.
1. From the Home Page, select Configuration.
Use this parameter to enable the switch to be remotely managed with an SNMP application program.

Note
If the check box in the Enable SNMP Access box is empty, the switch cannot be managed through SNMP. This is the default.

4. To enable authentication failure traps to be sent on behalf of the switch, click the box next to Enable Authentication Failure Trap.
5. Click Apply to update the User Table.
6.
Configuring the SNMPv3 User Table

You can create, delete, and modify an SNMPv3 User Table entry. See the following procedures:
❑ Creating a User Table Entry on page 698
❑ Deleting a User Table Entry on page 701
❑ Modifying a User Table Entry on page 702

For reference information about the SNMPv3 User Table, see Configuring the SNMPv3 User Table on page 305.

Creating a User Table Entry

To create an entry in the SNMPv3 User Table, perform the following procedure.
1.
The SNMPv3 User Table Page is shown in Figure 243.

Figure 243 SNMPv3 User Table Page

4. Click the Add button to add a new SNMPv3 User Table entry. The Add New SNMPv3 User Page is shown in Figure 244.

Figure 244 Add New SNMPv3 User Page

5. In the User Name field, enter a name, or logon id, that consists of up to 32 alphanumeric characters.
6. In the Authentication Protocol field, enter an authentication protocol. This is an optional parameter. Select one of the following:

None
This value represents no authentication protocol. When messages are received, users are not authenticated. With the None selection, you cannot configure a Privacy Protocol.

MD5
This value represents the MD5 authentication protocol. With this selection, users are authenticated with the MD5 authentication protocol after a message is received.
10. In the Privacy Password field, enter a privacy password of up to 32 alphanumeric characters.
11. In the Confirm Privacy Password field, re-enter the privacy password.
12. In the Storage Type field, enter one of the following storage options for this table entry:

Volatile
Select this storage type if you do not want the ability to save an entry in the User Table to the configuration file.
5. To save your changes, return to the General Tab and click Save Changes.

Modifying a User Table Entry

To modify an entry in the SNMPv3 User Table, perform the following procedure.
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the SNMP Tab. The SNMP Tab is shown in Figure 195 on page 596.
3.
Select one of the following:

None
This value represents no authentication protocol. When messages are received, users are not authenticated. With the None selection, you cannot configure a Privacy Protocol.

MD5
This value represents the MD5 authentication protocol. With this selection, users are authenticated with the MD5 authentication protocol after a message is received. With this selection, you can configure a Privacy Protocol.
DES
Select this value to make the DES privacy (or encryption) protocol the privacy protocol for this User Table entry. With this selection, messages transmitted between the host and the switch are encrypted with the DES protocol.

9. In the Privacy Password field, enter a privacy password of up to 32 alphanumeric characters.
10. In the Confirm Privacy Password field, re-enter the privacy password.
11.
Configuring the SNMPv3 View Table

You can create, delete, and modify an SNMPv3 View Table entry. See the following procedures:
❑ Creating a View Table Entry on page 705
❑ Deleting a View Table Entry on page 707
❑ Modifying a View Table Entry on page 708

For reference information about the SNMPv3 View Table, see Configuring the SNMPv3 View Table on page 705.
4. To create a new SNMPv3 View Table entry click Add. The Add New SNMPv3 View Page is shown in Figure 247.

Figure 247 Add New SNMPv3 View Page

5. In the View Name field, enter a descriptive name of this view. Assign a name that reflects the subtree OID, for example, “internet.” Enter a unique name of up to 32 alphanumeric characters.

Note
The “defaultViewAll” value is the default entry for the SNMPv1 and SNMPv2c configuration.
The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subnet Mask parameter is dependent on the subtree you select. See RFC 2575 for detailed information about defining a subnet mask.

8. In the View Type field, enter one of the following view types:

Included
Enter this value to permit the user to see the subtree specified above.
3. In the SNMPv3 section of the page, click the circle next to Configure View Table. Then click Configure.
4. The SNMPv3 View Table Page is shown in Figure 246 on page 705.
5. Click the circle next to the View Table entry that you want to delete. Then click Remove. A warning message is displayed. Click OK to remove the View Table entry.
6. To save your changes, return to the General Tab and click Save Changes.
5. In the Subtree Mask field, enter a subtree mask in hexadecimal format. This is an optional parameter that is used to further refine the value in the View Subtree parameter. This parameter is in binary format. The View Subtree parameter defines a MIB View and the Subtree Mask further restricts a user’s view, for example, to a specific row of the MIB tree. The value of the Subnet Mask parameter is dependent on the subtree you select.
Configuring the SNMPv3 Access Table

You can create, delete, and modify an SNMPv3 Access Table entry. See the following procedures:
❑ Creating an Access Table on page 710
❑ Deleting an Access Table Entry on page 714
❑ Modifying an Access Table Entry on page 714

For reference information about the SNMPv3 Access Table, see Configuring the SNMPv3 Access Table on page 710.

Creating an Access Table

To create an entry in the SNMPv3 Access Table, perform the following procedure.
1.
The Add New SNMPv3 Access Page is shown in Figure 250.

Figure 250 Add New SNMPv3 Access Page

5. In the Group Name field, enter a descriptive name of the group. The Group Name can consist of up to 32 alphanumeric characters. You are not required to enter a unique value here because the SNMPv3 Access Table entry is indexed with the Group Name, Security Model, and Security Level parameter values.
This parameter allows the users assigned to this Group Name to view the information specified by the View Table entry. This value does not need to be unique.
7. In the Write View Name field, enter a value that you configured with the View Name parameter in the SNMPv3 View Table. This parameter allows the users assigned to this Security Group to write, or modify, the information in the specified View Table. This value does not need to be unique.
8.
SNMP users, but you do not want to encrypt messages using a privacy protocol. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.

Privacy
This option represents authentication and the privacy protocol. Select this security level to allow authentication and encryption. This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
Deleting an Access Table Entry

To delete an entry in the SNMPv3 Access Table, perform the following procedure.
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the SNMP Tab. The SNMP Tab is shown in Figure 195 on page 596.
3. In the SNMPv3 section of the page, click the circle next to Configure Access Table.
The Modify SNMPv3 Access Page is shown in Figure 251.

Figure 251 Modify SNMPv3 Access Page

Note
The Context Prefix field is a read-only field. The Context Prefix field is always set to null.

6. In the Read View Name field, enter a value that you configured with the View Name parameter in the View Table. This parameter allows the users assigned to this Group Name to view the information specified by the View Table entry. This value does not need to be unique.
7.
Note
The Context Match field is a read-only field. The Context Match field is always set to Exact.

9. In the Storage Type field, select one of the following storage types for this table entry:

Volatile
Select this storage type if you do not want the ability to save an entry in the Access Table to the configuration file. After making changes to an Access Table entry with a Volatile storage type, Save Changes does not appear on the General Tab.
Configuring the SNMPv3 SecurityToGroup Table

You can create, delete, and modify an SNMPv3 SecurityToGroup Table entry. See the following procedures:
❑ Creating a SecurityToGroup Table Entry on page 717
❑ Deleting a SecurityToGroup Table Entry on page 719
❑ Modifying a SecurityToGroup Table Entry on page 720

For reference information about the SNMPv3 SecurityToGroup Table, see Configuring the SNMPv3 SecurityToGroup Table on page 717.
4. To create an SNMPv3 SecurityToGroup Table entry, click Add. The Add New SNMPv3 SecurityToGroup Page is shown in Figure 253.

Figure 253 Add New SNMPv3 SecurityToGroup Page

5. In the Security Model field, select the SNMP protocol that was configured for this User Name. Choose from the following:

v1
Select this value to associate the User Name with the SNMPv1 protocol.

v2c
Select this value to associate the User Name with the SNMPv2c protocol.
There are four default values for this field that are reserved for SNMPv1 and SNMPv2c implementations:
❑ defaultV1GroupReadOnly
❑ defaultV1GroupReadWrite
❑ defaultV2cGroupReadOnly
❑ defaultV2cGroupReadWrite

8. In the Storage Type field, select one of the following storage types for this table entry:

Volatile
Select this storage type if you do not want the ability to save an entry in the SecurityToGroup Table to the configuration file.
The SNMPv3 SecurityToGroup Table Page is shown in Figure 252 on page 717.
4. Click the circle next to the SecurityToGroup Table entry that you want to delete. Then click Remove. A warning message is displayed. Click OK to remove the SNMPv3 SecurityToGroup Table entry.
5. To save your changes, return to the General Tab and click Save Changes.

Modifying a SecurityToGroup Table Entry

To modify an entry in the SNMPv3 SecurityToGroup Table, perform the following procedure.
1.
5. In the Group Name field, enter a Group Name that you configured in the SNMPv3 Access Table. See Creating an Access Table on page 710.

There are four default values for this field that are reserved for SNMPv1 and SNMPv2c implementations:
❑ defaultV1GroupReadOnly
❑ defaultV1GroupReadWrite
❑ defaultV2cGroupReadOnly
❑ defaultV2cGroupReadWrite

6.
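The View, Access, and SecurityToGroup tables configured in the preceding sections are the three lookups of the view-based access control check defined in RFC 2575, including the Subtree Mask rule. The following Python sketch is an added example, not AT-S60 code: it walks a request through those lookups, and every table entry, user name, and function name in it is constructed for illustration.

```python
from typing import NamedTuple

# Security levels in RFC 2575 terms; the web pages call them
# No Authentication/Privacy, Authentication, and Privacy.
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

class View(NamedTuple):
    name: str        # View Name
    subtree: tuple   # View Subtree as a tuple of sub-identifiers
    mask: bytes      # Subtree Mask; b"" means every position must match
    included: bool   # View Type: Included (True) or Excluded (False)

class Access(NamedTuple):
    group: str       # Group Name
    model: str       # Security Model: "v1", "v2c" or "v3"
    level: str       # lowest Security Level a request may arrive with
    read_view: str   # Read View Name ("" = none configured)
    write_view: str  # Write View Name ("" = none configured)

def oid(text):
    """Turn dotted notation into a tuple of integers."""
    return tuple(int(part) for part in text.strip(".").split("."))

def family_matches(view, target):
    """True if target falls in the subtree family. Mask bit i (most
    significant bit first) set to 1 means sub-identifier i must match;
    0 is a wildcard. A mask shorter than the subtree is padded with ones."""
    if len(target) < len(view.subtree):
        return False
    for i, sub_id in enumerate(view.subtree):
        byte_i, bit_i = divmod(i, 8)
        if byte_i < len(view.mask):
            must_match = (view.mask[byte_i] >> (7 - bit_i)) & 1
        else:
            must_match = 1
        if must_match and target[i] != sub_id:
            return False
    return True

def in_view(views, name, target):
    """The matching entry with the longest subtree decides; ties go to
    the lexicographically greatest subtree."""
    hits = [v for v in views if v.name == name and family_matches(v, target)]
    if not hits:
        return False
    best = max(hits, key=lambda v: (len(v.subtree), v.subtree))
    return best.included

def is_access_allowed(tables, model, user, level, operation, target):
    """Return the RFC 2575 status name for one read or write request."""
    group = tables["security_to_group"].get((model, user))
    if group is None:
        return "noGroupName"
    entries = [a for a in tables["access"]
               if a.group == group and a.model == model
               and LEVELS[a.level] <= LEVELS[level]]
    if not entries:
        return "noAccessEntry"
    entry = max(entries, key=lambda a: LEVELS[a.level])
    view_name = entry.read_view if operation == "read" else entry.write_view
    if not view_name:
        return "noSuchView"
    if in_view(tables["views"], view_name, target):
        return "accessAllowed"
    return "notInView"

# Constructed sample tables (not taken from the guide).
TABLES = {
    "views": [
        # Everything under internet, minus the SNMP engine's own tables.
        View("internet", oid("1.3.6.1"), b"", True),
        View("internet", oid("1.3.6.1.6.3"), b"", False),
        # Row 2 of ifTable: mask ff a0 wildcards the column position.
        View("ifRow2", oid("1.3.6.1.2.1.2.2.1.0.2"), bytes.fromhex("ffa0"), True),
    ],
    "access": [
        Access("monitor", "v3", "authNoPriv", "internet", ""),
        Access("porttech", "v3", "authPriv", "ifRow2", "ifRow2"),
    ],
    "security_to_group": {
        ("v3", "noc-ro"): "monitor",
        ("v3", "portop"): "porttech",
    },
}

if __name__ == "__main__":
    for user, level, op, target in [
        ("noc-ro", "authPriv", "read", "1.3.6.1.2.1.1.1.0"),
        ("noc-ro", "authPriv", "read", "1.3.6.1.6.3.15.1.2.2"),
        ("noc-ro", "noAuthNoPriv", "read", "1.3.6.1.2.1.1.1.0"),
        ("portop", "authPriv", "write", "1.3.6.1.2.1.2.2.1.7.2"),
        ("portop", "authPriv", "write", "1.3.6.1.2.1.2.2.1.7.3"),
    ]:
        print(user, level, op, target,
              is_access_allowed(TABLES, "v3", user, level, op, oid(target)))
```

The excluded 1.3.6.1.6.3 family in the constructed "internet" view keeps a read-only monitoring account from walking the switch's own SNMP user and access tables, which is a common reason to add an Excluded entry alongside an Included one.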
Configuring the SNMPv3 Notify Table

You can create, delete, and modify an SNMPv3 Notify Table entry. See the following procedures:
❑ Creating a Notify Table Entry on page 722
❑ Deleting a Notify Table Entry on page 724
❑ Modifying a Notify Table Entry on page 724

For reference information about the SNMPv3 Notify Table, see Configuring the SNMPv3 Notify Table on page 722.
4. To create an SNMPv3 Notify Table entry, click Add. The Add New SNMPv3 Notify Page is shown in Figure 256.

Figure 256 Add New SNMPv3 Notify Page

5. In the Notify Name field, enter the name associated with this trap message. Enter a descriptive name of up to 32 alphanumeric characters. For example, you might want to define a trap message for hardware engineering and enter a value of “hardwareengineeringtrap” for the Notify Name.
6.
NonVolatile
Select this storage type if you want the ability to save an entry in the Notify Table to the configuration file. After making changes to a Notify Table entry with a NonVolatile storage type, Save Changes appears on the General Tab.

Note
The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Notify Table entry takes effect immediately.

9. Click Apply to update the SNMPv3 Notify Table.
10.
3. In the SNMPv3 section of the page, click the circle next to Configure Notify Table. Then click Configure at the bottom of the page. The SNMPv3 Notify Table Page is shown in Figure 255 on page 722.
4. Click the circle next to the table entry that you want to change. Then click Modify. The Modify SNMPv3 Notify Page is shown in Figure 257.

Figure 257 Modify SNMPv3 Notify Page

5. In the Notify Tag field, enter a descriptive name of the Notify Tag.
NonVolatile
Select this storage type if you want the ability to save an entry in the Notify Table to the configuration file. After making changes to a Notify Table entry with a NonVolatile storage type, Save Changes appears on the Configuration Tab.

Note
The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Notify Table entry takes effect immediately.

8. Click Apply to update the SNMPv3 Notify Table.
9.
Configuring the SNMPv3 Target Address Table

You can create, delete, and modify an SNMPv3 Target Address Table entry. See the following procedures:
❑ Creating a Target Address Table Entry on page 727
❑ Deleting a Target Address Table Entry on page 730
❑ Modifying Target Address Table Entry on page 730

For reference information about the SNMPv3 Target Address Table, see Configuring the SNMPv3 Target Address Table on page 727.
Figure 258 SNMPv3 Target Address Table Page

4. To create an SNMPv3 Target Address Table entry, click Add. The Add New SNMPv3 Target Address Table Page is shown in Figure 259.
5. In the Target Address Name field, enter the name of the SNMP manager, or host, that manages the SNMP activity on your switch. You can enter a name of up to 32 alphanumeric characters.
6. In the IP Address field, enter the IP address of the host. Use the following format for an IP address: XXX.XXX.XXX.XXX
7. In the UDP Port Number field, enter a UDP port number. You can enter a UDP port in the range of 0 to 65,535. The default UDP port is 162.
8.
NonVolatile
Select this storage type if you want the ability to save an entry in the Target Address Table to the configuration file. After making changes to a Target Address Table entry with a NonVolatile storage type, Save Changes appears on the General Tab.

Note
The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Target Address Table entry takes effect immediately.

13. Click Apply to update the SNMPv3 Target Address Table.
The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the SNMP Tab. The SNMP Tab is shown in Figure 195 on page 596.
3. In the SNMPv3 section of the page, click the circle next to Configure Target Address Table. Then click Configure at the bottom of the page. The SNMPv3 Target Address Table Page is shown in Figure 258 on page 728.
4.
When an Inform message is generated, it requires a response from the switch. The timeout value determines how long the switch considers the Inform message an active message. This parameter applies to Inform messages only. The range is from 0 to 2,147,483,647 milliseconds. The default value is 1500 milliseconds.
9. In the Retries field, enter the number of times the switch retries, or resends, an Inform message.
Configuring the SNMPv3 Target Parameters Table

You can create, delete, and modify an SNMPv3 Target Parameters Table entry. See the following procedures:
❑ Creating a Target Address Table Entry on page 727
❑ Deleting a Target Address Table Entry on page 730
❑ Modifying Target Address Table Entry on page 730

For reference information about the SNMPv3 Target Parameters Table, see Configuring the SNMPv3 Target Parameters Table on page 733.
4. To create an SNMPv3 Target Parameters Table entry, click Add. The Add New SNMPv3 Target Parameter Table Page is shown in Figure 262.

Figure 262 Add New SNMPv3 Target Parameters Table Page

5. In the Target Parameters Name field, enter a name of the SNMP manager or host. Enter a value of up to 32 alphanumeric characters.

Note
Enter a value for the Message Processing Model parameter only if you select SNMPv1 or SNMPv2c as the Security Model.
v3
Select this value to process messages with the SNMPv3 protocol.

7. In the Security Model field, select one of the following SNMP protocols as the Security Model for this Security Name, or User Name.

v1
Select this value to associate the Security Name, or User Name, with the SNMPv1 protocol.

v2c
Select this value to associate the Security Name, or User Name, with the SNMPv2c protocol.
This level provides the greatest level of security. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.

10. In the Storage Type parameter, select one of the following storage types for this table entry:

Volatile
Select this storage type if you do not want the ability to save an entry in the Target Parameters Table to the configuration file.
A warning message is displayed. Click OK to remove the Target Parameters Table entry.
5. To save your changes, return to the General Tab and click Save Changes.

Modifying a Target Parameters Table Entry

To modify an SNMPv3 Target Parameters Table entry, perform the following procedure.
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2.
Note
Enter a value for the Message Processing Model field only if you select SNMPv1 or SNMPv2c as the Security Model. If you select the SNMPv3 protocol as the Security Model, then the switch automatically assigns the Message Processing Model to SNMPv3.

5. In the Message Processing Model field, enter a Security Model that is used to process messages. Select one of the following SNMP protocols:

v1
Select this value to process messages with the SNMPv1 protocol.
Note
If you have selected SNMPv1 or SNMPv2c as the Security Model, you must select No Authentication/Privacy as the Security Level.

Authentication
This option represents authentication, but no privacy protocol. Select this security level if you want to authenticate SNMP users, but you do not want to encrypt messages using a privacy protocol. You can select this value if you configured the Security Model parameter with the SNMPv3 protocol.
Configuring the SNMPv3 Community Table

You can create, delete, and modify an SNMPv3 Community Table entry. See the following procedures:
❑ Creating an SNMPv3 Community Table Entry on page 740
❑ Deleting an SNMPv3 Community Table Entry on page 743
❑ Modifying an SNMPv3 Community Table Entry on page 743

For reference information about the SNMPv3 Community Table, see Configuring the SNMPv3 Community Table on page 740.
Figure 264 SNMPv3 Community Table Page

4. To create an SNMPv3 Community Table entry, click Add. The Add New SNMPv3 Community Table Page is shown in Figure 265.
5. In the Community Index field, enter a numerical value for this Community. This parameter is used to index the other parameters in an SNMPv3 Community Table entry. Enter a value of up to 32 alphanumeric characters.
6. In the Community Name field, enter a Community Name of up to 64 alphanumeric characters. The value of the Community Name parameter acts as a password for the SNMPv3 Community Table entry. This parameter is case sensitive.
making changes to an SNMPv3 Community Table entry with a NonVolatile storage type, Save Changes appears on the General Tab.

Note
The Row Status parameter is a read-only field in the Web interface. The Active value indicates the SNMPv3 Community Table entry takes effect immediately.

10. Click Apply to update the SNMPv3 Community Table.
11. To save your changes, return to the General Tab and click Save Changes.
3. In the SNMPv3 section of the page, click the circle next to Configure Community Table. Then click Configure at the bottom of the page. The SNMPv3 Community Table Page is shown in Figure 264 on page 741.
4. Click the circle next to the SNMPv3 Community Table entry that you want to change. Then click Modify. The Modify SNMPv3 Community Table Page is shown in Figure 266.

Figure 266 Modify SNMPv3 Community Table Page

5.
Note
Do not use a value configured with the User Name parameter in the SNMPv3 User Table.

7. In the Transport Tag field, enter a name of up to 32 alphanumeric characters. The Transport Tag parameter links an SNMPv3 Community Table entry with an SNMPv3 Target Address Table entry. Add the value you configure for the Transport Tag parameter to the Tag List parameter in the Target Address Table as desired. See Creating a Target Address Table Entry on page 727.
8.
Displaying SNMPv3 Tables

This section contains procedures to display the SNMPv3 Tables.
Displaying User Table Entries

To display entries in the SNMPv3 User Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 199 on page 602.
3. From the SNMP Monitoring Tab, click the circle next to View User Table.
4. Click View at the bottom of the page.
Displaying View Table Entries

To display entries in the SNMPv3 View Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to View View Table.
4. Click View at the bottom of the page.
Displaying Access Table Entries

To display entries in the SNMPv3 Access Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to View Access Table.
4.
Displaying SecurityToGroup Table Entries

To display entries in the SNMPv3 SecurityToGroup Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to the View SecurityToGroup Table.
4.
Displaying Notify Table Entries

To display entries in the SNMPv3 Notify Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to View Notify Table.
4.
Displaying Target Address Table Entries

To display entries in the SNMPv3 Target Address Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to View Target Address Table.
4.
Displaying Target Parameters Table Entries

To display entries in the SNMPv3 Target Parameters Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to the View Target Parameters Table.
Displaying SNMPv3 Community Table Entries

To display entries in the SNMPv3 Community Table, perform the following procedure.
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the SNMP Tab. The SNMP Monitoring Tab is shown in Figure 195 on page 596.
3. From the SNMP Monitoring Tab, click the circle next to the View Community Table.
4.
Chapter 41 Port-based VLANs

This chapter explains how to create, modify, and delete VLANs using a web browser management session. In addition, this chapter explains how to change a switch’s VLAN operating mode.
Creating a Port Based VLAN

To create a new port-based or tagged VLAN, perform the following procedure. Before you create a VLAN, you may want to set the VLAN mode for a switch. See Setting the Switch’s VLAN Mode on page 765.
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 2 option.
Figure 276 Port-Based VLANs Page

5. Click Add. The Add New VLAN Page is shown in Figure 277.
6. In the VID field, enter a VID value for the new VLAN. The range of the VID value is 2 to 4094. The default is the next available VID number on the switch. If this is a unique VLAN in your network, its VID must be unique as well. However, if the VLAN is to be part of a larger VLAN that spans multiple switches, assign the same VID value on each switch.
Note
The untagged ports that you assign to the new VLAN are automatically removed from their current VLAN assignment.

To save your changes, return to the General Tab and click Save Changes. The changes you made are saved on the switch.
Modifying a Port-Based VLAN

To modify a port-based or tagged VLAN, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the VLAN Tab.
The Modify VLAN Page is displayed as shown in Figure 278.

Figure 278 Modify VLAN Page

7. Modify the VLAN parameters by referring to Step 7 through Step 8 in the previous procedure, Creating a Port Based VLAN on page 756. When you modify a VLAN, observe the following guidelines:
❑ You cannot change the VID of a VLAN.
❑ You cannot change the name of any VLAN.
8. After making the desired changes, click Apply. The modified VLAN is now ready for network operations.
Deleting a VLAN

To delete a port-based or tagged VLAN from the switch, perform the following procedure:
1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the VLAN Tab.
Displaying VLANs

To display all the existing VLANs on a switch, perform the following procedure:
1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 2 option. The Monitoring Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the VLAN Tab.
The Port-Based VLANs Page is shown in Figure 280.

Figure 280 Monitoring, Port-Based VLANs Page

The VLANs are displayed in a table. The columns in the table are:

VLAN ID
    VID value for the VLAN.
Name
    Name of the VLAN.
Type
    The VLAN type: port-based or tagged.
Protocol
    The only option is GVRP.
Tagged(T)/Untagged(U) Ports
    Which ports are tagged (T) and which are untagged (U).
Setting the Switch’s VLAN Mode

This section contains the procedure for setting a switch’s VLAN mode. You can configure a switch to support port-based and tagged VLANs or to operate in the Basic VLAN mode. A change to VLAN status is not activated until you reset the switch.

Note
Refer to Chapter 18, Tagged and Port-based Virtual LANs on page 401, for descriptions of port-based and tagged VLANs and the Basic VLAN mode.
Chapter 42 GARP VLAN Registration Protocol

This chapter contains the following procedures:
❑ Configuring GVRP on page 767
❑ Resetting GVRP to the Defaults on page 769
❑ Modifying the GVRP Port Configuration on page 770
❑ Displaying the GVRP Settings on page 771

Note
For background information on GVRP, refer to Chapter 20: GARP VLAN Registration Protocol on page 766.
Configuring GVRP

To configure GVRP, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the GVRP Tab. The GVRP Tab is shown in Figure 281.
4. Configure the following parameters:

Enable GVRP
    Click in this box to enable GVRP.
Leave Time
    Sets the duration of the Leave Period timer. The range is from 30 to 180 centiseconds and the default is 60.
Join Time
    Sets the duration of the Join Period timer. The range is from 10 to 60 centiseconds and the default is 20.
Enable GIP
    Enables the operation of GIP.
Resetting GVRP to the Defaults

To reset GVRP to the defaults:

1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the GVRP Tab. The GVRP Tab is shown in Figure 281 on page 767.
Modifying the GVRP Port Configuration

To modify the GVRP port configuration:

1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. From the Configuration menu, select the Layer 2 option. The Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the GVRP Tab.
Displaying the GVRP Settings

The procedures in this section allow you to display the various GVRP settings.
The GVRP Tab is shown in Figure 283.

Figure 283 Monitoring Layer 2 Page, GVRP Tab

4. To view the port configuration, click the circle next to View Port Configuration in the View GVRP Parameters section of the page. Then click View.
The GVRP Port Configuration Page is shown in Figure 284.

Figure 284 GVRP Port Configuration Page

Displaying the GVRP Counters

To display the GVRP Port Counters, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 2 option.
The GVRP Counters Page is shown in Figure 285.

Figure 285 GVRP Counters Page

The information on this page is described below:

Receive: Total GARP Packets
    Total number of GARP packets (PDUs) received by this GARP application.
Transmit: Total GARP Packets
    Total number of GARP packets (PDUs) transmitted by this GARP application.
Receive: Invalid GARP Packets
    Number of invalid GARP packets (PDUs) received by this GARP application.
Transmit Discarded: GARPDisabled
    Number of GARP packets (PDUs) discarded because the GARP application was disabled. This counter is incremented when ports are added to or deleted from the GARP application arising from port movements in the underlying VLAN or STP.
Receive Discarded: Port Not Listening
    Number of GARP packets (PDUs) discarded because the port that the packets were received on was not listening, that is, MODE=NONE has been set on the port.
Transmit GARP Messages: JoinIn
    Total number of GARP JoinIn messages transmitted for all attributes in the GARP application.
Receive GARP Messages: LeaveEmpty
    Total number of GARP LeaveEmpty messages received for all attributes in the GARP application.
Transmit GARP Messages: LeaveEmpty
    Total number of GARP LeaveEmpty messages transmitted for all attributes in the GARP application.
The GVRP Database Page is shown in Figure 286.

Figure 286 GVRP Database Page

The information on this page is described in Table 18.

Table 18 GARP Database Parameters

Parameter    Meaning
GID index    Value of the GID index corresponding to the attribute. GID indexes begin at 0. If the GARP application has no attributes presently registered, “No attributes have been registered” is displayed.
VLAN ID      Value of the attribute.
Displaying GIP Connected Ports Ring

To display the GIP Connected Ports Ring information, perform the following procedure.

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 2 option. The Monitoring Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the GVRP Tab.
The information on this page is described in Table 19.

Table 19 GIP Connected Ports Ring Parameters

Parameter           Meaning
GARP Application    Identifies the GARP application, that is, “GVRP.”
GIP Context ID      A number assigned to the instance for the GIP context.
STP ID              Present if the GARP application is GVRP; identifies the STP that has these ports connected in the GIP connected ring.
Ring                Ring of connected ports.

Displaying GVRP State Machine
The GVRP State Machine Page is shown in Figure 288.

Figure 288 GVRP State Machine Page

The information on this page is described in Table 20.

Table 20 GVRP State Machine Parameters

Parameter    Meaning
Port         Port number on the switch; this port belongs to the GARP application. If the GARP application has no ports, “No ports have been assigned” is displayed.
Table 20 GVRP State Machine Parameters (Continued)

Parameter    Meaning
App          Applicant state machine for the GID index on that particular port.
Table 20 GVRP State Machine Parameters (Continued)

Parameter    Meaning
App (Continued)
    Non-Participant Management state:
    “Von” Very Anxious Observer
    “Aon” Anxious Observer
    “Qon” Quiet Observer
    “Lon” Leaving Observer
    “Vpn” Very Anxious Passive Member
    “Apn” Anxious Passive Member
    “Qpn” Quiet Passive Member
    “Van” Very Anxious Active Member
    “Aan” Anxious Active Member
    “Qan” Quiet Active Member
    “Lan” Leaving Active Member
    The initialized state f
Chapter 43 Port Security

This chapter explains how to display the port security status using a web browser management session. It contains the following procedure:
❑ Displaying the Port Security Level on page 784

Note
For background information on port security, refer to Port Security Overview on page 470.

Note
You cannot set up port security from a web browser management session. To set port security, use a local or Telnet management session.
Displaying the Port Security Level

To display the switch’s port security levels, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 2 option. The Monitoring Layer 2 Page is displayed with the MAC Address Tab selected by default, as shown in Figure 212 on page 634.
3. Select the Port Security Tab.
4. Click on the ports to display their security status. After you click on a port, it turns white. You can select multiple ports to display. (To deselect a port, click it again.)
5. Click View. The Security for Ports Page is shown in Figure 290. This page displays the current security levels of the ports you selected.
❑ Lock all ports: The Lock All Ports security level causes the switch to immediately stop learning new dynamic MAC addresses on behalf of the specified port.

For detailed information about the security mode parameter, see Port Security Overview on page 470.

Intruder Action
    Indicates the action taken by the port if the security on the port is violated.
Chapter 44 Web Server Security

This chapter about web server security contains the following procedures:
❑ Displaying the Encryption Keys on page 788
❑ Displaying the PKI Settings on page 790
❑ Displaying the SSL Settings on page 794

Note
For background information on encryption, refer to Encryption Overview on page 485. For background information on PKI, refer to Public Key Infrastructure Overview on page 502. For information about SSL, refer to Secure Sockets Layer Overview on page 524.
Displaying the Encryption Keys

To display the encryption keys, perform the following procedure:

Note
You cannot set up the encryption keys from a web browser management session. To set the encryption keys, use a local or Telnet management session. For more information, see Configuring Keys for Encryption on page 491.

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
The following information is displayed:

Key ID
    The identification number for the key.
Algorithm
    The encryption algorithm for the key. The only option is RSA.
Length
    The length of the key in bytes.
Digest
    CRC value of the MD5 digest of the key data.
Description
    The name or description of the key.

4. To view the latest list of keys, click Refresh.
Displaying the PKI Settings

To display the PKI settings, perform the following procedure:

Note
You cannot set up PKI from a web browser management session. To set up PKI, use a local or Telnet management session. For more information, see Chapter 24, Public Key Infrastructure (PKI) on page 501.

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2.
The PKI Tab is shown in Figure 292.

Figure 292 Monitoring Security Page, PKI Tab

The following information is displayed:

Name
    The name of the PKI certificate.
State
    Shows whether or not the certificate is automatically trusted.
MTrust
    Indicates you verified the certificate is from a trusted authority or from an untrusted authority.
Type
    The certificate type: CA, EE, or Self.
Source
    Indicates the certificate was created on the switch.
5. To view detailed information about the certificate, select the certificate and then click View. The Certificate Page is shown in Figure 293.

Figure 293 Certificate Page

The following fields are displayed:

Name - Lists the name of the certificate.
State - Indicates the certificate is Trusted or Untrusted.
Manually Trusted - Indicates you verified the certificate is from a trusted authority or from an untrusted authority.
Type - Indicates the type of the certificate.
Subject - Lists the Subject Distinguished Name.
Issuer - Lists the Distinguished Name of the issuer of the certificate.
MD5 Fingerprint - The MD5 digest of the certificate. This value provides a unique sequence for each certificate consisting of 16 bytes.
SHA1 Fingerprint - The Secure Hash Algorithm digest of the certificate. This value provides a unique sequence for each certificate consisting of 20 bytes.
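The MD5 and SHA1 fingerprint fields are the values to compare against a fingerprint obtained out of band from the issuer. The following is an added example, not part of the AT-S60 guide or software: it assumes the digests are taken over the certificate's DER encoding (the usual convention), and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Digest lengths stated in the field descriptions above.
EXPECTED_LEN = {"md5": 16, "sha1": 20}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Extract the DER bytes from the first CERTIFICATE block in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def fingerprints(der):
    """Return the raw MD5 and SHA-1 digests of the encoded certificate."""
    return {
        "md5": hashlib.md5(der).digest(),
        "sha1": hashlib.sha1(der).digest(),
    }


def format_fp(digest):
    """Render a digest as colon-separated upper-case hex pairs."""
    return ":".join(f"{byte:02X}" for byte in digest)


def parse_fp(text):
    """Accept a fingerprint typed with colons, spaces, dots, dashes or none."""
    hex_only = re.sub(r"[\s:.\-]", "", text)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hex_only):
        raise ValueError("fingerprint is not a whole number of hex byte pairs")
    return bytes.fromhex(hex_only)


def matches_displayed(der, displayed, algorithm):
    """Compare the value shown on the Certificate Page with a local copy."""
    shown = parse_fp(displayed)
    if len(shown) != EXPECTED_LEN[algorithm]:
        raise ValueError(
            f"{algorithm} fingerprint must be {EXPECTED_LEN[algorithm]} bytes, "
            f"got {len(shown)}"
        )
    return hmac.compare_digest(fingerprints(der)[algorithm], shown)


# Constructed stand-in for a certificate's DER bytes (not a real X.509 object).
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name, digest in fingerprints(der).items():
        print(f"{name:5} {format_fp(digest)}")
    # MD5 collisions are practical, so check the SHA-1 value as well
    # rather than relying on the MD5 fingerprint alone.
    shown_on_switch = format_fp(hashlib.sha1(der).digest())
    print("SHA1 matches:", matches_displayed(der, shown_on_switch, "sha1"))
```
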
Displaying the SSL Settings

To view the SSL settings, perform the following procedure:

Note
You cannot set up SSL from a web browser management session. To set up SSL, use a local or Telnet management session. For more information, see Configuring SSL on page 528.

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Layer 2 option.
The following information is displayed:

Maximum Number of Sessions
    The maximum number of SSL sessions allowed in the cache. The cache is used to speed up the SSL connections by removing previous sessions if possible.
Session Cache Timeout
    The maximum time that a session is retained in the cache.
Chapter 45 TACACS+ and RADIUS Protocols

This chapter contains instructions on how to configure the authentication protocols. This chapter contains the following procedures:
❑ Enabling TACACS+ or RADIUS on page 797
❑ Configuring TACACS+ on page 799
❑ Configuring RADIUS on page 801
❑ Displaying the TACACS+ Settings on page 803
❑ Displaying the RADIUS Settings on page 805

Note
For background information on the authentication protocols, refer to TACACS+ and RADIUS Overview on page 541.
Enabling TACACS+ or RADIUS

To configure the authentication protocols, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the Server-based Authentication Tab. The Server-based Authentication Tab is shown in Figure 295.

Figure 295 Configuration System Page, Server-based Authentication Tab

3.
5. Click Apply.
6. To save your changes, return to the General Tab and click Save Changes. The changes you made are saved on the switch.
Configuring TACACS+

To configure TACACS+, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the Server-based Authentication Tab. The Server-based Authentication Tab is displayed as shown in Figure 295 on page 797.
3. Click the check circle next to TACACS+ Configuration and click Configure.
Global Server Timeout
    This parameter specifies the maximum amount of time the switch waits for a response from a TACACS+ server before assuming the server cannot respond. If the timeout expires and the server has not responded, the switch queries the next TACACS+ server in the list. If there aren’t any more servers, then the switch defaults to the standard Manager and Operator accounts. The default is 30 seconds. The range is from 1 to 30 seconds.
Configuring RADIUS

To configure RADIUS, perform the following procedure:

1. From the Home Page, select Configuration. The Configuration System Page is displayed with the General Tab selected by default, as shown in Figure 192 on page 584.
2. Select the Server-based Authentication Tab. The Server-based Authentication Tab is displayed as shown in Figure 295 on page 797.
3. Click the check circle next to RADIUS Configuration and click Configure.
IP Address, Port #, and Encryption Key
    Use these fields to specify the IP address, UDP port number, and encryption key of each RADIUS server. You can specify up to a maximum of three servers. You can leave the encryption field blank if you entered the server’s key in the Global Secret field.

5. After you have finished configuring the parameters, click Apply.
6. To save your changes, return to the General Tab and click Save Changes.
Displaying the TACACS+ Settings

To display the TACACS+ settings, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Server-based Authentication Tab. The Server-based Authentication Tab is shown in Figure 298.

Figure 298 Monitoring System Page, Server-based Authentication Tab

3.
The TACACS+ Client Configuration Page is shown in Figure 299.

Figure 299 TACACS+ Client Configuration Page

5. Click Cancel to close the page.
Displaying the RADIUS Settings

To display the RADIUS settings, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab selected by default, as shown in Figure 194 on page 592.
2. Select the Server-based Authentication Tab. The Server-based Authentication Tab is shown in Figure 298 on page 803.
3. Click on RADIUS Settings.
4. Click View.
Chapter 46 802.1x Port-based Network Access Control

This chapter describes how to configure and display port-based access control information using a web browser management session. It contains the following procedures:
❑ Configuring Port Access on page 807
❑ Displaying 802.1x Port-Based Access Control Information on page 816

Note
For background information on this feature, refer to Chapter 28: 802.1x Port-based Access Network Control Overview on page 550.
Configuring Port Access

The 802.1x Port-based Access Control feature uses the RADIUS authentication protocol. Before you configure port-based access on the switch, you must first configure RADIUS with EAP. See Chapter 45: TACACS+ and RADIUS Protocols.

To configure the port-based access feature, there are several tasks you need to accomplish. First, you enable port-based access on the switch. Then you have the option of enabling RADIUS accounting as well.
Figure 301 802.1x Port Access Tab

4. Click the Enable Port Access check box. A check in the box means the feature is activated on the switch. No check means the feature is disabled. Port Access is disabled by default.

Note
Authentication Method - RADIUS EAP is the only selection.
5. After setting the parameters, click Apply. Your changes are activated on the switch.
6. To save your changes, return to the General Tab and click Save Changes.

Configuring RADIUS Accounting

This section describes how to configure the RADIUS accounting feature from a web browser management session. For background information, refer to Configuring RADIUS Accounting on page 568.
Enable Update
    Controls whether the switch is to send interim accounting updates to the RADIUS server. The default is disabled. If you enable this feature, use the next option to specify the intervals at which the switch is to send the accounting updates.
Update Interval
    Specifies the intervals at which the switch is to send interim accounting updates to the RADIUS server. The range is 30 to 300 seconds. The default is 60 seconds.

5.
The Port Role Configuration Page is displayed, as shown in Figure 302.

Figure 302 Port Role Configuration Page

5. To assign a role to a port, click the circle next to None, Authenticator, or Supplicant.
None - The port does not participate in access control. This is the default.
A - The port performs the role of authenticating the supplicants that are connected to the port.
S - The port becomes a Supplicant to the Authenticator port.
6. Click Apply.
The Configuration 802.1x Port Access Tab is displayed as shown in Figure 301 on page 808.

Note
You must set the port role as authenticator before you can configure an authenticator port. See Setting the Port Role on page 810.

4. Click on an authenticator port or ports and click Settings. The Authenticator Parameters Page is displayed, as shown in Figure 303.

Figure 303 Authenticator Parameters Page

5.
❑ Force-authorized: Disables 802.1X port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client.
❑ Force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
Configuring a Supplicant Port

This section provides a procedure to configure the supplicant port settings using a web browser management session. Before you can configure supplicant settings, you need to set the role of the port on the switch to supplicant. See Setting the Port Role on page 810.

To configure a supplicant port, perform the following procedure:

1. On the Home Page, select Configuration.
5. Configure the following parameters:

Auth Period - This is the initialization time used by the authentication timer. The value is in seconds. The default is 30 seconds. The range is 1 to 300 seconds.
Max Start - This parameter determines the maximum number of successive EAPOL Start messages that are sent before the Supplicant assumes there is no Authenticator. The value is in whole numbers. The default is 3 messages. The range is from 1 to 10 messages.
Displaying 802.1x Port-Based Access Control Information

To display the 802.1x port-based access control information, perform the following procedure:

1. From the Home Page, select Monitoring. The Monitoring System Page is displayed with the General Tab shown by default.
2. Select the Layer 1 option. The Layer 1 Page is displayed with the Port Settings Tab shown by default.
3. Select the 802.1x Port Access Tab. The 802.1x Port Access Tab is displayed as shown in Figure 305.
4. To display the status of the port, click the port or ports to select it and click Status. Or, to display the port access settings, go to step 5.

Note
All the ports must have the same port role (authenticator or supplicant) to view the status of multiple ports.

A Port Status Page is displayed, as shown in Figure 306.

Figure 306 Port Access Port Status Page

5. To display the port access settings, select a port or ports and click Settings.
For authenticator port(s), the Authenticator Port Parameters Page is displayed, as shown in Figure 307.

Figure 307 Authenticator Port Parameters Page

For a description of the parameters displayed on the above page, refer to Configuring an Authenticator Port on page 811.

For supplicant port(s), the Supplicant Port Parameters Page is displayed, as shown in Figure 308.
For a description of the parameters displayed on the Supplicant Port Parameters page, refer to Configuring a Supplicant Port on page 814.
Appendix A AT-S60 Default Settings

This appendix lists the AT-S60 factory default settings.

Basic Switch Default Settings

This section lists the default settings for basic switch parameters.
Management Interface Setting         Default
Operator Password                    operator (case-sensitive)
Console Disconnect Timer Interval    10 minutes
Negotiation                          Auto (see Note)
STP State                            Forwarding
Security Mode                        Automatic

Note
For the AT-8412/SC FX and AT-8412/MT FX line cards, the default setting for Negotiation is Manual. For all the other line cards, the default setting for Negotiation is Auto.
Switch Administration Default Settings

The following table describes the switch administration default settings.

Administration Setting    Default
IP Address                0.0.0.0
Subnet Mask               0.0.0.0
Gateway Address           0.0.0.0
System Name               None
Administrator             None
Comments                  None
BOOTP/DHCP                Disabled
Console Baud Rate         9600 bps
MAC Address Aging Time    300 seconds

System Software Default Settings

The following table lists the system software default settings.
Enhanced Stacking Default Setting

The following table lists the Enhanced Stacking default setting.

Event Log Settings

This section lists the default settings for the Event Log feature.

IGMP Snooping Default Settings

The following table lists the IGMP Snooping default settings.

PKI Default Settings

The following table lists the PKI default settings, including the generate enrollment request settings.

Port Configuration Default Settings

The following table lists the port configuration default settings.

Port Security Default Settings

The following table lists the port security default settings.
Server-Based Authentication Default Settings

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-Based Authentication Default Settings

The following table describes the server-based authentication default settings.

RADIUS Default Settings

TACACS+ Client Default Settings
SNMP Default Settings

This section lists the default settings for the SNMPv1 and SNMPv2c protocols. There are no default settings for the SNMPv3 protocol.

The following table describes the SNMPv1 and SNMPv2c default settings.

SSH Default Settings

The following table lists the SSH and the SSH server default settings.

SSL Default Settings

The following table lists the SSL default settings.
STP, RSTP, and MSTP Default Settings

This section provides the STP switch, STP, RSTP, and MSTP default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

STP Switch Setting         Default
Spanning Tree Status       Disabled
Active Protocol Version    RSTP

STP Default Settings

The following table describes the STP default settings.
RSTP Default Settings

The following table describes the RSTP default settings.

RSTP Setting         Default
Force Version        RSTP
Bridge Priority      32768
Bridge Hello Time    2
Bridge Forwarding    15
Bridge Max Age       20
Edge Port            Yes
Point-to-Point       Auto Detect
(Port) Cost          Automatic Update
(Port) Priority      128

MSTP Default Settings

The following table describes the MSTP default settings.
MSTP Setting     Default
Internal Cost    Auto Update
Port Priority    128
VLAN Default Settings

This section provides VLAN, GARP, and GVRP default settings.

VLAN Default Settings

The following table lists the VLAN default settings.

VLAN Setting          Default
Default VLAN Name     Default_VLAN (all ports)
Management VLAN ID    1 (Default_VLAN)
VLAN Mode             User Configured
Uplink Port           None

GARP and GVRP Default Settings

The following table lists the GARP and GVRP default settings.
Web Server Default Settings

The following table lists the Web Server default settings.

802.1x Port-Based Network Access Control Default Settings

The following table describes the 802.1x Port Access Control default settings.

802.
Appendix B SNMPv3 Configuration Examples

This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus. In addition, a worksheet is provided which you can use as an aid when configuring the SNMPv3 protocol.

SNMPv3 Configuration Examples

This appendix provides SNMPv3 configuration examples for the following types of users:
❑ a Manager
❑ an Operator

In addition an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 17: SNMPv3 Configuration on page 293.

SNMPv3 Manager Configuration

This section provides a sample configuration for a Manager with a User Name of systemadmin24.
Configure SNMPv3 SecurityToGroup Table
    User Name: systemadmin24
    Security Model: v3
    Group Name: Managers
    Storage Type: NonVolatile

Configure SNMPv3 Notify Table
    Notify Name: sysadminTrap
    Notify Tag: sysadminTag
    Notify Type: Trap
    Storage Type: NonVolatile

Configure SNMPv3 Target Address Table
    Target Address Name: host451
    Target IP Address: 198.35.11.
Configure SNMPv3 View Table Menu
    View Name: internet
    View Subtree OID: 1.3.6.1 (or internet)
    Subtree Mask:
    View Type: Included
    Storage Type: NonVolatile

Configure SNMPv3 Access Table
    Group Name: Operators
    Security Model: SNMPv3
    Security Level: Authentication
    Read View Name: internet
    Write View Name:
    Notify View Name:

SNMPv3 Worksheet

This section provides a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

SNMPv3 Access Table Menu
    Group Name
    Security Model
    Security Level
    Read View Name
    Write View Name
    Notify View Name
    Storage Type

SNMPv3 SecurityToGroup Table
    User Name
    Security Model
    Group Name
    Storage Type

SNMPv3 Notify Table
    Notify Name
    Notify Tag
    Notify Type
    Storage Type

SNMPv3 Target Address Table
    Target Address Name
    Target IP Address
    UDP Port
    Timeout
    Retries
    Tag List
    Target Parms Name
    Storage Type

SNMPv3 Target Parameters Table
    Target Parameters Name
    User (Security) Name
    Security Model
    Security Level
    Storage Type
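The SNMPv3 tables in this appendix refer to one another by name (user to group, group to views, notify tag to target tag list, target to target parameters), and a mistyped name leaves an entry that silently grants or delivers nothing. The following is an added example, not part of the AT-S60 guide or software: it checks a filled-in worksheet for dangling references, using the Manager values from this appendix; the Access row for Managers, the target IP address 192.0.2.10 and the name host451Parms are constructed placeholders.

```python
import copy


def check_snmpv3(cfg):
    """Return sorted findings for names that point at no table entry."""
    users = {row["user_name"] for row in cfg["user"]}
    views = {row["view_name"] for row in cfg["view"]}
    access_groups = {row["group_name"] for row in cfg["access"]}
    parms = {row["target_parms_name"] for row in cfg["target_parameters"]}
    mapped_users = {row["user_name"] for row in cfg["security_to_group"]}
    target_tags = set()
    for row in cfg["target_address"]:
        target_tags.update(row["tag_list"].split())

    findings = []
    for name in users - mapped_users:
        findings.append(f"User {name}: no SecurityToGroup entry")
    for row in cfg["security_to_group"]:
        if row["user_name"] not in users:
            findings.append(
                f"SecurityToGroup: user {row['user_name']} is not in the User table")
        if row["group_name"] not in access_groups:
            findings.append(
                f"SecurityToGroup: group {row['group_name']} has no Access entry")
    for row in cfg["access"]:
        for field in ("read_view", "write_view", "notify_view"):
            view = row[field]
            # A blank view name means no view is configured for that operation.
            if view and view not in views:
                findings.append(
                    f"Access {row['group_name']}: {field} {view} "
                    "is not in the View table")
    for row in cfg["notify"]:
        if row["notify_tag"] not in target_tags:
            findings.append(
                f"Notify {row['notify_name']}: tag {row['notify_tag']} "
                "is on no Target Address tag list")
    for row in cfg["target_address"]:
        if row["target_parms_name"] not in parms:
            findings.append(
                f"Target Address {row['name']}: parameters "
                f"{row['target_parms_name']} are not defined")
    for row in cfg["target_parameters"]:
        if row["user_name"] not in users:
            findings.append(
                f"Target Parameters {row['target_parms_name']}: user "
                f"{row['user_name']} is not in the User table")
    return sorted(findings)


# Manager example from this appendix; values marked "constructed" are
# placeholders that do not come from the guide.
GOOD = {
    "user": [{"user_name": "systemadmin24"}],
    "view": [{"view_name": "internet", "subtree_oid": "1.3.6.1",
              "view_type": "Included"}],
    "access": [{"group_name": "Managers", "security_model": "v3",
                "read_view": "internet", "write_view": "internet",
                "notify_view": "internet"}],            # constructed row
    "security_to_group": [{"user_name": "systemadmin24",
                           "security_model": "v3",
                           "group_name": "Managers"}],
    "notify": [{"notify_name": "sysadminTrap", "notify_tag": "sysadminTag",
                "notify_type": "Trap"}],
    "target_address": [{"name": "host451",
                        "ip": "192.0.2.10",              # constructed
                        "tag_list": "sysadminTag",
                        "target_parms_name": "host451Parms"}],  # constructed
    "target_parameters": [{"target_parms_name": "host451Parms",
                           "user_name": "systemadmin24"}],
}

# Same worksheet with two constructed slips: a write view that was never
# defined and a tag list that no longer carries the notify tag.
BAD = copy.deepcopy(GOOD)
BAD["access"][0]["write_view"] = "private"
BAD["target_address"][0]["tag_list"] = "operTag"

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_snmpv3(cfg) or "no dangling references")
```
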
Index storage type 380 user name 374 SNMPv3 Target Parameters Table, described 302 SNMPv3 trap 297 SNMPv3 User Table entry creating 305, 698 deleting 309, 701 displaying 391, 747 modifying 702 authentication protocol 310 authentication protocol password 310 privacy protocol 312 privacy protocol password 312 SNMPv3 User Table, described 301 SNMPv3 View Table entry 319, 321 creating 315, 705 deleting 318, 707 displaying 393, 748 modifying 708 storage type, modifying 322 SNMPv3 View Table, described 301 snoop
AT-S60 Management Software User’s Guide system configuration file copying 162 creating 158 renaming 162 setting 156 viewing 159 See also system files system files copying 162 deleting 163 displaying 165 downloading 180 renaming 162 uploading 188 See also system configuration file system name parameter 49, 585, 823 system name, configuring 49, 585 system software default settings 823 system time parameter 61, 588, 822 system time, setting 59, 588 T TAC global secret parameter 546, 830 TAC server order param
Index Virtual LANs (VLANs) associating to MSTI IDs 687 VLAN and MSTI associations 263 VLAN ID parameter 463, 777 VLAN identifier (VID) 404, 423, 758 VLAN mode parameter 440, 837 VLAN, port-based. See port-based VLAN VLAN, tagged. See tagged VLAN VLAN. See virtual LAN (VLAN) Volatile storage 297 W web browser management session defined 31 disabling 64 limitations 31 quitting 581 starting 579 web server configuring 479 overview 478 web server mode parameter 480 web server status parameter 480, 838 X X.