AT-S63 Management Software Features Guide
For Stand-alone AT-9400 Switches and AT-9400Ts Stacks
AT-S63 Version 2.2.0 for AT-9400 Layer 2+ Switches
AT-S63 Version 4.1.0 for AT-9400 Basic Layer 3 Switches
613-001022 Rev.
Copyright 2009 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Allied Telesis and the Allied Telesis logo are trademarks of Allied Telesis, Incorporated. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesis, Inc.
Preface

This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software.
How This Guide is Organized

This guide has the following sections and chapters:

Section I: Basic Operations
Chapter 1, “Overview” on page 33
Chapter 2, “AT-9400Ts Stacks” on page 63
Chapter 3, “Enhanced Stacking” on page 81
Chapter 4, “SNMPv1 and SNMPv2c” on page 91
Chapter 5, “MAC Address Table” on page 97
Chapter 6, “Static Port Trunks” on page 101
Chapter 7, “LACP Port Trunks” on page 107
Chapter 8, “Port Mirror” on page 115
Chapter 9, “Link-flap Protection” on page 119
Section II: Advanc
Chapter 23, “Ethernet Protection Switching Ring Snooping” on page 243
Section IV: SNMPv3
Chapter 24, “SNMPv3” on page 253
Section V: Spanning Tree Protocols
Chapter 25, “Spanning Tree and Rapid Spanning Tree Protocols” on page 269
Chapter 26, “Multiple Spanning Tree Protocol” on page 289
Section VI: Virtual LANs
Chapter 27, “Port-based and Tagged VLANs” on page 311
Chapter 28, “GARP VLAN Registration Protocol” on page 325
Chapter 29, “Multiple VLAN Modes
Appendix B, “SNMPv3 Configuration Examples” on page 543
Appendix C, “Features and Standards” on page 549
Appendix D, “MIB Objects” on page 557
Product Documentation

For overview information on the features of the AT-9400 Switches and the AT-S63 Management Software, refer to: AT-S63 Management Software Features Guide (PN 613-001022)

For instructions on how to start a local or remote management session on stand-alone AT-9400 Switches or AT-9400Ts Stacks, refer to: Starting an AT-S63 Management Session Guide (PN 613-001023)

For instructions on how to install or manage stand-alone AT-9400 Switches, re
Where to Go First

Allied Telesis recommends that you read Chapter 1, “Overview” on page 33 in this guide before you begin to manage the switch for the first time. There you will find a variety of basic information about the unit and the management software, such as the two manager access levels and the different types of management sessions. You should also read Chapter 2, “AT-9400Ts Stacks” on page 63 if you are managing a stack of the AT-9424Ts, AT-9424Ts/XP and AT-9448Ts/XP Switches.
Starting a Management Session

For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide.
Document Conventions

This document uses the following conventions:

Note: Notes provide additional information.
Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
Contacting Allied Telesis

This section provides Allied Telesis contact information for technical support and for sales and corporate information.

Online Support: You can request technical support online by accessing the Allied Telesis Knowledge Base: www.alliedtelesis.com/support/kb.aspx. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Section I: Basic Operations

The chapters in this section contain background information on basic switch features.
Chapter 1: Overview

This chapter has the following sections:

“Layer 2+ and Basic Layer 3 Switches” on page 34
“AT-S63 Management Software” on page 40
“Management Interfaces” on page 41
“Management Access Methods” on page 47
“Manager Access Levels” on page 49
“Installation and Management Configurations” on page 50
“IP Configuration” on page 51
“Configuration Files” on page 52
“Redundant Twisted Pair Ports” on page 53
“History of New Features” on page 55
Layer 2+ and Basic Layer 3 Switches

The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups:

Layer 2+ Switches:
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP

Basic Layer 3 Switches:
AT-9424T
AT-9424T/POE
AT-9424Ts
AT-9424Ts/XP
AT-9448T/SP
AT-9448Ts/XP

Although the switches have many of the same features and capabilities, there are a number of significant differences.
Table 1. Basic Operations
Table 2. Advanced Operations

Columns: Layer 2+ Switches (08LC, 24GB, 24SP), Basic Layer 3 Switches (24T, 24T POE, 24Ts, 24XP, 48SP, 48XP), Stack.
Rows: Class of Service (supported on all platforms), Quality of Service (supported on all platforms), Group link control, Denial of service defenses, Power over Ethernet. The remaining support marks for this table could not be recovered from the scanned layout.

1. The only accessible file system in a stack is the one on the master switch.
2.
Table 4. SNMPv3

Columns: Layer 2+ Switches (08LC, 24GB, 24SP), Basic Layer 3 Switches (24T, 24T POE, 24Ts, 24XP, 48SP, 48XP), Stack.
SNMPv3: supported on all ten platforms.

Table 5.
Table 6. Virtual LANs

Columns: Layer 2+ Switches (08LC, 24GB, 24SP), Basic Layer 3 Switches (24T, 24T POE, 24Ts, 24XP, 48SP, 48XP), Stack.
Rows: GARP VLAN Registration Protocol, Protected ports VLANs, MAC address-based VLANs. The support marks for this table could not be recovered from the scanned layout.

Table 7.
Table 8. Port Security

Columns: Layer 2+ Switches (08LC, 24GB, 24SP), Basic Layer 3 Switches (24T, 24T POE, 24Ts, 24XP, 48SP, 48XP), Stack.
MAC address-based port security: supported on all ten platforms.
802.1x port-based network access control using RADIUS protocol: supported on all ten platforms.

Table 9.
AT-S63 Management Software

The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged unit.

Note: The default settings are listed in Appendix A, “AT-S63 Management Software Default Settings” on page 505.
Management Interfaces

The AT-S63 Management Software has four management interfaces:

Standard command line
AlliedWare Plus command line
Menus
Web browser windows

As shown in Table 10, the standard command line and the web browser windows are supported on all of the possible platforms: stand-alone AT-9400 Layer 2+ Switches, stand-alone AT-9400 Basic Layer 3 Switches, and AT-9400 Stacks.
In other cases, a management interface might support only part of a function. For example, you can set a switch or stack’s name, contact or location with any of the management interfaces except the AlliedWare Plus command line, which only lets you set the name. The following tables list the features you can configure from the various management interfaces for stand-alone switches and AT-9400Ts Stacks.
Table 11. Management Interfaces for Basic Operations

Columns: Stand-alone Switches (SCL, ACL, M, WB) and Stacks (SCL, ACL, WB), where SCL is the standard command line, ACL the AlliedWare Plus command line, M the menus and WB the web browser windows.
Rows: Baud rate of the Terminal Port, Management console timer, Telnet server, Console startup mode. The support marks for this table could not be recovered from the scanned layout.

1. You can use the AlliedWare Plus command line to set the name of the switch or stack, but not the contact or location.

Table 12.
4. You cannot upload or download files to a compact flash card with the web browser windows. Also, that interface does not support switch-to-switch uploads.
5. You cannot upload or download files to a compact flash card with the web browser interface.
6. You cannot modify the event log full action from the web browser windows.

Table 13.
Table 15. Management Interfaces for Spanning Tree Protocols

Columns: Stand-alone Switches (SCL, ACL, M, WB) and Stacks (SCL, ACL, WB).
Multiple Spanning Tree Protocol (MSTP): supported from all four stand-alone interfaces; the stack marks could not be recovered from the scanned layout.

Table 16. Management Interfaces for Virtual LANs

Columns: Stand-alone Switches (SCL, ACL, M, WB) and Stacks (SCL, ACL, WB).
Port-based and tagged VLANs: supported from all seven interfaces.
802.1Q-compliant and non-802.
Table 18. Management Interfaces for Port Security

Columns: Stand-alone Switches (SCL, ACL, M, WB) and Stacks (SCL, ACL, WB).
Rows: MAC address-based port security, 802.1x port-based network access control. Both rows are marked as supported on six of the seven interfaces; which interface is unmarked could not be recovered from the scanned layout.

Table 19.
Management Access Methods

You can access the AT-S63 Management Software on a switch in several ways:

Local session
Remote Telnet session
Remote Secure Shell (SSH) session
Remote web browser (HTTP or HTTPS) session
Remote SNMP session

Local Management Sessions

To establish a local management session, you connect a terminal or a PC with a terminal emulator program to the Terminal Port on the front panel of the stand-alone switch or the master switc
Remote Secure Shell (SSH) Sessions

The AT-S63 Management Software also has a Secure Shell (SSH) server for remote management from SSH clients on your network. An SSH management session is similar to a Telnet management session except that it uses encryption to protect the session from snooping.
Manager Access Levels

The AT-S63 Management Software has two manager access levels: manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level only lets you view the parameter settings. You log in by entering the appropriate username and password when you start a management session. To log in as a manager, type “manager” as the login name. The default password is “friend”.
Installation and Management Configurations

The AT-9400 Switches can be installed in three configurations.

Stand-alone Switches: All the AT-9400 Switches can be installed as managed or unmanaged, stand-alone Gigabit Ethernet switches.

AT-9400Ts Stacks: The AT-9424Ts, AT-9424Ts/XP and AT-9448Ts/XP Switches can be installed as a stack. This requires the AT-StackXG Stacking Module.
IP Configuration

Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or will the management software be accessing application servers on your network, such as a Simple Network Time Protocol server for setting its date and time, or a TFTP server for uploading or downloading files? If so, then the switch will need an IP configuration.
Configuration Files

Stand-alone switches and stacks store their parameter settings in configuration files in their file systems. The devices use these files to configure their parameter settings whenever they initialize their management software, such as when you power on or reset the units. The switches do not update the files automatically after you change a parameter setting. Instead, you must update the files by performing save commands in the management software.
Redundant Twisted Pair Ports

Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are paired together. The twisted pair ports are identified with the letter “R” for “Redundant” as part of their number on the front faceplate of the unit. The switch models with paired ports and slots are listed in Table 20.
Note: These guidelines do not apply to the SFP slots on the AT-9408LC/SP Switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP Switches.
History of New Features

The following sections outline the history of new features in the AT-S63 Management Software.

Version 4.1.0

Version 4.0.0

AlliedWare Plus™ Command Line: This version includes new AlliedWare Plus commands.

Group Link Control: This feature is used to group the link states of ports on the switches, to enhance the operability of redundant systems in network topologies.
already familiar with the commands in the AlliedWare Plus operating system, you may find this new interface more convenient to use than the standard command line.
Note: The new MODULE parameter can only be used on stacks that already have Version 4.0.0 or later. To update member switches that have versions earlier than 4.0.0, you have to disconnect them from the stack and update them as stand-alone units.

The 802.
Version 3.0.0

Table 21 lists the new features in version 3.0.0 of the AT-S63 Management Software.

Table 21. New Features in AT-S63 Version 3.0.0

Feature: Stacking with the AT-StackXG Stacking Module. New feature. For information, refer to Chapter 1, Overview in the AT-S63 Stack Command Line Interface User’s Guide.
Feature: Virtual Router Redundancy Protocol (VRRP). New feature. For information, refer to Chapter 34, “Virtual Router Redundancy Protocol” on page 403.
Version 2.1.0

Table 22 lists the new features in version 2.1.0.

Table 22. New Features in AT-S63 Version 2.1.0

Version 2.0.0

Feature: Internet Protocol version 4 packet routing. Change: Added the following new features:
Equal Cost Multi-path (ECMP) for supporting multiple routes in the routing table to the same remote destination.
Variable length subnet masks for the IP addresses of routing interfaces and static and dynamic routes.
Version 1.3.0

Table 24 lists the new features in version 1.3.0 of the AT-S63 Management Software.

Table 24. New Features in AT-S63 Version 1.3.0

Feature: 802.1x Port-based Network Access Control. Change: Added the following new features:
Guest VLAN. For background information, see “Guest VLAN” on page 438.
VLAN Assignment and Secure VLAN for supporting dynamic VLAN assignments from a RADIUS authentication server for supplicant accounts.
Feature: Management Access Control List.
Version 1.2.0

Table 25 lists the new features in version 1.2.0.

Table 25. New Features in AT-S63 Version 1.2.0

Feature: MAC Address Table. Change: Added the following new parameters to the CLI commands for displaying and deleting specific types of MAC addresses in the MAC address table: STATIC, STATICUNICAST and STATICMULTICAST for displaying and deleting static unicast and multicast MAC addresses.
Feature: Quality of Service.
Table 25. New Features in AT-S63 Version 1.2.0 (Continued)

Feature: 802.1x Port-based Network Access Control. Change: Added a new parameter to authenticator ports: Supplicant Mode for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator Ports with Single and Multiple Supplicants” on page 429.
Chapter 2: AT-9400Ts Stacks

This chapter has the following sections:

“Supported Platforms” on page 64
“Introduction” on page 65
“AT-S63 Management Software” on page 66
“Supported Models” on page 66
“AT-StackXG Stacking Module” on page 67
“Maximum Number of Switches in a Stack” on page 68
“Management Interfaces” on page 68
“Management Access Methods” on page 68
“Enhanced Stacking” on page 69
“Stack Topology” on page 70
“Discovery Process” on page 72
“Master and
Supported Platforms

Table 26 and Table 27 list the AT-9400 Switches and the management interfaces that support AT-9400Ts Stacks.

Table 26. Support for AT-9400Ts Stacks

Layer 2+ Models: AT-9408LC/SP (no), AT-9424T/GB (no), AT-9424T/SP (no)
Basic Layer 3 Models: AT-9424T (no), AT-9424T/POE (no), AT-9424Ts (yes), AT-9424Ts/XP (yes), AT-9448T/SP (no), AT-9448Ts/XP (yes)
AT-9400Ts Stacks: yes

Table 27.
Introduction

The switches in the AT-9400 Series are divided into the Layer 2+ group and the Basic Layer 3 group. The two groups share many of the same features, but there are a number of significant differences. For instance, the Internet Protocol version 4 packet routing feature and the Virtual Router Redundancy Protocol are supported only on the Basic Layer 3 switches. Three models in the Basic Layer 3 series support an additional feature called stacking.
AT-S63 Management Software

Stacking requires Version 3.0.0 or later of the AT-S63 Management Software.

Note: Version 3.0.0 is only supported on the AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, and AT-9448Ts/XP Basic Layer 3 Switches. Do not install it on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Layer 2+ Switches.
AT-StackXG Stacking Module

To be part of a stack, the AT-9400Ts Switch must have the AT-StackXG Stacking Module, shown in Figure 1. You install the module in the switch’s expansion slot on the back panel. The installation instructions are provided in the AT-9400Ts Stack Installation Guide.

Figure 1. AT-StackXG Stacking Module (labels: Stack Port 1, Stack Port 2)
Maximum Number of Switches in a Stack

Stacks of the 24-port AT-9424Ts Switch or the AT-9424Ts/XP Switch can have up to eight units. A stack can have both models and either model can be the master switch of the stack. Allied Telesis does not recommend using the 48-port AT-9448Ts/XP Switch as the master switch of a stack. Consequently, a stack with one or more 48-port switches should have as the master switch the 24-port AT-9424Ts Switch or the AT-9424Ts/XP Switch.
Enhanced Stacking

If you have prior experience with Allied Telesis products, you might already be familiar with a feature that has a similar name to the feature discussed in this chapter. That feature is enhanced stacking, and it allows you to manage the different Allied Telesis switches in your network from one management session by redirecting the management session from switch to switch.
Stack Topology

The switches of an AT-9400Ts Stack are cabled with the AT-StackXG Stacking Module and its two full-duplex, 12-Gbps stacking ports. There are two supported topologies. The first topology is the duplex-chain topology, where a port on one stacking module is connected to a port on the stacking module in the next switch, which is connected to the next switch, and so on. The connections must cross over to differently numbered ports on the modules.
Figure 3. Duplex-ring Topology (four AT-StackXG modules, each with Stack Port 1, Stack Port 2 and RPS Input)

Both topologies offer the same network speed and performance. But the duplex-ring topology adds redundancy by providing a secondary path through the stacking modules.
Discovery Process

When the switches of a stack are powered on or reset, they synchronize their operating software in a two-phase process before they begin to forward network traffic through their ports. In the first phase the switches initialize their AT-S63 Management Software. It takes about one minute for a switch to fully initialize its software.
Master and Member Switches

The activities of the devices of a stack are coordinated by a master switch. There can be only one master switch, but it can be any unit in a stack. The master switch is assigned module ID 1, as explained in “Module ID Numbers” on page 74. This switch maintains the active configuration file, which contains the parameter settings for all of the switches in the stack. The stack also has a backup master switch.
Module ID Numbers

The switches of a stack are identified by module ID numbers. Each switch must have its own unique number. The range is 1 to 8. The switches assigned the module ID numbers 1 and 2 become the master switch and the backup master switch of a stack, respectively. The commands for managing the module ID numbers are SET STACK and SHOW STACK.
Stack Configuration Files

The parameter settings of a stack are stored in the active configuration file in the master switch’s file system. The master switch restores the parameter settings in the file to the switches whenever the stack performs the discovery process, such as when you reset or power cycle the stack, or add or remove a switch.
If the switch determines that its ID number is set to STATIC with the value 1, then it knows that it is the master switch of the stack and that it is responsible for maintaining the STACK.CFG file for the entire stack. If the switch determines that its ID number is set to STATIC with a value of 2 or more, then it knows that it is part of a stack and that it should receive its configuration settings from the master switch.
MAC Address Tables

The MAC address tables of the switches in a stack are all the same. This is because the switches share their MAC addresses as they learn them. When a switch learns a new address on a port, it stores the address in its MAC address table and sends the address through the AT-StackXG Stacking Module to the other switches, which store the address in their tables.
Stack IP Address

If you do not intend to use the packet routing feature, you must still assign one routing interface to the stack if it will be performing any of the following management functions:

Remote Telnet or web browser management
Sending event messages to a syslog server
Sending or receiving TCP/IP pings
Uploading or downloading files to the master switch’s file system from a TFTP server

To assign an IP address to the stack you have to create an IPv4 rout
Upgrading the AT-S63 Management Software

The AT-9400 Switch must have Version 3.0.0 or later of the AT-S63 Management Software to be a member of a stack. To update the management software on an existing stack for versions after Version 3.0.0, you must disconnect the stacking cables and update the switches individually, either locally through the Terminal Port on the units or over the network using a TFTP server.
Chapter 3: Enhanced Stacking

This chapter contains the following sections:

“Supported Platforms” on page 82
“Overview” on page 83
“Master and Slave Switches” on page 84
“Common VLAN” on page 85
“Master Switch and the Local Interface” on page 86
“Slave Switches” on page 87
“Enhanced Stacking Compatibility” on page 88
“Enhanced Stacking Guidelines” on page 89
“General Steps” on page 90
Supported Platforms

Table 29 and Table 30 list the AT-9400 Switches and the management interfaces that support enhanced stacking.

Table 29. Support for Enhanced Stacking

Layer 2+ Models: AT-9408LC/SP (yes), AT-9424T/GB (yes), AT-9424T/SP (yes)
Basic Layer 3 Models: AT-9424T (yes), AT-9424T/POE (yes), AT-9424Ts (yes), AT-9424Ts/XP (yes), AT-9448T/SP (yes), AT-9448Ts/XP (yes)
AT-9400Ts Stack: no

Table 30.
Overview

Having to manage a large number of network devices typically involves starting a separate management session on each device. This usually means having to end one management session in order to start a new session on another unit. The enhanced stacking feature can simplify this task because it allows you to easily transition among the different AT-9400 Switches in your network from just one management session.
Master and Slave Switches

An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other switches. The other switches in the stack are known as slave switches. They can be managed through the master switch or directly, such as from a local management session.
Common VLAN

A master switch searches for the other switches in an enhanced stack by sending a broadcast packet out on a local subnet. (How that subnet is designated is explained in "Master Switch and the Local Interface," next.) Since a broadcast packet cannot cross a router or a VLAN boundary, you must connect the switches of an enhanced stack with a common VLAN.
Master Switch and the Local Interface

Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to decide on which subnet to send its broadcast packets and on which subnet to monitor for the management packets from the other switches and from remote management workstations.
Slave Switches

The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the master switch. A slave switch does not need a routing interface on the common VLAN if you use the Default_VLAN (VID 1) as the common VLAN.
Enhanced Stacking Compatibility

This version of enhanced stacking is compatible with earlier AT-S63 versions and with the enhanced stacking feature in the AT-8400 Series and AT-8500 Series Switches.
Enhanced Stacking Guidelines

Here are the guidelines to using the enhanced stacking feature:

- There can be up to 24 switches in an enhanced stack.
- The switches in an enhanced stack must be connected with a common port-based or tagged VLAN. The VLAN must have the same name and VLAN identifier (VID) on each switch, and the switches must be connected using tagged or untagged ports of the VLAN.
General Steps

Here are the basic steps to implementing the enhanced stacking feature on the AT-9400 Switches in your network:

1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesis switch that supports this feature. In a stack with different switch models, Allied Telesis recommends using an AT-9400 Switch as the master switch. For further information, refer to "Enhanced Stacking Compatibility" on page 88.
Chapter 4
SNMPv1 and SNMPv2c

This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch.
Supported Platforms

Refer to Table 31 and Table 32 for the AT-9400 Switches and the management interfaces that support SNMPv1 and SNMPv2c community strings.

Table 31. Support for SNMPv1 and SNMPv2c Community Strings

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 32.
Overview

You can manage a switch by viewing and changing the management information base (MIB) objects on the device with the Simple Network Management Protocol (SNMP). The AT-S63 Management Software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains SNMPv1 and SNMPv2c. For information on SNMPv3, refer to Chapter 24, "SNMPv3" on page 253.
Community String Attributes

A community string has attributes that control who can use the string and what the string allows a network management station to do on the switch. The community string attributes are defined below:

Community String Name: A community string must have a name of one to eight alphanumeric characters. Spaces are allowed.

Access Mode: This attribute defines the permissions of a community string. There are two access modes: Read and Read/Write.
the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers to. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings. This is true even for community strings that have an access mode of Read only.
Default SNMP Community Strings

The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of Read only and the private string has an access mode of Read/Write. Both names are industry-standard defaults, so they are the first values anyone probing the switch will try, and SNMPv1 and SNMPv2c carry the community string in cleartext in every message, so the string is the only credential protecting the switch. If you activate SNMP management on the switch, you should delete or disable the private community string, or change its status from open to closed, to prevent unauthorized changes to the switch.
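The point above about default community strings, as an added example that is not code from the AT-S63 guide or from Allied Telesis: a minimal SNMPv1/v2c encoder and decoder written from the standard library only. It shows that the community string sits in cleartext in every datagram, and audit() is the check a monitoring point would run over captured SNMP traffic to flag "public" and "private" still in use. The OIDs and community values are constructed for the example; nothing is sent to a switch.

```python
"""Added example (not AT-S63 code): SNMPv1/v2c community-string audit.

A community-based SNMP message is SEQUENCE { INTEGER version, OCTET STRING
community, PDU }.  Only the BER subset needed for one-varbind GetRequest and
SetRequest messages is implemented.  Nothing is sent on the network.
"""

# ASN.1 BER tags used by SNMPv1 (RFC 1157) and SNMPv2c (RFC 1901)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_SET_REQUEST = 0xA0, 0xA3

# Default strings shipped by AT-S63 (and most other agents).
DEFAULT_COMMUNITIES = {"public", "private"}


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(v: int) -> bytes:
    """Minimal-length two's-complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(TAG_INTEGER, v.to_bytes(n, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_request(community: str, oid: str, pdu_tag: int = TAG_GET_REQUEST,
                  value=None, request_id: int = 1, version: int = 0) -> bytes:
    """Encode a one-varbind SNMPv1 (version=0) or SNMPv2c (version=1) request.

    value: None -> NULL (a GetRequest), int -> INTEGER, bytes -> OCTET STRING.
    """
    if value is None:
        val = _tlv(TAG_NULL, b"")
    elif isinstance(value, int):
        val = _integer(value)
    else:
        val = _tlv(TAG_OCTET_STRING, value)
    varbinds = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, _oid(oid) + val))
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + varbinds)
    return _tlv(TAG_SEQUENCE, _integer(version)
                + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_message(packet: bytes):
    """Return (version, community, pdu_tag); community is None for SNMPv3."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None, None  # v3 carries a USM header, not a community
    tag, community, pos = _read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing community")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return version, community.decode("latin-1"), pdu_tag


def audit(packet: bytes) -> list:
    """Findings a monitoring point would raise for one captured datagram."""
    try:
        version, community, pdu_tag = parse_message(packet)
    except (ValueError, IndexError):
        return ["not an SNMP message (or truncated)"]
    if community is None:
        return []
    label = "SNMPv1" if version == 0 else "SNMPv2c"
    findings = [f"cleartext community {community!r} ({label})"]
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community {community!r} in use")
        if pdu_tag == TAG_SET_REQUEST:
            findings.append("SetRequest with a default community: write access with a well-known secret")
    return findings
```

Feeding the encoder's own output back into audit() is enough to see the problem: the bytes of "private" appear unchanged in the datagram, so anyone who can see the management VLAN can read the Read/Write credential, and anyone who cannot can simply guess it.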
Chapter 5
MAC Address Table

This chapter contains background information about the MAC address table.
Overview

The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port numbers where the addresses were learned. A switch learns the MAC addresses of the end nodes by examining the source addresses of the packets received on a port. It adds the addresses to the MAC table along with the ports on which the packets were received.
no longer active. The period of time a switch waits before purging inactive dynamic MAC addresses is called the aging time. This value is adjustable on the AT-9400 Switch. The default value is 300 seconds (5 minutes). The MAC address table can also store static MAC addresses. These are addresses of end nodes you enter manually into the MAC address table.
Chapter 6
Static Port Trunks

This chapter describes static port trunks.
Supported Platforms

Refer to Table 33 and Table 34 for the AT-9400 Switches and the management interfaces that support static port trunks.

Table 33. Support for Static Port Trunks

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 34.
Overview

A static port trunk is a group of two to eight ports that function as a single virtual link between the switch and another device. Traffic is distributed across the ports to improve performance and enhance reliability by reducing the reliance on a single physical link. A static port trunk is easy to configure. You simply designate the ports of the trunk and the management software automatically groups them together.
Load Distribution Methods

This section discusses the load distribution methods of static port trunks and LACP port trunks, described in Chapter 7, "LACP Port Trunks" on page 107. When you create a static or LACP port trunk, you have to select a load distribution method. This controls how the switch distributes the packets of the traffic load across the ports in a trunk.
A similar method is used for the two load distribution methods that employ both the source and destination addresses. Here, however, the last three bits of both addresses are combined by an XOR operation to derive a single value, which is then compared against the mappings of the bits to ports.
Guidelines

Here are the guidelines to static trunks:

- Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility.
- A static trunk can have up to eight ports.
- Stand-alone switches and AT-9400Ts Stacks can support up to a total of 32 static and LACP trunks at a time. An LACP trunk is counted against the maximum number of trunks only when it is active.
Chapter 7
LACP Port Trunks

This chapter explains Link Aggregation Control Protocol (LACP) port trunks.
Supported Platforms

Refer to Table 35 and Table 36 for the AT-9400 Switches and the management interfaces that support LACP port trunks.

Table 35. Support for LACP Port Trunks

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 36.
Overview

LACP (Link Aggregation Control Protocol) port trunks perform the same function as static trunks. They increase the bandwidth between network devices by distributing the traffic load over multiple physical links. The advantage of an LACP trunk over a static port trunk is its flexibility. While implementations of static trunking tend to be vendor specific, the implementation of LACP in the AT-S63 Management Software is compliant with the IEEE 802.
LACP System Priority

It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be active and which are to be in standby. If a conflict does occur, the two devices need a mechanism for resolving the problem and deciding whose LACP settings are to take precedence.
Adminkey Parameter

The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is local to the switch on which it is defined: two aggregators on different switches can have the same adminkey without generating a conflict.
Load Distribution Methods

The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to assign different load distribution methods to different aggregate trunks, you must create a separate aggregator for each trunk. For further information, refer to "Load Distribution Methods" on page 104.
Guidelines

The following guidelines apply to creating aggregators:

- LACP must be activated on both the switch and the other device.
- The other device must be 802.3ad-compliant.
- An aggregator can consist of any number of ports.
- The AT-S63 Management Software supports up to eight active ports in an aggregate trunk at a time.
- When creating a new aggregator, you can specify either a name for the aggregator or an adminkey, but not both. If you specify a name, the adminkey is based on the operator key of the lowest numbered port in the aggregator. If you specify an adminkey, the default name is DEFAULT_AGG followed by the port number of the lowest numbered port in the aggregator. For example, an aggregator of ports 12 to 16 is assigned the default name DEFAULT_AGG12.
Chapter 8
Port Mirror

This chapter explains the port mirror feature.
Supported Platforms

Refer to Table 37 and Table 38 for the AT-9400 Switches and the management interfaces that support the port mirror.

Table 37. Support for the Port Mirror

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 38.
Overview

The port mirror feature allows for the unobtrusive monitoring of ingress or egress traffic on one or more ports of a switch, without impacting network performance or speed. It copies the traffic from the specified ports to another switch port, where the traffic can be monitored with a network analyzer. The ports whose traffic is mirrored are called the source ports. The port to which the traffic is copied is referred to as the destination port.
Chapter 9
Link-flap Protection

This chapter explains link-flap protection.
Supported Platforms

Refer to Table 39 and Table 40 for the AT-9400 Switches and the management interfaces that support link-flap protection.

Table 39. Support for Link-flap Protection

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP
    AT-9424T/GB
    AT-9424T/SP
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 40.
Overview

A port that is unable to maintain a reliable connection to a network node may experience a condition referred to as link-flapping. This problem, which is usually caused by intermittent problems with network cables or network nodes, causes the state of a link on a port to fluctuate up and down. A fluctuating link can disrupt more than the connectivity of a single port. Other switch operations may be affected as well.
Guidelines

Here are the guidelines to link-flap protection:

- The rate and duration are set at the switch or the stack level and apply to all of the ports.
- You can enable this feature on a per-port basis. The performance of the switch is not affected if you enable it on all of the ports.
- This feature is supported on the base ports and the SFP and XFP modules in the switches.
Configuring the Feature

Here are the commands that are used to configure the link-flap protection feature. The first example uses the standard commands and the second example uses the AlliedWare Plus commands. They configure the feature such that link-flap events are defined as seven link changes in three minutes, and they activate the feature on ports 11 to 20.
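The rule configured above (seven link changes in three minutes, enabled on ports 11 to 20), as an added example that is not code or output from the AT-S63 guide: a sliding-window detector that applies a switch-wide rate and duration to per-port link-state samples, with the enable flag per port as the guidelines state. The event line format and the sample log are constructed for the example.

```python
"""Added example (not AT-S63 code): sliding-window link-flap detection.

Rate and duration are switch-wide; the enable flag is per port.  Event lines
of the form 't=<seconds> port=<n> link=<up|down>' are an assumption of this
example, not a switch log format.
"""
from collections import defaultdict, deque


class LinkFlapDetector:
    def __init__(self, rate: int, duration: float, enabled_ports):
        self.rate = rate                     # link changes that count as flapping
        self.duration = duration             # window in seconds (switch-wide)
        self.enabled = set(enabled_ports)    # per-port enable
        self._changes = defaultdict(deque)   # port -> times of recent changes
        self._last_state = {}                # port -> last seen link state
        self.flapping = {}                   # port -> time the rule first tripped

    def observe(self, port: int, t: float, state: str) -> bool:
        """Record one link-state sample; True if it makes the port flapping."""
        if port not in self.enabled:
            return False
        prev = self._last_state.get(port)
        self._last_state[port] = state
        if prev is None or prev == state:
            return False                     # only up<->down transitions count
        window = self._changes[port]
        window.append(t)
        while t - window[0] > self.duration: # drop changes older than the window
            window.popleft()
        if len(window) >= self.rate and port not in self.flapping:
            self.flapping[port] = t
            return True
        return False


def parse_event(line: str):
    """Parse one constructed event line such as 't=30 port=14 link=down'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return int(fields["port"]), float(fields["t"]), fields["link"]


def detect_flapping(lines, rate=7, duration=180, enabled_ports=range(11, 21)):
    """Feed event lines in time order; return {port: time of detection}."""
    det = LinkFlapDetector(rate, duration, enabled_ports)
    for line in lines:
        det.observe(*parse_event(line))
    return dict(det.flapping)


def _events(port, times):
    """Alternating up/down samples for one port, starting with 'up'."""
    return [f"t={t} port={port} link={'up' if i % 2 == 0 else 'down'}"
            for i, t in enumerate(times)]


# Constructed sample log, sorted by time (not switch output).
SAMPLE_EVENTS = sorted(
    _events(14, range(0, 80, 10))        # 7 changes in 70 s: trips the rule
    + _events(15, range(0, 480, 60))     # 7 changes over 420 s: never 7 within 180 s
    + _events(12, [0, 200, 205])         # one short dip (2 changes)
    + _events(5, range(0, 80, 10)),      # same pattern as port 14, but not enabled
    key=lambda line: parse_event(line)[1],
)

if __name__ == "__main__":
    for port, when in sorted(detect_flapping(SAMPLE_EVENTS).items()):
        print(f"port {port}: link-flap detected at t={when:.0f}s")
```

Port 15 illustrates why the duration matters as much as the rate: it changes state as often as port 14 in total, but never seven times inside one 180 second window, so it is not flagged until the window is widened.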
Section II
Advanced Operations

This section contains the following chapters:

- Chapter 10, "File System" on page 127
- Chapter 11, "Event Logs and the Syslog Client" on page 131
- Chapter 12, "Classifiers" on page 135
- Chapter 13, "Access Control Lists" on page 145
- Chapter 14, "Class of Service" on page 157
- Chapter 15, "Quality of Service" on page 165
- Chapter 16, "Group Link Control" on page 187
- Chapter 17, "Denial of Service Defenses" on page 201
Chapter 10
File System

This chapter explains the switch's file system and contains the following sections:

- "Overview" on page 128
- "File Naming Conventions" on page 129
- "Using Wildcards to Specify Groups of Files" on page 130
Overview

The AT-9400 Switch has a file system in flash memory for storing system files. You can view a list of the files as well as copy, rename, and delete files. For those AT-9400 Switches that support a compact flash memory card, you can perform the same functions on the files stored on a flash card, as well as copy files between the switch's file system and a flash card.
File Naming Conventions

The flash memory file system is a flat file system; directories are not supported. However, directories are supported on compact flash cards. In both types of storage, files are uniquely identified by a file name in the following format:

  filename.ext

where filename is a descriptive name for the file, and may be one to sixteen characters in length.
Using Wildcards to Specify Groups of Files

You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions:

  *.cfg
  *.key
  28*.
Chapter 11
Event Logs and the Syslog Client

This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server.
Supported Platforms

Refer to Table 42 and Table 43 for the AT-9400 Switches and the management interfaces that support the event logs and the syslog client.

Table 42. Support for the Event Logs and the Syslog Client

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 43.
Overview

A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurred.
Syslog Client

The management software features a syslog client to send event messages to a syslog server on your network. A syslog server can function as a central repository for events from many different network devices. In order for the switch to send events to a syslog server, you must define a syslog output by specifying the IP address of the syslog server along with other information, such as the types of event messages the switch is to send to the server.
Chapter 12
Classifiers

This chapter explains classifiers for access control lists and Quality of Service policies.
Supported Platforms

Refer to Table 44 and Table 45 for the AT-9400 Switches and the management interfaces that support classifiers.

Table 44. Support for Classifiers

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 45.
Overview

A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from very broad to very specific. An example of the former might be all IP traffic, while an example of the latter could be packets with specific source and destination MAC addresses. A classifier contains a set of criteria for defining a traffic flow.
is dictated by the QoS policy, as explained in Chapter 15, "Quality of Service" on page 165. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.
Classifier Criteria

The components of a classifier are defined in the following subsections.

Destination MAC Address (Layer 2)
Source MAC Address (Layer 2)

You can identify a traffic flow by specifying a source and/or destination MAC address. For instance, you might create a classifier for a traffic flow destined to a particular destination node, or from a specific source node to a specific destination node, all identified by their MAC addresses.
Figure 5. User Priority and VLAN Fields within an Ethernet Frame

  Field                        Size
  Preamble                     64 bits
  Destination Address          48 bits
  Source Address               48 bits
  Type/Length                  16 bits
  Tag Protocol Identifier      16 bits
  User Priority                3 bits
  CFI                          1 bit
  VLAN Identifier              12 bits
  Frame Data                   368 to 12000 bits
  CRC                          32 bits

You can identify a traffic flow of tagged packets using the user priority value.
Observe the following guidelines when using the Protocol variable:

- When selecting a Layer 3 or Layer 4 variable, this variable must be left blank or set to IP.
- If you choose to specify a protocol by its number, you can enter the value in decimal or hexadecimal format. If you choose the latter, precede the number with the prefix "0x". The range for the protocol number is 1536 (0x600) to 65535 (0xFFFF).
Observe these guidelines when using this criterion:

- The Protocol variable must be left blank or set to IP.
- You cannot specify both an IP ToS value and an IP DSCP value in the same classifier.

IP Protocol (Layer 3)

You can define a traffic flow by the following Layer 3 protocols:

- TCP
- UDP
- ICMP
- IGMP
- IP protocol number

If you choose to specify the protocol by its number, you can enter the value in decimal or hexadecimal format.
Observe this guideline when using these criteria:

- The Protocol variable must be left blank or set to IP.

TCP Source Ports (Layer 4)
TCP Destination Ports (Layer 4)

A traffic flow can be identified by a source and/or destination TCP port number contained in the TCP header of an IP packet. Observe the following guidelines when using these criteria:

- The Protocol variable must be left blank or set to IP.
Guidelines

Follow these guidelines when creating a classifier:

- Each classifier represents a separate traffic flow.
- The variables within a classifier are linked by AND. The more variables you define within a classifier, the more specific it becomes in terms of the flow it defines.
Chapter 13
Access Control Lists

This chapter describes access control lists (ACL) and how they can improve network security and performance.
Supported Platforms

Refer to Table 46 and Table 47 for the AT-9400 Switches and the management interfaces that support access control lists.

Table 46. Support for the Access Control Lists

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 47.
Overview

An access control list is a filter that controls the ingress traffic on a port. It defines a category of traffic and the action the port takes when it receives packets of that category. The action can be to accept the defined packets or to discard them.
4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.
Parts of an ACL

An ACL must have the following information:

- Name: An ACL must have a name. The name of an ACL should indicate the type of traffic flow being filtered and, perhaps, also the action. An example might be "HTTPS flow - permit." The more specific the name, the easier it will be for you to identify it.
- Action: The action of an ACL can be permit or deny.
Guidelines

Here are the rules to creating ACLs:

- Ports can have multiple permit and deny ACLs.
- ACLs must have at least one classifier.
- ACLs can have up to sixteen classifiers.
- ACLs can be assigned to more than one switch port.
- ACLs filter ingress traffic, but not egress traffic.
- The action of an ACL can be either permit or deny.
- A permit ACL overrides a deny ACL on the same port when the ACLs define the same traffic.
Examples

This section contains several examples of ACLs.

In this example, port 4 has been assigned one ACL, a deny ACL for the subnet 149.11.11.0. This ACL prevents the port from accepting any traffic originating from that subnet. Since this is the only ACL on the port, all other traffic is accepted. As explained earlier, a port automatically accepts all packets that do not meet the criteria of the classifiers assigned to its ACLs.
To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL, as illustrated in the next example. Three subnets are denied access to port 4. The three classifiers defining the subnets are applied to the same ACL.

  Create Classifier
  01 - Classifier ID: ..... 22
  02 - Description: ....... 149.11.11 flow
  ...
  12 - Src IP Addr: ....... 149.11.11.0
  13 - Src IP Mask: ....... 255.255.255.
The same result can be achieved by assigning the classifiers to different ACLs and assigning the ACLs to the same port, as in this example, again for port 4.

  Create Access Control Lists (ACL)
  1 - ACL ID ............... 4
  2 - Description .......... 149.11.11-deny
  3 - Action ............... Deny
  4 - Classifier List ...... 22
  5 - Port List ............ 4

  Create Access Control Lists (ACL)
  1 - ACL ID ............... 22
  2 - Description .......... 149.22.22.
In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifier ID 17 specifies all IP traffic and is assigned to an ACL whose action is deny. Since a permit ACL overrides a deny ACL, the port will accept the traffic from the 149.44.44.
The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 with a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited.

  Create Classifier

  Create Access Control Lists (ACL)
  1 - ACL ID ............... 4
  2 - Description .......... ToS 6 traffic - permit
  3 - Action ............... Permit
  4 - Classifier List ...... 6
  5 - Port List ...........
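The evaluation rules stated in this chapter and in the classifier guidelines (variables within a classifier are ANDed; an ACL has one to sixteen classifiers; a permit ACL overrides a deny ACL on the same port; a packet that matches no ACL is accepted), as an added example that is not code from the AT-S63 guide or from Allied Telesis: a small model of the ACL decision run against constructed packets for the port 4 and port 17 examples above. The packet dictionaries, the deny ACL on port 17 and every identifier not shown in the guide's screens are assumptions of this example.

```python
"""Added example (not AT-S63 code): model of the ACL ingress decision.

Rules encoded, all from the guide: classifier variables are ANDed; a Layer
3/4 variable needs the Protocol variable blank or IP; an ACL has 1 to 16
classifiers and matches if any of them does; a matching permit ACL overrides
a matching deny ACL on the same port; a packet matching no ACL is accepted.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ETH_IP, ETH_ARP = 0x0800, 0x0806          # Ethernet protocol numbers


def _in_subnet(addr, network, mask) -> bool:
    if addr is None:                       # non-IP frame: never in an IP subnet
        return False
    net = ipaddress.ip_network(f"{network}/{mask or '255.255.255.255'}", strict=False)
    return ipaddress.ip_address(addr) in net


@dataclass
class Classifier:
    cid: int
    description: str = ""
    protocol: Optional[int] = None         # Ethernet protocol; None = any
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    ip_protocol: Optional[str] = None      # "TCP", "UDP", "ICMP", "IGMP"
    tos: Optional[int] = None
    tcp_dst_ports: tuple = ()

    def __post_init__(self):
        l3l4 = any(v is not None for v in (self.src_ip, self.dst_ip, self.ip_protocol, self.tos))
        if (l3l4 or self.tcp_dst_ports) and self.protocol not in (None, ETH_IP):
            raise ValueError(f"classifier {self.cid}: L3/L4 variables need Protocol blank or IP")

    def matches(self, pkt: dict) -> bool:
        """Every variable that is set must match (AND)."""
        return all((
            self.protocol is None or pkt.get("ethertype") == self.protocol,
            self.src_ip is None or _in_subnet(pkt.get("src_ip"), self.src_ip, self.src_mask),
            self.dst_ip is None or _in_subnet(pkt.get("dst_ip"), self.dst_ip, self.dst_mask),
            self.ip_protocol is None or pkt.get("ip_protocol") == self.ip_protocol,
            self.tos is None or pkt.get("tos") == self.tos,
            not self.tcp_dst_ports or pkt.get("tcp_dst_port") in self.tcp_dst_ports,
        ))


@dataclass
class ACL:
    acl_id: int
    description: str
    action: str                            # "permit" or "deny"
    classifiers: list = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ("permit", "deny") or not 1 <= len(self.classifiers) <= 16:
            raise ValueError("an ACL needs action permit/deny and 1 to 16 classifiers")

    def matches(self, pkt: dict) -> bool:
        return any(c.matches(pkt) for c in self.classifiers)   # classifiers are ORed


def port_decision(acls, pkt: dict):
    """Ingress decision for one port: (action, reason)."""
    for acl in acls:                       # 1. a matching permit ACL wins
        if acl.action == "permit" and acl.matches(pkt):
            return "permit", f"permit ACL {acl.acl_id} ({acl.description})"
    for acl in acls:                       # 2. otherwise a matching deny ACL drops
        if acl.action == "deny" and acl.matches(pkt):
            return "deny", f"deny ACL {acl.acl_id} ({acl.description})"
    return "permit", "no ACL matched; accepted by default"   # 3. default accept


# Port 4, as in the guide's second example: one deny ACL whose classifiers
# name the source subnets (classifier 22 is the guide's; 23 is assumed).
PORT4_ACLS = [ACL(4, "149.11.11 and 149.22.22 - deny", "deny", [
    Classifier(22, "149.11.11 flow", src_ip="149.11.11.0", src_mask="255.255.255.0"),
    Classifier(23, "149.22.22 flow", src_ip="149.22.22.0", src_mask="255.255.255.0")])]

# Port 17, as in the guide's last example: permit IP from 149.22.11.0/24 with
# ToS 6 to 149.22.22.22 (ACL 4, classifier 6), deny all other IP and ARP
# (ACL 5 with classifiers 7 and 8: assumed identifiers).
PORT17_ACLS = [
    ACL(4, "ToS 6 traffic - permit", "permit", [
        Classifier(6, "ToS 6 to 149.22.22.22", protocol=ETH_IP, tos=6,
                   src_ip="149.22.11.0", src_mask="255.255.255.0",
                   dst_ip="149.22.22.22", dst_mask="255.255.255.255")]),
    ACL(5, "IP and ARP - deny", "deny", [
        Classifier(7, "all IP", protocol=ETH_IP),
        Classifier(8, "all ARP", protocol=ETH_ARP)]),
]

# Constructed packets (not captures).
PACKETS = {
    "tos6_flow":  {"ethertype": ETH_IP, "src_ip": "149.22.11.7", "dst_ip": "149.22.22.22", "tos": 6},
    "tos0_flow":  {"ethertype": ETH_IP, "src_ip": "149.22.11.7", "dst_ip": "149.22.22.22", "tos": 0},
    "arp":        {"ethertype": ETH_ARP},
    "ipv6":       {"ethertype": 0x86DD},
    "from_11":    {"ethertype": ETH_IP, "src_ip": "149.11.11.200", "dst_ip": "10.1.1.1", "tos": 0},
    "from_other": {"ethertype": ETH_IP, "src_ip": "10.9.9.9", "dst_ip": "10.1.1.1", "tos": 0},
}
```

The "ipv6" packet is the caveat worth keeping in mind when reading "all other IP traffic and ARP packets are prohibited": a frame with any other Ethernet protocol matches neither the permit nor the deny ACL on port 17, so rule 3 accepts it. A port that must pass only one flow needs deny classifiers for every other protocol it can receive.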
Chapter 14
Class of Service

This chapter describes the Class of Service (CoS) feature.
Supported Platforms

Refer to Table 48 and Table 49 for the AT-9400 Switches and the management interfaces that support the Class of Service feature.

Table 48. Support for the Class of Service Feature

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 49.
Overview

When a port on an Ethernet switch becomes oversubscribed, meaning its egress queues contain more packets than the port can handle in a timely manner, the port may be forced to delay the transmission of some packets while it handles other traffic, so that packets reach their destinations late. Some packets destined to be forwarded to an oversubscribed port from other switch ports may be discarded.
Table 50. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues

  IEEE 802.1p Priority Level    Port Priority Queue
  0                             Q1
  1                             Q0 (lowest)
  2                             Q2
  3                             Q3
  4                             Q4
  5                             Q5
  6                             Q6
  7                             Q7 (highest)

For example, when a tagged packet with a priority level of 3 enters a port on the switch, the packet is stored in queue Q3 on the egress port.
Table 51. Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues (Continued)

  IEEE 802.1p Priority Level    Port Priority Queue
  6                             Q6
  7                             Q7 (highest)

Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis.
Scheduling

A switch port needs a mechanism that specifies the order of transmittal of the packets from its eight egress queues. For example, should a port that has packets in all its queues transmit all the packets from Q7, the highest priority queue, before moving on to the other queues, or should it transmit a few packets from each queue and, if so, how many? This control mechanism is called scheduling.
Table 52 shows an example.

Table 52. Example of Weighted Round Robin Priority

  Port Egress Queue    Maximum Number of Packets
  Q0 (lowest)          1
  Q1                   1
  Q2                   5
  Q3                   5
  Q4                   5
  Q5                   5
  Q6                   10
  Q7                   15

In this example, the port transmits a maximum of 15 packets from Q7 before moving to Q6, from where it transmits up to 10 packets, and so forth. For Q0 to Q6, the range of the maximum number of transmitted packets is 1 to 15.
Table 53.
Chapter 15
Quality of Service

This chapter describes Quality of Service (QoS).
Supported Platforms

Refer to Table 54 and Table 55 for the AT-9400 Switches and the management interfaces that support Quality of Service.

Table 54. Support for Quality of Service

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 55.
Overview

Quality of Service allows you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN in the same manner. Without QoS, every traffic type is equally likely to be dropped if a link becomes oversubscribed.
The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. A policy contains traffic classes, flow groups, and classifiers. Therefore, to configure QoS, you:

- Create classifiers to sort packets into traffic flows.
Classifiers

Classifiers identify a particular traffic flow, and range from general to specific. (See Chapter 12, "Classifiers" on page 135 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic classes, assigned to the same policy. A classifier should only be used once per policy. Traffic is matched in the order of the classifiers.
Flow Groups

Flow groups group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers. After a flow group has been added to a traffic class it cannot be added to another traffic class. A traffic class may have many flow groups. Traffic is matched in the order of the flow groups.
Traffic Classes

Traffic classes are the central component of the QoS solution. They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be assigned to only one policy. Traffic classes consist of a set of QoS parameters and a group of QoS flow groups. Traffic can be prioritized, marked (IP TOS or DSCP field set), and bandwidth limited. Traffic is matched in the order of the traffic classes.
Policies

QoS policies consist of a collection of user-defined traffic classes. A policy can be assigned to more than one port, but a port may only have one policy. Note that the switch can only perform error checking of parameters and parameter values for the policy and its traffic classes and flow groups when the policy is set on a port. QoS controls are applied to ingress traffic on ports.
QoS Policy Guidelines

Following is a list of QoS policy guidelines:

- A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results.
- A classifier may be used successfully in many different policies.
- A flow group must be assigned at least one classifier but may have many classifiers.
Packet Processing

You can use the switch's QoS tools to perform any combination of the following functions on a packet flow:

- Limiting bandwidth
- Prioritizing packets to determine the level of precedence the switch will give to the packet for processing
- Replacing the VLAN tag User Priority to enable the next switch in the network to process the packet correctly
- Replacing the TOS precedence or DSCP value to enable the next switch in the network to process the packet correctly
AT-S63 Management Software Features Guide Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 50 on page 160. Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN tag User Priority of 0.
Chapter 15: Quality of Service Replacing Priorities The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, you need to replace one of two priority fields in the packet header: The User Priority field of the VLAN tag header.
AT-S63 Management Software Features Guide DiffServ Domains Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network or subnet that is managed as a single QoS unit. Packets are classified according to user-specified criteria at the edge of the network, divided into classes, and assigned the required class of service.
Chapter 15: Quality of Service To use the QoS tool set to configure a DiffServ domain: 1. As packets come into the domain at edge switches, replace their DSCP value, if required. Classify the packets according to the required characteristics. For available options, see Chapter 12, “Classifiers” on page 135. Assign the classifiers to flow groups and the flow groups to traffic classes, with a different traffic class for each DiffServ code point grouping within the DiffServ domain.
Examples

The following examples demonstrate how to implement QoS in three situations:

- "Voice Applications," next
- "Video Applications" on page 181
- "Critical Database" on page 183

Voice Applications

Voice applications typically require a small but consistent bandwidth. They are sensitive to latency (interpacket delay) and jitter (delivery delay). Voice applications can be set up to have the highest priority.
Voice application settings (the two policy screens shown side by side in the original figure; fields the figure leaves blank are left blank here):

Policy 6
  Create Classifier
    01 - Classifier ID ..... 22
    02 - Description ....... VoIP flow
    12 - Src IP Addr ....... 149.44.44.44
    13 - Src IP Mask .......
  Create Flow Group
    1 - Flow Group ID ............. 14
    2 - Description ............... VoIP
    3 - DSCP Value ................
    4 - Priority ..................

Policy 11
  Create Classifier
    01 - Classifier ID ..... 23
    02 - Description ....... VoIP flow
    14 - Dst IP Addr ....... 149.44.44.44
    15 - Dst IP Mask .......
  Create Flow Group
AT-S63 Management Software Features Guide Video Applications Traffic Class - No action is taken by the traffic class, other than to specify the flow group. Traffic class has a priority setting you can use to override the priority level of packets, just as in a flow group. If you enter a priority value in both places, the setting in the flow group overrides the setting in the traffic class. Policy - Specifies the traffic class and the port to which the policy is to be assigned.
Video application settings (the two policy screens shown side by side in the original figure; fields the figure leaves blank are left blank here):

Policy 17
  Create Classifier
    01 - Classifier ID ..... 16
    02 - Description ....... Video flow
    12 - Src IP Addr ....... 149.44.44.44
    13 - Src IP Mask .......
  Create Flow Group
    1 - Flow Group ID ............. 41
    2 - Description ............... Video
    3 - DSCP Value ................

Policy 32
  Create Classifier
    01 - Classifier ID ..... 42
    02 - Description ....... Video flow
    14 - Dst IP Addr ....... 149.44.44.44
    15 - Dst IP Mask .......
  Create Flow Group
AT-S63 Management Software Features Guide packets so they leave containing the new level, you would change option 5, Remark Priority, to Yes. Critical Database Traffic Class - The packet stream is assigned a maximum bandwidth of 5 Mbps. Bandwidth assignment can only be made at the traffic class level. Policy - Specifies the traffic class and the port where the policy is to be assigned. Critical databases typically require a high bandwidth.
Chapter 15: Quality of Service Policy Component Hierarchy The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels—flow group, traffic class and policy.
Policy component hierarchy settings (from the original figure):

Create Classifier
  01 - Classifier ID ..... 1
  14 - Dst IP Addr ....... 149.11.11.0
  15 - Dst IP Mask ....... 255.255.255.0

Create Classifier
  01 - Classifier ID ..... 2
  14 - Dst IP Addr ....... 149.22.22.0
  15 - Dst IP Mask ....... 255.255.255.0

Create Flow Group
  1 - Flow Group ID ....... 1
  3 - DSCP Value .......... 10
  9 - Classifier List ..... 1,2

Create Traffic Class
  1 - Traffic Class ID .... 1
  5 - DSCP Value .......... 30
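The precedence rules this chapter describes (traffic classes, flow groups and classifiers matched in configured order; a flow group's priority and DSCP overriding the traffic class; bandwidth limits only at the traffic class) are easy to get wrong when a policy grows. The following Python model is an added example, not code from this guide or from the AT-S63 software. It reproduces the hierarchy example above (classifiers 1 and 2, flow group DSCP 10, traffic class DSCP 30) together with the 5 Mbps critical-database limit and a VoIP flow on 149.44.44.44 from the earlier examples; the priority values 4 and 5, the class names, and the assumption that the most-specific-wins rule also extends to a policy-level DSCP are the author's own.

```python
"""Model of the AT-S63 QoS policy hierarchy: policy > traffic class > flow group > classifier."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]            # constructed packet summary: {"src": ..., "dst": ...}
Classifier = Callable[[Packet], bool]


@dataclass
class FlowGroup:
    name: str
    classifiers: List[Classifier]    # at least one; tried in order
    priority: Optional[int] = None   # 0-7; overrides the traffic class priority
    dscp: Optional[int] = None       # overrides the traffic class / policy DSCP
    remark_priority: bool = False    # rewrite the VLAN tag User Priority field


@dataclass
class TrafficClass:
    name: str
    flow_groups: List[FlowGroup]
    priority: Optional[int] = None
    dscp: Optional[int] = None
    max_bandwidth_kbps: Optional[int] = None   # bandwidth limits exist only at this level


@dataclass
class Policy:
    name: str
    traffic_classes: List[TrafficClass]
    dscp: Optional[int] = None       # policy-level DSCP, used when no lower level sets one


def first_set(*values):
    """First value that is not None (most specific level wins)."""
    return next((v for v in values if v is not None), None)


def apply_policy(policy: Policy, pkt: Packet) -> Optional[dict]:
    """Return the QoS actions for pkt, or None if no flow group matches.

    Traffic classes, flow groups and classifiers are tried in configured order and
    the first matching flow group wins, so the more specific classes must come first."""
    for tc in policy.traffic_classes:
        for fg in tc.flow_groups:
            if any(match(pkt) for match in fg.classifiers):
                return {
                    "traffic_class": tc.name,
                    "flow_group": fg.name,
                    # flow group setting beats the traffic class setting
                    "priority": first_set(fg.priority, tc.priority),
                    # assumption: the same rule extends to a DSCP set at the policy level
                    "dscp": first_set(fg.dscp, tc.dscp, policy.dscp),
                    "max_bandwidth_kbps": tc.max_bandwidth_kbps,
                    "remark_priority": fg.remark_priority,
                }
    return None


def dst_in(cidr: str) -> Classifier:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["dst"]) in net


def src_or_dst_is(addr: str) -> Classifier:
    return lambda p: addr in (p["src"], p["dst"])


# Policy assembled from the chapter's examples; the database class is listed first on purpose.
DATABASE = TrafficClass(
    "database",
    [FlowGroup("db-flow", [dst_in("149.11.11.0/24"), dst_in("149.22.22.0/24")], dscp=10)],
    priority=4, dscp=30, max_bandwidth_kbps=5000)
VOICE = TrafficClass(
    "voice",
    [FlowGroup("voip", [src_or_dst_is("149.44.44.44")], priority=7, remark_priority=True)],
    priority=5)
POLICY = Policy("example", [DATABASE, VOICE])

if __name__ == "__main__":
    for pkt in ({"src": "10.0.0.1", "dst": "149.11.11.5"},
                {"src": "149.44.44.44", "dst": "10.0.0.9"},
                {"src": "149.44.44.44", "dst": "149.11.11.5"}):
        print(pkt, "->", apply_policy(POLICY, pkt))
```

The third packet in the usage block is the case to watch: VoIP traffic from 149.44.44.44 to a database subnet is caught by the database class because it is matched first, and so is rate-limited to 5 Mbps instead of getting priority 7. Ordering the traffic classes is part of the design, not a detail.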
Chapter 16 Group Link Control This chapter explains group link control.
Supported Platforms

Refer to Table 56 and Table 57 for the AT-9400 Switches and the management interfaces that support group link control.

Table 56. Support for Group Link Control

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          No
    AT-9424T/GB           No
    AT-9424T/SP           No
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       Yes

Table 57.
AT-S63 Management Software Features Guide Overview Group link control is designed to improve the effectiveness of the redundant systems in a network. It enables the switch to alert network devices about problems they might not otherwise detect or respond to, so that they can implement their redundant systems, automatically. The feature works by duplicating the link states of ports on other ports.
Chapter 16: Group Link Control In the first diagram a server with two teamed network adapter cards is connected to different AT-9400 Switches, with the active link to switch 3. If there was a failure on the active link, the server would be able to detect it directly and would respond by automatically transferring the traffic to the redundant network interface and the secondary path, which leads to switch 4.
But if the failure occurred further upstream between switches 1 and 3, the server would not detect the problem. Unaware of the problem, it would lose connectivity to the network because it would continue to transmit packets to switch 3, which would discard the packets. This is shown in this figure.

Figure 19 (diagram labels: Network, Switch 1, Switch 2, Switch 3, Switch 4, Primary link, Secondary link)
Figure 20. Group Link Control Example 3 (diagram labels: Network, Switch 1, Switch 2, Upstream port 17, Switch 3, Switch 4, Downstream port 24)

When a link on an upstream port is reestablished, the switch automatically reactivates the downstream counterpart. Referring to the example, when the link on port 17 is reestablished, the switch enables port 24 again. A link control group can have more than one upstream and downstream port. This enables it to support static port trunks and LACP trunks.
Figure 21 (diagram labels: Network, Switch 1, Switch 2, Upstream ports 17, 20, Switch 3, Switch 4, Downstream ports 24, 25, Primary trunk, Secondary trunk)
If connectivity is lost on both ports 17 and 20, the downstream ports 24 and 25 are disabled.

Figure 22. Group Link Control Example 5 (diagram labels: Network, Switch 1, Switch 2, Upstream ports 17, 20, Switch 3, Switch 4, Downstream ports 24, 25)

In the previous examples the ports of the groups on the switch are connected to different devices, making it possible for downstream devices to know whether or not there are links to upstream devices.
This is illustrated in this figure. Switch 1 and switch 3 are connected with a static or LACP trunk of three links. A backup trunk from switch 2 to switch 3 is placed in the blocking state by the spanning tree protocol to prevent a network loop.

Figure 23. Group Link Control Example 6 (diagram labels: Network, Switch 1, Switch 2, Ports 7, 8, 9, Switch 3, Switch 4)

Let's assume that you wanted switch 3 to shut down the primary trunk to switch 1 if the active trunk lost a single link.
In this example the primary and backup trunks have four links each.

Figure 24. Group Link Control Example 7 (diagram labels: Network, Switch 1, Switch 2, Ports 7, 8, 9, 10, Switch 3, Switch 4)

If you wanted switch 3 to shut down the primary trunk if any two links were lost, you would need to create six groups to cover all of the possible combinations. The groups are listed in Table 59.
Guidelines

Here are the guidelines to group link control:

- The switch or stack can support up to eight groups.
- A group can have any number of ports, up to the total number of ports on the switch.
- Ports can be members of more than one group.
- Ports can also be upstream and downstream ports in different groups. Ports, however, cannot be both upstream and downstream ports in the same group.
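A group disables its downstream ports only when every one of its upstream ports has lost link, which is why the trunk examples above need three groups for a three-link trunk (any one link lost) and six for a four-link trunk (any two links lost): one group per combination of upstream ports, with the remaining trunk ports on the downstream side. The following Python is an added example, not Allied Telesis code or part of this guide. It generalises those two cases to any trunk width and failure count, checks the result against the eight-group limit from the guidelines, and evaluates what the switch would disable for a given set of link states. The command strings it emits follow the form of the AlliedWare Plus example later in this chapter and are an assumption about the exact CLI syntax; the model treats only physical link state as an input (a port disabled by one group is not assumed to count as a lost upstream link for another).

```python
"""Group link control: which groups a trunk needs, and what they disable."""
from itertools import combinations
from typing import Dict, Iterable, List, Set

MAX_GROUPS = 8   # a switch or stack supports up to eight groups (see Guidelines)


def trunk_protection_groups(trunk_ports: Iterable[int], links_lost: int) -> List[dict]:
    """Groups that take a trunk fully down once `links_lost` of its links fail.

    One group per combination of `links_lost` upstream ports; each group's downstream
    side is the rest of the trunk, so the whole trunk goes down and the spanning tree
    backup path can take over."""
    ports = sorted(set(trunk_ports))
    if not 1 <= links_lost <= len(ports):
        raise ValueError("links_lost must be between 1 and the number of trunk ports")
    groups = [{"id": n, "upstream": set(up), "downstream": set(ports) - set(up)}
              for n, up in enumerate(combinations(ports, links_lost), start=1)]
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"{len(groups)} groups needed, but the switch supports {MAX_GROUPS}")
    return groups


def disabled_downstream(groups: List[dict], link_up: Dict[int, bool]) -> Set[int]:
    """Downstream ports the switch disables for the given physical link states.

    Re-evaluating after a link is restored drops its dependants from the result,
    which is the automatic reactivation described in this chapter. Assumption: only
    physical link state is an input; a port disabled by one group is not treated
    as a lost upstream link of another."""
    down: Set[int] = set()
    for g in groups:
        if all(not link_up.get(p, False) for p in g["upstream"]):
            down |= g["downstream"]
    return down


def config_lines(groups: List[dict]) -> List[str]:
    """Per-interface configuration in the form used by this chapter's AlliedWare Plus
    example (assumption: 'group link control upstream|downstream <id>' under 'interface <port>')."""
    per_port: Dict[int, List[str]] = {}
    for g in groups:
        for p in sorted(g["upstream"]):
            per_port.setdefault(p, []).append(f"group link control upstream {g['id']}")
        for p in sorted(g["downstream"]):
            per_port.setdefault(p, []).append(f"group link control downstream {g['id']}")
    lines: List[str] = []
    for p in sorted(per_port):
        lines.append(f"interface {p}")
        lines.extend(per_port[p])
    return lines


if __name__ == "__main__":
    three = trunk_protection_groups([7, 8, 9], 1)        # Figure 23: any one link lost
    print("\n".join(config_lines(three)))
    print("port 7 down ->", disabled_downstream(three, {7: False, 8: True, 9: True}))
    four = trunk_protection_groups([7, 8, 9, 10], 2)     # Figure 24: any two links lost
    print(len(four), "groups; ports 7 and 8 down ->",
          disabled_downstream(four, {7: False, 8: False, 9: True, 10: True}))
```

For a five-link trunk with a two-link threshold the function raises, because ten groups would be needed and the switch supports eight; that limit decides how wide a trunk this technique can protect.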
Chapter 16: Group Link Control Configuring the Feature Here are a few examples on how to configure the feature. The first example configures the group in Figure 20 on page 192 in which port 17 is the upstream port and port 24 is the downstream port.
awplus(config-if)# interface 8
awplus(config-if)# group link control upstream 2
awplus(config-if)# group link control downstream 1
awplus(config-if)# group link control downstream 3
awplus(config-if)# interface 9
awplus(config-if)# group link control upstream 3
awplus(config-if)# group link control downstream 1
awplus(config-if)# group link control downstream 2
awplus(config-if)# end
awplus# show group link control
Chapter 17 Denial of Service Defenses This chapter explains the defense mechanisms in the management software that can protect your network against denial of service (DoS) attacks.
Supported Platforms

Refer to Table 60 and Table 61 for the AT-9400 Switches and the management interfaces that support the denial of service defenses.

Table 60. Support for the Denial of Service Defenses

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       No

Table 61.
Overview

The AT-S63 Management Software can help protect your network against the following types of denial of service attacks:

- SYN Flood Attack
- Smurf Attack
- Land Attack
- Teardrop Attack
- Ping of Death Attack
- IP Options Attack

The following sections describe each type of attack and the mechanism employed by the AT-S63 Management Software to protect your network.
Chapter 17: Denial of Service Defenses SYN Flood Attack In this type of attack, an attacker sends to a victim a large number of TCP connection requests (TCP SYN packets) with bogus source addresses. The victim responds with acknowledgements (SYN ACK packets), but because the original source addresses are bogus, the victim node does not receive any replies.
Smurf Attack

This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request that has the network's IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the victim with a large number of ICMP Echo (Ping) replies from the other network nodes.
Chapter 17: Denial of Service Defenses Land Attack In this attack, an attacker sends a bogus IP packet where the source and destination IP addresses are the same. This leaves the victim thinking that it is sending a message to itself. The most direct approach for defending against this form of attack would be for the AT-S63 Management Software to check the source and destination IP addresses in the IP packets, searching for and discarding those with identical source and destination addresses.
AT-S63 Management Software Features Guide 2. If the source IP address is not local to the network, it discards the packet because it assumes that a packet with an IP address that is not local to the network should not be appearing on a port that is not an uplink port. This protects against the possibility of a Land attack originating from within your network. 3. If the source IP address is local to the network, the port forwards the packet to uplink port 1.
Chapter 17: Denial of Service Defenses Teardrop Attack An attacker sends an IP packet in several fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. Because of the bogus offset value, the victim is unable to reassemble the packet, possibly causing it to freeze operations. The defense mechanism for this type of attack has all ingress fragmented IP traffic received on a port sent to the switch’s CPU.
Ping of Death Attack

The attacker sends an oversized, fragmented ICMP Echo (Ping) request (greater than 65,535 bytes, the maximum IP datagram size) to the victim, which, if lacking a policy for handling oversized packets, may freeze. To defend against this form of attack, a switch port searches for the last fragment of a fragmented ICMP Echo (Ping) request and examines its offset to determine if the packet size is greater than 63,488 bytes.
IP Options Attack

In the basic scenario of an IP options attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 Management Software does not distinguish between them. Rather, the defense mechanism counts the number of ingress IP packets containing IP options received on a port.
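The checks the sections above describe are all decidable from the IPv4 header, except Teardrop, which needs the offsets of two or more fragments of the same datagram. The following Python is an added example, not Allied Telesis code or part of this guide: it builds constructed IPv4 packets and applies the Land, Smurf, Ping of Death, IP Options and Teardrop tests to them. The addresses are from the RFC 5737 documentation ranges, the local network 192.0.2.0/24, the ICMP bytes and the loose-source-route option are all constructed; the uplink-port and local-subnet logic of the switch's Land defense is not modelled, and the Ping of Death test uses the 65,535-byte datagram limit unless the switch's lower 63,488-byte trigger is passed in.

```python
"""Per-packet checks for the DoS attacks in this chapter, run on constructed IPv4 packets."""
import ipaddress
import struct
from typing import Dict, List

ICMP = 1
ICMP_ECHO_REQUEST = 8
MAX_IP_DATAGRAM = 65535          # largest legal IPv4 datagram, in bytes
IPV4_HDR = "!BBHHHBBH4s4s"       # fixed 20-byte header; options follow it


def build_ipv4(src, dst, proto=ICMP, ident=1, mf=False, offset=0, options=b"", payload=b""):
    """Build a test packet (checksum left zero; constructed input, not a capture).
    `offset` is the fragment offset in 8-byte units, as carried on the wire."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload


def parse_ipv4(pkt: bytes) -> Dict:
    ver_ihl, _tos, total, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = ver_ihl & 0x0F
    return {"id": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,            # byte offset within the datagram
            "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "has_options": ihl > 5, "payload": pkt[ihl * 4:total]}


def is_land(p: Dict) -> bool:
    """Land: source and destination address identical."""
    return p["src"] == p["dst"]


def is_smurf(p: Dict, local_net: str) -> bool:
    """Smurf: ICMP Echo request addressed to the local network's broadcast address."""
    bcast = str(ipaddress.ip_network(local_net).broadcast_address)
    return (p["proto"] == ICMP and p["dst"] == bcast and p["offset"] == 0
            and len(p["payload"]) > 0 and p["payload"][0] == ICMP_ECHO_REQUEST)


def is_ping_of_death(p: Dict, limit: int = MAX_IP_DATAGRAM) -> bool:
    """Ping of Death: the last fragment (MF clear) of an ICMP datagram ends past `limit` bytes."""
    return (p["proto"] == ICMP and not p["mf"] and p["offset"] > 0
            and p["offset"] + len(p["payload"]) > limit)


def has_teardrop_overlap(pkts: List[bytes]) -> bool:
    """Teardrop: fragments of one datagram whose offsets make them overlap."""
    seen: Dict[tuple, List[tuple]] = {}
    for raw in pkts:
        p = parse_ipv4(raw)
        if not (p["mf"] or p["offset"]):
            continue                                   # not a fragment
        key = (p["src"], p["dst"], p["id"], p["proto"])
        start, end = p["offset"], p["offset"] + len(p["payload"])
        if any(start < e and s < end for s, e in seen.get(key, [])):
            return True
        seen.setdefault(key, []).append((start, end))
    return False


def classify(pkt: bytes, local_net: str = "192.0.2.0/24") -> List[str]:
    """Labels the single-packet defenses would raise for pkt."""
    p = parse_ipv4(pkt)
    hits = []
    if is_land(p):
        hits.append("land")
    if is_smurf(p, local_net):
        hits.append("smurf")
    if is_ping_of_death(p):
        hits.append("ping-of-death")
    if p["has_options"]:
        hits.append("ip-options")
    return hits


ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # ICMP Echo request header (constructed)
SAMPLES = {
    "land": build_ipv4("192.0.2.10", "192.0.2.10", payload=ECHO),
    "smurf": build_ipv4("192.0.2.10", "192.0.2.255", payload=ECHO),
    # last fragment at offset 8191*8 = 65528 plus 64 bytes of payload: 65592 bytes in total
    "ping_of_death": build_ipv4("198.51.100.7", "192.0.2.10", ident=77, offset=8191, payload=b"A" * 64),
    # loose source route option (type 0x83, length 7, pointer 4, one address)
    "ip_options": build_ipv4("198.51.100.7", "192.0.2.10", options=b"\x83\x07\x04\x0a\x00\x00\x01", payload=ECHO),
    "clean": build_ipv4("198.51.100.7", "192.0.2.10", payload=ECHO),
}
TEARDROP = [build_ipv4("198.51.100.7", "192.0.2.10", ident=5, mf=True, offset=0, payload=b"B" * 24),
            build_ipv4("198.51.100.7", "192.0.2.10", ident=5, offset=2, payload=b"B" * 24)]  # bytes 16..40 overlap 0..24

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} {classify(pkt)}")
    print("teardrop overlap:", has_teardrop_overlap(TEARDROP))
```

Note that `has_teardrop_overlap` has to keep per-datagram state across packets, which is exactly why the switch's Teardrop defense has to send fragments to the CPU and why the guidelines call it CPU intensive.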
AT-S63 Management Software Features Guide Mirroring Traffic The Land, Teardrop, Ping of Death, and IP Options defense mechanisms allow you to copy the examined traffic to a mirror port for further analysis with a data sniffer or analyzer. This feature differs slightly from port mirroring in that prior to an actual violation of a defense mechanism, only the packets examined by a defense mechanism, rather than all packets, are mirrored to the destination port.
Denial of Service Defense Guidelines

Below are guidelines to observe when using this feature:

- A switch port can support more than one DoS defense at a time.
- The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution. Because the Teardrop defense sends every ingress fragment on the port to the switch's CPU, a flood of fragments on such a port loads the switch's own control plane; enable it only on ports where fragmented traffic is expected to be rare.
Chapter 18 Power Over Ethernet

This chapter contains background information on Power over Ethernet (PoE) for the AT-9424T/POE Switch. Sections in the chapter include:

- "Supported Platforms" on page 214
- "Overview" on page 215
- "Power Budgeting" on page 216
- "Port Prioritization" on page 217
- "PoE Device Classes" on page 218

Note: This chapter applies only to the AT-9424T/POE Switch.
Supported Platforms

Refer to Table 62 and Table 63 for the AT-9400 Switch and the management interfaces that support the Power over Ethernet feature.

Table 62. Support for the Power Over Ethernet Feature

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          No
    AT-9424T/GB           No
    AT-9424T/SP           No
  Basic Layer 3 Models
    AT-9424T              No
    AT-9424T/POE          Yes
    AT-9424Ts             No
    AT-9424Ts/XP          No
    AT-9448T/SP           No
    AT-9448Ts/XP          No
    AT-9400Ts Stack       No

Table 63.
Overview

Power over Ethernet (PoE) is a mechanism for supplying power to network devices over the same twisted pair cables that carry the network traffic. This feature, defined in the IEEE 802.3af standard, can make the installation and maintenance of a network easier. The device that provides the power, in this case the AT-9424T/POE Switch, acts as a central power source for other network devices.
Power Budgeting

The AT-9424T/POE Switch has a maximum power budget of 380 watts. The maximum possible load on the switch from the powered devices is stated as 360 W, on the assumption that all twenty-four ports are connected to powered devices drawing the IEEE 802.3af maximum of 15.4 W per port (note that 24 × 15.4 W is 369.6 W, which still fits within the 380 W budget). Given that the power budget of the switch exceeds the highest possible load, it should be possible to connect powered devices to all of the ports without exceeding the power budget.
AT-S63 Management Software Menus User’s Guide Port Prioritization Port prioritization is used to control which ports on the switch are to receive PoE in the event the power requirements of the devices exceed the switch’s power budget. Port prioritization should be unnecessary on the AT-9424T/POE Switch since its power supply can deliver the maximum of 15.4 W to all of its twenty four ports simultaneously.
PoE Device Classes

The IEEE 802.3af standard specifies four levels of classes for powered devices that are defined by power usage. The classes are:

- Class 0: 0.44 W to 12.95 W
- Class 1: 0.44 W to 3.84 W
- Class 2: 3.84 W to 6.49 W
- Class 3: 6.49 W to 12.95 W

(The standard actually specifies five levels; the fifth, class 4, is reserved for future use.) The class of a powered device is set by the manufacturer and it cannot be changed.
Section III Snooping Protocols The chapters in this section contain overview information on the snooping protocols.
Chapter 19 Internet Group Management Protocol Snooping

This chapter explains the Internet Group Management Protocol (IGMP) snooping feature in the following sections:

- "Supported Platforms" on page 222
- "Overview" on page 223
Chapter 19: Internet Group Management Protocol Snooping Supported Platforms Refer to Table 64 and Table 65 for the AT-9400 Switches and the management interfaces that support the Internet Group Management Protocol (IGMP) snooping feature. Table 64.
AT-S63 Management Software Features Guide Overview IPv4 routers use IGMP to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports. A node wanting to become a member of a multicast group responds to a query by sending a report.
Chapter 19: Internet Group Management Protocol Snooping Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance.
Chapter 20 Internet Group Management Protocol Snooping Querier

This chapter explains IGMP snooping querier and contains the following sections:

- "Supported Platforms" on page 226
- "Overview" on page 227
- "Guidelines" on page 230
- "Configuring the Feature" on page 231
Supported Platforms

Refer to Table 66 and Table 67 for the AT-9400 Switches and the management interfaces that support IGMP snooping querier.

Table 66. Support for IGMP Snooping Querier

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          No
    AT-9424T/GB           No
    AT-9424T/SP           No
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       Yes

Table 67.
AT-S63 Management Software Features Guide Overview Multicast routers are essential for IP multicasting. They send out the queries to the network nodes to determine group memberships, route the multicast packets across networks, and maintain lists of the multicast groups and the ports where the members of the groups are located. But if IP multicasting is restricted to a single LAN, without the need for routing, IGMP snooping querier can be used in place of a multicast router.
Figure 25. IGMP Snooping Querier Example 1

Switch 1:
  VLAN: Default_VLAN
  VID: 1
  IGMP snooping: Enabled
  IGMP snooping querier: Enabled
  Routing interface address: 149.123.48.2
Multicast source:
  IP address: 149.123.48.1
Host nodes:
  IP addresses: 149.123.48.3 to 149.123.48.24

The next example adds a second switch that has the same VLAN, the Default VLAN.
Figure 26.

Switch 1:
  VLAN: Default_VLAN
  VID: 1
  IGMP snooping: Enabled
  IGMP snooping querier: Enabled
  Routing interface address: 149.123.48.2
Multicast source:
  IP address: 149.123.48.1
Host nodes:
  IP addresses: 149.123.48.3 to 149.123.48.24

Switch 2:
  VLAN: Default_VLAN
  VID: 1
  IGMP snooping: Enabled
  IGMP snooping querier: Disabled
  No routing interface
Host nodes:
  IP addresses: 149.123.48.25 to 149.123.48.40
Guidelines

The guidelines for IGMP snooping querier are listed here:

- The network can have only one LAN.
- There cannot be any multicast routers.
- IGMP snooping must be enabled on the switch.
- IGMP snooping querier should be enabled on just one switch. Other switches in the LAN should use IGMP snooping.
- IGMP snooping querier must be applied to the VLAN on which the queries are to be sent.
Configuring the Feature

The procedures in this section illustrate how to use the standard commands and the AlliedWare Plus commands to configure the switch for IGMP snooping querier. The procedures configure the settings for switch 1 in Figure 25 on page 228.

To configure the feature with the standard commands:

1. To create the routing interface:

   add ip interface=vlan1-0 ipaddress=149.123.48.2 mask=255.255.255.0

2. To enable IGMP snooping:

   enable igmpsnooping

3.
5. To confirm that IGMP snooping and IGMP snooping querier are enabled on the switch and that the interface is functioning as the querier:

   show igmpsnooping

   IGMP Snooping Configuration:
    IGMP Snooping Status ...............
    Querier Admin ......................
    Host Topology ......................
    Host/Router Timeout Interval .......
    Maximum IGMP Multicast Groups ......
    Router Port(s) .....................
2. To enable IGMP snooping:

   awplus(config)# ip igmp snooping

3. To enable IGMP snooping querier and apply it to the VLAN:

   awplus(config)# ip igmp querier-list 1
   awplus(config)# exit

4. To confirm the routing interface:

   awplus# show ip interface

5. To confirm that IGMP snooping and IGMP snooping querier are enabled on the switch and that the interface is functioning as the querier:

   awplus# show ip igmp snooping

6.
Chapter 21 Multicast Listener Discovery Snooping

This chapter explains Multicast Listener Discovery (MLD) snooping:

- "Supported Platforms" on page 236
- "Overview" on page 237
Supported Platforms

Refer to Table 68 and Table 69 for the AT-9400 Switches and the management interfaces that support Multicast Listener Discovery snooping.

Table 68. Support for Multicast Listener Discovery Snooping

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       No

Table 69.
AT-S63 Management Software Features Guide Overview MLD snooping performs the same function as IGMP snooping. The switch uses the feature to build multicast membership lists. It uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of the multicast groups. The difference between the two is that MLD snooping is for IPv6 and IGMP snooping for IPv4 environments. (For background information on IGMP snooping, refer to “Overview” on page 223.
Chapter 22 Router Redundancy Protocol Snooping

This chapter explains Router Redundancy Protocol (RRP) snooping and contains the following sections:

- "Supported Platforms" on page 240
- "Overview" on page 241
- "Guidelines" on page 242
Supported Platforms

Refer to Table 70 and Table 71 for the AT-9400 Switches and the management interfaces that support Router Redundancy Protocol Snooping.

Table 70. Support for Router Redundancy Protocol Snooping

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       No

Table 71.
AT-S63 Management Software Features Guide Overview The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one as the master router. This router functions as the provider of the primary path between LAN segments. Slave routers function as backup paths in the event that the master router or primary path fails.
Guidelines

The following guidelines apply to the RRP snooping feature:

- The default setting for this feature is disabled.
- Activating the feature flushes all dynamic MAC addresses from the MAC address table.
- RRP snooping is supported on ports operating in the MAC address-based port security level of automatic. This feature is not supported on ports operating with a security level of limited, secured, or locked.
Chapter 23 Ethernet Protection Switching Ring Snooping

This chapter has the following sections:

- "Supported Platforms" on page 244
- "Overview" on page 245
- "Restrictions" on page 247
- "Guidelines" on page 249
Supported Platforms

Refer to Table 72 and Table 73 for the AT-9400 Switches and the management interfaces that support Ethernet Protection Switching Ring Snooping.

Table 72. Support for Ethernet Protection Switching Ring Snooping

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          No
    AT-9424T/GB           No
    AT-9424T/SP           No
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       No

Table 73.
AT-S63 Management Software Features Guide Overview Ethernet Protection Switching Ring is a feature found on selected Allied Telesis products, such as the AT-x900 Advanced Layer 3 Switches. It offers an effective alternative to spanning tree based options when using ring based topologies to create high speed resilient networks. EPSR consists of a master node and a number of transit nodes in a ring configuration.
Chapter 23: Ethernet Protection Switching Ring Snooping After creating the VLANs, you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it receive EPSR messages on one of the two ports of the VLAN.
Restrictions

EPSR snooping has three important restrictions. All the restrictions are related to EPSR control messages and the fact that EPSR snooping cannot generate these messages. The AT-9400 Switch cannot fulfill the role of master node of a ring because EPSR snooping does not generate EPSR control messages. That function must be assigned to another Allied Telesis switch that supports EPSR, such as the AT-x900 Advanced Layer 3 Switches.
Figure 29. Double Fault Condition in EPSR Snooping (diagram labels: AT-8948 Switch, Master Node, P, S, Transit Node, AT-9400 Switch, Transit Node)

Now assume the link is reestablished between the switch and transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN to the AT-9400 Switch.
Guidelines

The guidelines to EPSR snooping are:

- The AT-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances.
- The AT-9400 Switch cannot be the master node of a ring.
- EPSR snooping does not support the transit node unsolicited method of fault notification.
- The switch must be operating in the user-configured VLAN mode. EPSR snooping is not supported in the Multiple VLAN mode or the 802.
Section IV SNMPv3 The chapter in this section contains overview information on SNMPv3.
Chapter 24 SNMPv3 This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol.
Supported Platforms

Refer to Table 74 and Table 75 for the AT-9400 Switches and the management interfaces that support SNMPv3.

Table 74. Support for SNMPv3

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
    AT-9400Ts Stack       Yes

Table 75.
AT-S63 Management Software Features Guide Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 4, “SNMPv1 and SNMPv2c” on page 91. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. In addition, SNMP terminology changes in the SNMPv3 protocol. In the SNMPv1 and SNMPv2c protocols, the terms agent and manager are used.
SNMPv3 Authentication Protocols

The SNMPv3 protocol supports two authentication protocols: HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use a hash algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both protocols use keys to perform authentication. Of the two, SHA is the stronger choice and should be preferred wherever the management station supports it; MD5 remains available for compatibility only.
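The keys the section above refers to are not the user's password itself. Under the User-based Security Model (RFC 3414) the password is first stretched into a key and then localized with the switch's SNMP engine ID, so the same password produces a different key on every switch; the sender then computes an HMAC over the whole message and sends only its first 96 bits. The following Python is an added example, not from this guide or from the AT-S63 software, showing that derivation for both MD5 and SHA. The password "maplesyrup" and the engine ID 00…02 are the RFC 3414 Appendix A test vectors; the second engine ID and the message bytes are constructed.

```python
"""USM password-to-key, key localization and HMAC-96 authentication (RFC 3414)."""
import hashlib
import hmac

HASH = {"md5": "md5", "sha": "sha1"}   # HMAC-MD5-96 and HMAC-SHA-96
MEGABYTE = 1_048_576


def password_to_key(password: str, protocol: str) -> bytes:
    """Ku: hash of the password repeated out to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    pw = password.encode()
    buf = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return hashlib.new(HASH[protocol], buf).digest()


def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Kul: bind Ku to one engine, so a password compromise on one switch yields
    a key that is useless against another engine."""
    return hashlib.new(HASH[protocol], ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, protocol: str = "sha") -> bytes:
    return localize_key(password_to_key(password, protocol), engine_id, protocol)


def auth_parameters(kul: bytes, whole_msg: bytes, protocol: str = "sha") -> bytes:
    """msgAuthenticationParameters: HMAC over the message (with this field zeroed
    by the sender), truncated to 96 bits."""
    return hmac.new(kul, whole_msg, HASH[protocol]).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, received: bytes, protocol: str = "sha") -> bool:
    """Constant-time comparison so a receiver does not leak the tag byte by byte."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, protocol), received)


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")        # RFC 3414 A.3 sample engine ID
    for proto in ("md5", "sha"):
        print(proto, usm_localized_key("maplesyrup", engine, proto).hex())
    other = bytes.fromhex("80001f8880e9bd0b2b0a1b1c")          # constructed second engine ID
    print("same password, different engine:",
          usm_localized_key("maplesyrup", engine) != usm_localized_key("maplesyrup", other))
```

The practical consequence: an SNMPv3 user's password is what an operator manages, but what a switch stores and what an attacker who reads its configuration obtains is the localized key, which is tied to that switch's engine ID.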
SNMPv3 Privacy Protocol

After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S63 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES protocol is the only encryption protocol supported. The DES privacy protocol requires the authentication protocol to be configured as either MD5 or SHA. DES uses a 56-bit key and is weak by current standards; it is still better than sending SNMPv3 requests with authentication only, but restrict SNMP reachability to a management network rather than relying on DES alone to protect the traffic.
SNMPv3 MIB Views

The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 30.
After you specify a MIB subtree view, you have the option of further restricting the view by defining a subtree mask. The relationship between a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask: the switch uses the subnet mask to determine which portion of an IP address represents the network address and which portion represents the node address, and in the same way the subtree mask determines which sub-identifiers of the subtree must match exactly and which may take any value.
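How a subtree mask selects OIDs, as an added example that is not AT-S63 code. It follows the RFC 3415 view-tree-family rules (the same model the SNMPv3 View Table implements); the view names, subtrees and masks are made up for illustration, and the mask 0xFF 0xBF wildcards the tenth sub-identifier of an interface-table instance so that one row is visible across every column.

```python
"""MIB view membership with a subtree mask (RFC 3415 vacmViewTreeFamilyTable).

Added example, not AT-S63 code; the view names, subtrees and masks are made up
for illustration. The mask is read as a bit string, one bit per sub-identifier
of the subtree, most significant bit of the first octet first: 1 means the OID
must match the subtree at that position, 0 means any value is accepted. Bits
beyond the end of the mask count as 1, so an empty mask means "exact subtree".
"""


def parse_oid(text: str) -> tuple:
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bit(mask: bytes, index: int) -> bool:
    byte, bit = divmod(index, 8)
    if byte >= len(mask):
        return True
    return bool(mask[byte] & (0x80 >> bit))


def in_family(oid: str, subtree: str, mask: bytes = b"") -> bool:
    """OID belongs to the family if it is at least as long as the subtree and
    agrees with it at every position whose mask bit is 1."""
    o, s = parse_oid(oid), parse_oid(subtree)
    if len(o) < len(s):
        return False
    return all(o[i] == s[i] for i in range(len(s)) if mask_bit(mask, i))


class MibView:
    """A named view: a set of included and excluded subtree families."""

    def __init__(self, name: str):
        self.name = name
        self.families = []  # (subtree, mask, included)

    def include(self, subtree: str, mask: bytes = b"") -> "MibView":
        self.families.append((subtree, mask, True))
        return self

    def exclude(self, subtree: str, mask: bytes = b"") -> "MibView":
        self.families.append((subtree, mask, False))
        return self

    def allows(self, oid: str) -> bool:
        """RFC 3415 3.5: among matching families the one with the longest
        subtree wins; ties go to the lexicographically greatest mask. An OID
        that matches no family is outside the view."""
        best = None
        for subtree, mask, included in self.families:
            if in_family(oid, subtree, mask):
                rank = (len(parse_oid(subtree)), mask)
                if best is None or rank > best[0]:
                    best = (rank, included)
        return best is not None and best[1]


# mib-2 (1.3.6.1.2.1) for monitoring, minus the IP routing table.
OPERATOR_VIEW = MibView("operators").include("1.3.6.1.2.1").exclude("1.3.6.1.2.1.4.21")
# Only the ifTable row for ifIndex 3, whatever the column: mask 0xFF 0xBF has
# a 0 bit at position 10 (the column sub-identifier, given here as 0).
IFINDEX3_VIEW = MibView("if3").include("1.3.6.1.2.1.2.2.1.0.3", bytes.fromhex("ffbf"))
```

The longest-match rule is what lets an "Operators" view grant a whole subtree while carving out sensitive tables; an OID that matches nothing is denied, so a view with no families hides everything.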
SNMPv3 Storage Types

Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile storage, which allows you to save the table entry, and volatile storage, which does not. If you select the volatile storage type, your SNMPv3 configuration is lost when you power off the switch and cannot be recovered. At each SNMPv3 menu, you are prompted to configure a storage type.
SNMPv3 Message Notification

When you generate an SNMPv3 message from the switch, there are three basic pieces of information included in the message:
  The type of message
  The destination of the message
  SNMP security information

To configure the type of message, you need to define whether you are sending a Trap or an Inform message. Basically, the switch expects a response to an Inform message and does not expect a response to a Trap message.
SNMPv3 Tables

The SNMPv3 configuration is divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration:
  Configure SNMPv3 User Table
  Configure SNMPv3 View Table
  Configure SNMPv3 Access Table
  Configure SNMPv3 SecurityToGroup Table

First, you create a user in the Configure SNMPv3 User Table.
You use the following tables for message notification configuration:
  Configure SNMPv3 Notify Table
  Configure SNMPv3 Target Address Table
  Configure SNMPv3 Target Parameters Table

You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address that is used for notification in the Configure SNMPv3 Target Address Table. This is the IP address of the SNMPv3 host.
  “SNMPv3 Target Parameters Table” on page 265
  “SNMPv3 Community Table” on page 265

SNMPv3 User Table

The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so that the messages a user sends and receives are encrypted.
SNMPv3 Notify Table

The Configure SNMPv3 Notify Table menu allows you to define the type of message that is sent from the switch to the SNMP host: either an Inform or a Trap message. The difference between these two types of messages is that when a switch sends an Inform message, the switch expects a response from the host.
SNMPv3 Configuration Example

You may want to have two classes of SNMPv3 users, Managers and Operators. In this scenario, you would configure one group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privileges only. For a detailed example of this configuration, see Appendix B, “SNMPv3 Configuration Examples” on page 543.
Section V: Spanning Tree Protocols

This section has the following chapters:
  Chapter 25, “Spanning Tree and Rapid Spanning Tree Protocols” on page 269
  Chapter 26, “Multiple Spanning Tree Protocol” on page 289
Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols

This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP).
Supported Platforms

Refer to Table 76 and Table 77 for the AT-9400 Switches and the management interfaces that support the Spanning Tree and Rapid Spanning Tree Protocols.

Table 76.
Overview

The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path.
Bridge Priority and the Root Bridge

The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine whether there are redundant paths in the network. A root bridge is selected by its bridge priority number, which together with the bridge's MAC address forms the bridge identifier; the bridge with the lowest identifier becomes the root. Because any device that can send BPDUs can advertise a lower priority and take over the root role, protect ports that connect to end stations with BPDU guard (see “RSTP BPDU Guard” later in this chapter).
Path Costs and Port Costs

After the root bridge has been selected, the bridges determine if the network contains redundant paths and, if one is found, select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one path between a bridge and the root bridge, the bridge is referred to as the designated bridge and the port through which the bridge is communicating with the root bridge is referred to as the root port.
Table 80 lists the STP port costs with Auto-Detect when a port is part of a port trunk.

Table 80. STP Auto-Detect Port Trunk Costs

  Port Speed     Port Cost
  10 Mbps        4
  100 Mbps       4
  1000 Mbps      2

Table 81 lists the RSTP port costs with Auto-Detect.

Table 81.
Table 83.
Forwarding Delay and Topology Changes

If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports. However, a change in a port state is not activated immediately. It might take time for the root bridge to notify all bridges that a topology change has occurred, especially if it is a large network.
seconds and the default is two seconds. Consequently, if the AT-9400 Switch is selected as the root bridge of a spanning tree domain, it transmits a BPDU every two seconds.

Point-to-Point and Edge Ports

Note: This section applies only to RSTP.

Part of the task of configuring RSTP is defining the port types on the bridge. This relates to the device(s) connected to the port.
Figure: An AT-9424T/SP Gigabit Ethernet Switch with one port labeled Edge Port (front-panel illustration; panel markings not reproduced).
Mixed STP and RSTP Networks

RSTP (IEEE 802.1w) is backward compatible with STP (IEEE 802.1D). A network can have both protocols. If both RSTP and STP are present in a network, they operate together to create a single spanning tree domain. Given this, if you decide to activate spanning tree on the AT-9400 Switch, there is no reason not to use RSTP, even if the other switches are running STP.
Spanning Tree and VLANs

The STP and RSTP implementations in the AT-S63 Management Software support a single-instance spanning tree that encompasses all the ports on the switch. If the ports are divided into different VLANs, the spanning tree crosses the VLAN boundaries. This point can pose a problem in networks that contain multiple VLANs that span different switches and that are connected with untagged ports.
RSTP BPDU Guard

This feature monitors RSTP edge ports on stand-alone switches or AT-9400Ts stacks and disables a port if it receives a BPDU. Edge ports are intended for end stations, which never send BPDUs, so a BPDU arriving on one indicates either a switch connected where a host was expected or a host deliberately injecting spanning tree frames. Disabling the port prevents such a device from participating in RSTP and so reduces the possibility of unwanted changes to the network topology, such as a rogue device claiming the root bridge role.
BPDU guard is supported only on RSTP. It is not supported on STP or MSTP. This feature is supported on the base ports of the switch and any expansion modules and fiber optic transceivers installed in the unit.

Note: A port that the BPDU guard feature has disabled remains in that state until you enable it with the management software.
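What BPDU guard has to recognize, as an added example that is not AT-S63 code: a decoder for Configuration and RST BPDUs (group address 01:80:C2:00:00:00, LLC 42 42 03) and the guard decision from the section above. The frames, MAC addresses and priorities are constructed; the rogue frame models a host on an edge port advertising itself as root with priority 0.

```python
"""Decode STP/RSTP BPDUs and apply the BPDU guard rule from this chapter.

Added example, not AT-S63 code. The frames are constructed here; the MAC
addresses and priorities are made up. Layout per IEEE 802.1D / 802.1w:
destination 01:80:C2:00:00:00, 802.3 length, LLC 42 42 03, then the BPDU.
"""
import struct

STP_GROUP_MAC = bytes.fromhex("0180c2000000")
LLC_BPDU = b"\x42\x42\x03"
TYPE_CONFIG, TYPE_RST, TYPE_TCN = 0x00, 0x02, 0x80


def parse_bridge_id(raw: bytes) -> dict:
    """8 octets: 4-bit priority + 12-bit system ID extension, then the MAC."""
    word = struct.unpack("!H", raw[:2])[0]
    return {"priority": word & 0xF000, "sys_id_ext": word & 0x0FFF, "mac": raw[2:8].hex(":")}


def parse_bpdu(frame: bytes):
    """Return a dict describing the BPDU, or None if the frame is not one."""
    if len(frame) < 21 or frame[:6] != STP_GROUP_MAC:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != LLC_BPDU:
        return None  # an Ethertype, or another LLC client: not spanning tree
    b = frame[17:14 + length]
    if len(b) < 4:
        return None
    proto, version, btype = struct.unpack("!HBB", b[:4])
    if proto != 0:
        return None
    if btype == TYPE_TCN:
        return {"type": "TCN", "version": version}
    if btype not in (TYPE_CONFIG, TYPE_RST) or len(b) < 35:
        return None
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", b[25:35])
    return {
        "type": "RST" if btype == TYPE_RST else "Config",
        "version": version,
        "flags": b[4],
        "root": parse_bridge_id(b[5:13]),
        "root_path_cost": struct.unpack("!I", b[13:17])[0],
        "bridge": parse_bridge_id(b[17:25]),
        "port_id": port_id,
        # timer fields are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def bpdu_guard(port_is_edge: bool, frame: bytes) -> str:
    """The guide's rule: a BPDU on an edge port disables that port, and it stays
    disabled until an administrator re-enables it. Other frames are forwarded;
    BPDUs on non-edge ports are handed to RSTP as usual."""
    if parse_bpdu(frame) is None:
        return "forward"
    return "disable-port" if port_is_edge else "process-bpdu"


def build_rst_bpdu(src_mac: bytes, root_priority: int, root_mac: bytes,
                   bridge_priority: int, bridge_mac: bytes, cost: int = 0) -> bytes:
    """Constructed RST BPDU (hello 2 s, max age 20 s, forward delay 15 s)."""
    body = struct.pack("!HBBB", 0, 2, TYPE_RST, 0x7C)       # proto, version 2, type, flags
    body += struct.pack("!H", root_priority) + root_mac       # root identifier
    body += struct.pack("!I", cost)                           # root path cost
    body += struct.pack("!H", bridge_priority) + bridge_mac   # bridge identifier
    body += struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    body += b"\x00"                                           # version 1 length
    llc_and_bpdu = LLC_BPDU + body
    frame = STP_GROUP_MAC + src_mac + struct.pack("!H", len(llc_and_bpdu)) + llc_and_bpdu
    return frame + bytes(max(0, 60 - len(frame)))             # pad to minimum frame size


# Constructed: a host on an edge port claims to be the root bridge with priority 0.
ROGUE_MAC = bytes.fromhex("020000badc0d")
ROGUE_BPDU = build_rst_bpdu(ROGUE_MAC, 0, ROGUE_MAC, 0, ROGUE_MAC)
# Constructed: an ordinary IPv4 broadcast frame from a host.
DATA_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
```

Run as a script the block decodes the rogue frame and shows the root priority of 0 that would win the election on an unguarded network; the same parser is the starting point for a capture-based check that no BPDUs are seen on access ports.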
RSTP Loop Guard

Although RSTP is intended to detect and prevent the formation of loops in a network topology, it is possible that the protocol might inadvertently create a loop. This can happen in the unlikely situation where a link between two RSTP devices remains active when there is a cessation of BPDUs because of a hardware or software problem. This feature is designed to prevent the formation of a loop in this situation.
This feature is supported on the base ports of the switch as well as on any expansion modules and fiber optic transceivers installed in the unit. This feature is not supported in STP or MSTP. It is also not supported on RSTP edge ports. The following figures illustrate this feature. The first figure shows RSTP under normal operations in a network of three switches that have been connected to form a loop.
Figure 38. Loop Guard Example 2 (labels: Switch 1, root bridge; Switch 2; Switch 3; Port 17, stops transmitting BPDUs; Port 14, transitions to the forwarding state from the blocking state)

But if loop guard is enabled on port 14 on switch 3, the port, instead of changing to the forwarding state, stays in the blocking state, preventing the formation of the loop.
In the first example the root bridge stops transmitting BPDUs. If switch 3 is not using loop guard, it continues to forward traffic on port 4, but since no BPDUs are received on the port, it assumes that the device connected to the port is not an RSTP device. Since switch 2 becomes the new root bridge, port 14 on switch 3 transitions to the forwarding state from the blocking state to become the new root port for the switch.
Figure 41. (labels: Switch 1, old root bridge, RSTP stops operating; Switch 2, new root bridge; Switch 3; Port 14, transitions from the blocking state to the forwarding state; Port 4, loop guard changes the port to the blocking state from the forwarding state)
Chapter 26: Multiple Spanning Tree Protocol

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP).
Supported Platforms

Refer to Table 84 and Table 85 for the AT-9400 Switches and the management interfaces that support the Multiple Spanning Tree Protocol.

Table 84. Support for the Multiple Spanning Tree Protocol

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         -

Table 85.
Overview

As mentioned in Chapter 25, “Spanning Tree and Rapid Spanning Tree Protocols” on page 269, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.
Multiple Spanning Tree Instance (MSTI)

The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Switches. The switch can support up to 16 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch is shipped with a default MSTI with an MSTI ID of 0.
Figure: Two AT-9424T/SP Gigabit Ethernet Switches connected by two links, one carrying the Sales VLAN and the other the Production VLAN; with a single-instance spanning tree one of the links is marked Block (front-panel illustration; panel markings not reproduced).
Figure 43 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
An MSTI can contain more than one VLAN. This is illustrated in Figure 44, where there are two AT-9400 Switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
MSTI Guidelines

The following are several guidelines to keep in mind about MSTIs:
  The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST.
  An MSTI can contain any number of VLANs.
  A VLAN can belong to only one MSTI at a time.
  A switch port can belong to more than one spanning tree instance at a time by being an untagged and tagged member of VLANs belonging to different MSTIs.
VLAN and MSTI Associations

Part of the task of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instance can contain any number of VLANs.
Ports in Multiple MSTIs

A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously, depending on the requirements of the MSTIs.
Multiple Spanning Tree Regions

Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. Those characteristics are:
  Configuration name
  Revision number
  VLANs
  VLAN to MSTI ID associations

A configuration name is a name assigned to a region to identify it. You must assign each bridge in a region exactly the same name, even the same upper and lowercase lettering.
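How bridges actually compare those characteristics, as an added example that is not AT-S63 code: per IEEE 802.1Q clause 13.7 (originally 802.1s) the VLAN-to-MSTI table is sent as an HMAC-MD5 digest computed with a fixed key, and two bridges are in one region only if name, revision and digest all match. The VLAN maps and region names below are made up; the key and the default-table digest are the values defined by the standard.

```python
"""MST Configuration Identifier: how bridges decide they are in the same region.

Added example, not AT-S63 code. Per IEEE 802.1Q clause 13.7 (originally
802.1s) the VLAN-to-MSTI table is not sent in full; a bridge sends an
HMAC-MD5 digest of it, computed over all 4096 VIDs with the fixed key below.
Two bridges are in one region only if configuration name, revision and digest
all match, which is why a single differing VLAN association (or a name that
differs only in case) splits a region. The VLAN maps are made up.
"""
import hashlib
import hmac
import struct

# Key specified by the standard; identical on every MSTP bridge.
MST_CONFIG_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Digest of the default table (every VLAN in the CIST, MSTI ID 0), the value
# most vendors' "show spanning-tree mst configuration" prints out of the box.
DEFAULT_DIGEST = bytes.fromhex("AC36177F50283CD4B83821D8AB26DE62")


def config_digest(vlan_to_msti: dict) -> bytes:
    """HMAC-MD5 over 4096 big-endian 16-bit MSTI IDs indexed by VID. VIDs not
    listed stay in the CIST (0); entries 0 and 4095 are always 0."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")
        if not 0 <= msti <= 4094:  # the AT-S63 itself accepts MSTI IDs 1..15 (0 = CIST)
            raise ValueError(f"MSTI {msti} out of range")
        struct.pack_into("!H", table, 2 * vid, msti)
    return hmac.new(MST_CONFIG_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def mst_config_id(name: str, revision: int, vlan_to_msti: dict) -> tuple:
    """(format selector, name, revision, digest) as carried in the MST BPDU.
    The name is compared octet for octet, so case matters."""
    return (0, name.encode("ascii")[:32], revision, config_digest(vlan_to_msti))


def same_region(a: tuple, b: tuple) -> bool:
    return a == b


# Constructed: switches the administrator intends to form one region.
SWITCH_A = mst_config_id("Region1", 1, {2: 1, 3: 1, 4: 2, 5: 2})
SWITCH_B = mst_config_id("Region1", 1, {2: 1, 3: 1, 4: 2, 5: 2})
SWITCH_C = mst_config_id("Region1", 1, {2: 1, 3: 1, 4: 2, 5: 1})  # VLAN 5 in the wrong MSTI
SWITCH_D = mst_config_id("region1", 1, {2: 1, 3: 1, 4: 2, 5: 2})  # name differs only in case
```

When two switches that should share a region do not, comparing their digests is the quickest way to see whether the VLAN associations differ; a digest equal to DEFAULT_DIGEST means a switch has every VLAN still in the CIST, the condition the “Associating VLANs to MSTIs” guideline in this chapter warns about.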
Figure 45 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region. Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must have a root bridge to locate physical loops within the spanning tree instance. An MSTI’s root bridge is called a regional root.
Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. First, you cannot delete this instance and you cannot change its MSTI ID.
Summary of Guidelines

Careful planning is essential for the successful implementation of MSTP. This section reviews all the rules and guidelines mentioned in earlier sections, and contains a few new ones:
  The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST, at a time.
  An MSTI can contain any number of VLANs.
  A VLAN can belong to only one MSTI at a time.
Note: The AT-S63 MSTP implementation complies fully with the IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementation.
Associating VLANs to MSTIs

Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state. The reason for this guideline is explained below. An MSTP BPDU contains the instance to which the port transmitting the packet belongs. By default, all ports belong to the CIST instance.
Figure: A BPDU packet carrying the instances CIST 0 and MSTI 10 is sent from Port 1 of Switch A over the link to Port 15 (front-panel illustrations of two switches; panel markings not reproduced).
Connecting VLANs Across Different Regions

Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region. Unless planned properly, VLAN fragmentation can occur between the VLANs of your network. As mentioned previously, only the CIST can span regions. An MSTI cannot.
Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example.
Section VI: Virtual LANs

The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Switch.
Chapter 27: Port-based and Tagged VLANs

This chapter contains overview information about port-based and tagged virtual LANs (VLANs).
Supported Platforms

Refer to Table 86 and Table 87 for the AT-9400 Switches and the management interfaces that support the port-based and tagged VLANs.

Table 86. Support for Port-based and Tagged VLANs

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         Yes

Table 87.
Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 Management Software and so be able to group nodes with related functions into their own separate,  logical LAN segments.
Management Software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch. This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location.
Port-based VLAN Overview

As explained in “Overview” on page 313, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.
three AT-9400 Switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 Management Software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
Guidelines to Creating a Port-based VLAN

Below are the guidelines to creating a port-based VLAN.
  Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same VID.
  A port can be an untagged member of only one port-based VLAN at a time.

Drawbacks of Port-based VLANs
Port-based Example 1

Figure 49 illustrates an example of one AT-9424T/SP Gigabit Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.)

Figure 49. (An AT-9424T/SP Gigabit Ethernet Switch, ports 1 to 24, with the Sales VLAN (VID 2), the Engineering VLAN (VID 3) and the Production VLAN (VID 4), each connected to a WAN router)
In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.

Port-based Example 2

Figure 50 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two AT-9400 Gigabit Ethernet Switches.
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:

  VLAN                       AT-9424T/SP Switch (top)       AT-9424T/GB Switch (bottom)
  Sales VLAN (VID 2)         Ports 1 - 6 (PVID 2)           Ports 2 - 4, 6, 8 (PVID 2)
  Engineering VLAN (VID 3)   Ports 9 - 13 (PVID 3)          Ports 16, 18 - 20, 22 (PVID 3)
  Production VLAN (VID 4)    Ports 17, 19 - 21 (PVID 4)     none

Sales VLAN - This VLAN spans both switches.
Tagged VLAN Overview

The second type of VLAN supported by the AT-S63 Management Software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.
Port VLAN Identifier

Note: For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 315 and “VLAN Identifier” on page 315.

Tagged and Untagged Ports

You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
Tagged VLAN Example

Figure 51 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

Figure 51. (Sales VLAN (VID 2), Engineering VLAN (VID 3) and Production VLAN (VID 4) on an AT-9424T/SP Gigabit Ethernet Switch, ports 1 to 24, with a legacy server and an IEEE 802.1Q-based device)
The port assignments for the VLANs are as follows:

  VLAN                       AT-9424T/SP Switch (top)                      AT-9424T/GB Switch (bottom)
                             Untagged ports          Tagged ports          Untagged ports             Tagged ports
  Sales VLAN (VID 2)         1, 3 to 5 (PVID 2)      2, 10                 2, 4, 6, 8 (PVID 2)        9
  Engineering VLAN (VID 3)   9, 11 to 13 (PVID 3)    2, 10                 16, 18, 20, 22 (PVID 3)    9
  Production VLAN (VID 4)    17, 19 to 21 (PVID 4)   2                     none                       none

This example is nearly identical to the “Port-based Exa
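What the switch does with a frame under that table, as an added example that is not AT-S63 code: ingress classification (tag VID, else the port's PVID), ingress filtering, and the egress set with the tag stripped for untagged members and kept for tagged members. The port assignments are those of the top switch above; the PVID of the tagged-only ports 2 and 10 is assumed to be 1 (the Default_VLAN, which the table omits), ingress filtering is assumed to be enabled, and the frames are constructed.

```python
"""Ingress classification and egress tagging for the tagged-VLAN example.

Added example, not AT-S63 code. The port assignments are those of the top
(AT-9424T/SP) switch in the table above; the PVID of the tagged-only ports 2
and 10 is assumed to be 1, the Default_VLAN, which the table omits. Ingress
filtering (drop a tagged frame whose VID the receiving port is not a member
of) is assumed to be enabled. Frames are constructed.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100


@dataclass
class Port:
    pvid: int = 1
    untagged: set = field(default_factory=set)  # VIDs this port carries untagged
    tagged: set = field(default_factory=set)    # VIDs this port carries with a tag

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


def top_switch() -> dict:
    ports = {n: Port() for n in range(1, 25)}

    def untagged(vid, numbers):
        for n in numbers:
            ports[n].untagged.add(vid)
            ports[n].pvid = vid

    def tagged(vid, numbers):
        for n in numbers:
            ports[n].tagged.add(vid)

    untagged(2, [1, 3, 4, 5])          # Sales
    tagged(2, [2, 10])
    untagged(3, [9, 11, 12, 13])       # Engineering
    tagged(3, [2, 10])
    untagged(4, [17, 19, 20, 21])      # Production
    tagged(4, [2])
    return ports


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID 0x8100, then PCP/DEI/VID) after the source MAC."""
    tci = (pcp & 7) << 13 | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def classify(frame: bytes, ingress: int, ports: dict) -> int:
    """VID the frame is classified into: the tag's VID if present and non-zero,
    otherwise the receiving port's PVID (untagged and priority-tagged frames)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        if vid:
            return vid
    return ports[ingress].pvid


def forward(frame: bytes, ingress: int, ports: dict) -> dict:
    """Where the frame goes: dropped by ingress filtering, or flooded to the
    other members of its VLAN, untagged or tagged according to each port."""
    vid = classify(frame, ingress, ports)
    if not ports[ingress].member_of(vid):
        return {"vid": vid, "action": "drop", "untagged": set(), "tagged": set()}
    members = {n for n, p in ports.items() if n != ingress and p.member_of(vid)}
    return {
        "vid": vid,
        "action": "forward",
        "untagged": {n for n in members if vid in ports[n].untagged},  # tag removed on egress
        "tagged": {n for n in members if vid in ports[n].tagged},      # tag present on egress
    }


# Constructed frames: an IPv4 broadcast, untagged and tagged with VID 3.
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
TAGGED_VID3_FRAME = add_tag(UNTAGGED_FRAME, 3)
```

The drop cases are the ones worth noting: a frame tagged VID 3 arriving on port 1 (an untagged Sales port) is discarded rather than hopping VLANs, and a host on port 10 cannot reach the Production VLAN by tagging VID 4 because port 10 is not a member of it.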
Chapter 28: GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections:
  “Supported Platforms” on page 326
  “Overview” on page 327
  “Guidelines” on page 330
  “GVRP and Network Security” on page 331
  “GVRP-inactive Intermediate Switches” on page 332
  “Generic Attribute Registration Protocol (GARP) Overview” on page 333
Supported Platforms

Refer to Table 88 and Table 89 for the AT-9400 Switches and the management interfaces that support the GARP VLAN Registration Protocol.

Table 88. Support for the GARP VLAN Registration Protocol

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         -

Table 89.
Overview

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is helpful in networks where VLANs span more than one switch.
Figure 52 provides an example of how GVRP works.
as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made.
5. Switch #3 sends a PDU out port 4 to switch #2.
6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN. There is now a communications path for the end nodes of the Sales VLAN on switches #1 and #3.
Guidelines

Following are guidelines to observe when using this feature:
  GVRP is supported with STP and RSTP, or without spanning tree. GVRP is not supported with MSTP.
  GVRP is supported when the switch is operating in the tagged VLAN mode, which is the VLAN mode for creating your own tagged and port-based VLANs. GVRP is not supported when the switch is operating in either of the multiple VLAN modes.
GVRP and Network Security

GVRP should be used with caution because it can expose your network to unauthorized access. A network intruder can gain access to restricted parts of the network by connecting to a switch port running GVRP and transmitting a bogus GVRP PDU containing the VIDs of restricted VLANs. GVRP would make the switch port a member of those VLANs, and that could give the intruder access to restricted areas of your network. The protocol carries no authentication: any device that can send a frame to the GVRP group address is trusted, so enable GVRP only on ports that connect to switches you administer.
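The attack described above in concrete terms, as an added example that is not AT-S63 code: a GVRP PDU decoder, a builder for the bogus PDU an intruder would send, and an audit that flags join requests for VIDs a port has no business learning. The frames, MAC addresses, VIDs and the per-port allow-list are constructed; a switch running GVRP accepts every join, so the allow-list check is what an operator would run on captures from untrusted ports, not something the protocol does itself.

```python
"""Decode GVRP PDUs and flag joins for VLANs a port is not allowed to learn.

Added example, not AT-S63 code; the frames and the per-port allow-list are
constructed. Layout per IEEE 802.1D-1998 clause 12 (GARP) and 802.1Q clause
11 (GVRP): destination 01:80:C2:00:00:21, 802.3 length, LLC 42 42 03,
protocol ID 0x0001, then messages of an attribute type (1 = VID) followed by
attributes of (length, event, value), each list ended by a 0x00 length and
the PDU ended by a 0x00 attribute type.
"""
GVRP_GROUP_MAC = bytes.fromhex("0180c2000021")
LLC_GARP = b"\x42\x42\x03"
GARP_PROTOCOL_ID = b"\x00\x01"
ATTR_TYPE_VID = 1
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn", 3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
JOIN_EVENTS = {"JoinEmpty", "JoinIn"}


def parse_gvrp(frame: bytes):
    """Return a list of (event name, VID or None), or None if not a GVRP PDU."""
    if len(frame) < 19 or frame[:6] != GVRP_GROUP_MAC or frame[14:17] != LLC_GARP:
        return None
    length = int.from_bytes(frame[12:14], "big")
    pdu = frame[17:14 + length]
    if pdu[:2] != GARP_PROTOCOL_ID:
        return None
    events, i = [], 2
    while i < len(pdu):
        attr_type = pdu[i]
        i += 1
        if attr_type == 0:              # end mark of the PDU
            break
        while i < len(pdu):
            alen = pdu[i]
            if alen == 0:               # end of this attribute list
                i += 1
                break
            if alen < 2 or i + alen > len(pdu):
                return None             # malformed: refuse rather than guess
            event = pdu[i + 1]
            value = pdu[i + 2:i + alen]  # empty for LeaveAll
            vid = int.from_bytes(value, "big") if attr_type == ATTR_TYPE_VID and len(value) == 2 else None
            events.append((EVENTS.get(event, f"event{event}"), vid))
            i += alen
    return events


def build_gvrp(src_mac: bytes, joins) -> bytes:
    """Constructed GVRP PDU with one VID attribute per (event code, VID)."""
    attrs = b"".join(bytes([4, event]) + vid.to_bytes(2, "big") for event, vid in joins)
    pdu = GARP_PROTOCOL_ID + bytes([ATTR_TYPE_VID]) + attrs + b"\x00" + b"\x00"
    body = LLC_GARP + pdu
    frame = GVRP_GROUP_MAC + src_mac + len(body).to_bytes(2, "big") + body
    return frame + bytes(max(0, 60 - len(frame)))


def audit_joins(frame: bytes, port: int, allowed: dict) -> list:
    """For each join in the PDU: 'accept' if the VID is on the port's allow-list
    of VLANs it may learn dynamically, otherwise 'reject'. A switch running GVRP
    would register all of them; this is the operator's check for captures
    taken on ports toward devices they do not administer."""
    events = parse_gvrp(frame)
    if events is None:
        return []
    permitted = allowed.get(port, set())
    return [(vid, "accept" if vid in permitted else "reject")
            for name, vid in events if name in JOIN_EVENTS and vid is not None]


# Constructed: an intruder on port 3 asks to join VLAN 11 (legitimately shared
# across switches) and VLAN 99 (restricted); only VLAN 11 may be learned there.
INTRUDER_PDU = build_gvrp(bytes.fromhex("020000c0ffee"), [(2, 11), (2, 99)])
ALLOW_LIST = {3: {11}}
```

The PDU that achieves the intrusion is a handful of bytes with no credentials of any kind, which is the whole point of the section above: there is nothing in the protocol to check, only the choice of which ports run it.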
GVRP-inactive Intermediate Switches

If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs that it receives from the GVRP-active switches. GVRP PDUs are management frames, intended for a switch’s CPU.
Generic Attribute Registration Protocol (GARP) Overview

The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devices in a bridged LAN, for example end stations and switches, can register and deregister attribute values, such as VLAN Identifiers, with each other.
GARP architecture is shown in Figure 53.

Figure 53. (GARP architecture within a switch: one GARP participant per port, each consisting of a GARP application and a GID; GARP PDUs pass through the LLC and MAC layer of port 1 and port 2, and the participants are linked internally through GIP)
Figure 54. GID Architecture (one entry per attribute, Attribute A, Attribute B, Attribute C and so on, each holding an applicant state and a registrar state)

GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message.
To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges. To control the registrar state machine, a registrar administrative control parameter is provided.
Chapter 29: Multiple VLAN Modes

This chapter describes the multiple VLAN modes. This chapter contains the following sections:
  “Supported Platforms” on page 338
  “Overview” on page 339
  “802.1Q-Compliant Multiple VLAN Mode” on page 340
  “Non-802.
Supported Platforms

Refer to Table 90 and Table 91 for the AT-9400 Switches and the management interfaces that support the multiple VLAN modes.

Table 90. Support for the Multiple VLAN Modes

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         -

Table 91.
Overview

The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are only allowed to forward traffic to a user-designated uplink port. These configurations isolate the traffic on each port from all other ports, while providing access to the uplink port.
802.1Q-Compliant Multiple VLAN Mode

In this mode, each port is placed into a separate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numbers. For example, the VLAN for port 4 is named Client_VLAN_4 and is given the VID of 4, the VLAN for port 5 is named Client_VLAN_5 and has a VID of 5, and so on. The VLAN configuration is accomplished automatically by the switch. After you select the mode and an uplink port, the switch forms the VLANs.
Table 92. 802.
Non-802.1Q Compliant Multiple VLAN Mode

Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. To establish traffic isolation, it uses port mapping. The result, however, is the same. Ports are permitted to forward traffic only to the designated uplink port and to no other port, even when they receive a broadcast packet.
Chapter 30: Protected Ports VLANs

This chapter explains protected ports VLANs.
Supported Platforms

Refer to Table 93 and Table 94 for the AT-9400 Switches and the management interfaces that support the protected ports VLANs.

Table 93. Support for Protected Ports VLANs

  Switch                  Supported
  Layer 2+ Models
    AT-9408LC/SP          Yes
    AT-9424T/GB           Yes
    AT-9424T/SP           Yes
  Basic Layer 3 Models
    AT-9424T              Yes
    AT-9424T/POE          Yes
    AT-9424Ts             Yes
    AT-9424Ts/XP          Yes
    AT-9448T/SP           Yes
    AT-9448Ts/XP          Yes
  AT-9400Ts Stack         -

Table 94.
AT-S63 Management Software Features Guide Overview The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter, but it offers several advantages. One is that it provides more flexibility. With the multiple VLAN modes, you can select only one uplink port which is shared by all the other ports.
Chapter 30: Protected Ports VLANs To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is that you must assign the ports of the VLAN to their respective groups. Following is an example of a protected ports VLAN.
AT-S63 Management Software Features Guide Guidelines Following are the guidelines for implementing protected ports VLANS: Section VI: Virtual LANs A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a portbased or tagged VLAN instead. A protected ports VLAN can contain any number of groups. A group can contain any number of ports. The ports of a group can be tagged or untagged.
Chapter 31
MAC Address-based VLANs
This chapter contains overview information about MAC address-based VLANs.
Supported Platforms
Refer to Table 95 and Table 96 for the AT-9400 Switches and the management interfaces that support MAC address-based VLANs.
Table 95. Support for MAC Address-based VLANs
Switch                  Supported
Layer 2+ Models
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Basic Layer 3 Models
AT-9424T                Yes
AT-9424T/POE            Yes
AT-9424Ts               Yes
AT-9424Ts/XP            Yes
AT-9448T/SP             Yes
AT-9448Ts/XP            Yes
AT-9400Ts Stack
Table 96.
Overview
As explained in “Overview” on page 313, VLANs are a means for creating independent LAN segments within a network and are typically employed to improve network performance and security. The AT-S63 Management Software offers several different types of VLANs, including port-based, tagged, and protected ports.
Egress Ports
Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports on the switch for the packets from the nodes. The egress ports define the limits of flooding of packets when a port receives a unicast packet with an unknown destination address (that is, an address that has not been learned by the MAC address table).
The community characteristic of egress ports relieves you from having to map each address to its corresponding egress port. You only need to be sure that all the egress ports in a MAC address-based VLAN are assigned to at least one address. It is also important to note that a MAC address must be assigned at least one egress port to be considered a member of a MAC address-based VLAN.
If security is a major concern for your network, you might not want to assign a port as an egress port to more than one VLAN when planning your MAC address-based VLANs.
VLANs That Span Switches
To create a MAC address-based VLAN that spans switches, you must replicate the MAC addresses of the VLAN nodes on all the switches where the VLAN exists. The same MAC address-based VLAN on different switches must have the same list of MAC addresses. Figure 55 illustrates an example of a MAC address-based VLAN that spans two AT-9400 Switches. The VLAN consists of three nodes on each switch.
Table 99.
VLAN Hierarchy
The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egress port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN. (A port can be a member of both types of VLANs at the same time.) The rule is that a MAC address-based VLAN takes precedence over that of a port-based VLAN.
Steps to Creating a MAC Address-based VLAN
Here are the three main steps to creating a MAC address-based VLAN:
1. Assign the VLAN a name and a VID. You must also set the VLAN type to MAC Based.
2. Assign the MAC addresses to the VLAN.
3. Add the egress ports to the MAC addresses.
The steps must be performed in this order.
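The egress-port community rule, the membership rule, the VLAN hierarchy for untagged packets and the shared-egress-port caution from the sections above, as an added Python model that is not code from the guide or from the AT-S63 software. The MAC addresses, VLAN names, VIDs and port numbers are constructed; the fallback to the port-based VLAN when no MAC address-based VLAN claims a frame is an assumption, since the guide only states the precedence rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class MacVlan:
    """A MAC address-based VLAN: a name, a VID and, per member MAC address,
    the egress ports assigned to that address (the guide's steps 1 to 3)."""
    name: str
    vid: int
    members: Dict[str, Set[int]] = field(default_factory=dict)

    def add_address(self, mac: str, egress_ports: Set[int]) -> None:
        # Step 2 assigns the address, step 3 adds its egress ports.
        self.members.setdefault(mac.lower(), set()).update(egress_ports)

    def is_member(self, mac: str) -> bool:
        # An address with no egress port is not a member of the VLAN.
        return bool(self.members.get(mac.lower()))

    def egress_ports(self) -> Set[int]:
        # Egress ports are a community: every port serves every member address.
        ports: Set[int] = set()
        for assigned in self.members.values():
            ports |= assigned
        return ports

    def flood_targets(self, ingress_port: int) -> Set[int]:
        # An unknown-destination unicast from a member is flooded only to the
        # VLAN's egress ports, never back out of the port it arrived on.
        return self.egress_ports() - {ingress_port}


def classify_untagged(ingress_port: int, src_mac: str, mac_vlans: List[MacVlan],
                      port_vlan_of: Dict[int, int]) -> Optional[int]:
    """VID assigned to an untagged frame under the VLAN hierarchy.

    Assumption (the guide states only the precedence rule): when no MAC
    address-based VLAN claims the frame, it falls back to the port-based
    VLAN of the ingress port."""
    for vlan in mac_vlans:
        if ingress_port in vlan.egress_ports() and vlan.is_member(src_mac):
            return vlan.vid          # MAC address-based VLAN takes precedence
    return port_vlan_of.get(ingress_port)


def shared_egress_ports(mac_vlans: List[MacVlan]) -> Dict[int, Set[int]]:
    """Egress ports assigned to more than one MAC address-based VLAN, the
    layout the guide advises against when security is a major concern."""
    seen: Dict[int, Set[int]] = {}
    for vlan in mac_vlans:
        for port in vlan.egress_ports():
            seen.setdefault(port, set()).add(vlan.vid)
    return {port: vids for port, vids in seen.items() if len(vids) > 1}


# Constructed sample configuration (not from the guide): two MAC address-based
# VLANs that both use port 5 as an egress port, plus every port untagged in
# the port-based VLAN with VID 1.
SALES = MacVlan("Sales", 10)
SALES.add_address("00:A0:D2:18:1A:11", {1, 2})
SALES.add_address("00:A0:D2:18:1A:12", {5})
SALES.add_address("00:A0:D2:18:1A:13", set())     # no egress port: not a member
ENGINEERING = MacVlan("Engineering", 20)
ENGINEERING.add_address("00:A0:D2:18:1A:21", {3, 5})
MAC_VLANS = [SALES, ENGINEERING]
PORT_VLAN_OF = {port: 1 for port in range(1, 9)}

if __name__ == "__main__":
    print("Sales egress ports:", sorted(SALES.egress_ports()))
    print("Frame on port 5 from 00:A0:D2:18:1A:21 -> VID",
          classify_untagged(5, "00:A0:D2:18:1A:21", MAC_VLANS, PORT_VLAN_OF))
    print("Ports shared between MAC VLANs:", shared_egress_ports(MAC_VLANS))
```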
Guidelines
Follow these guidelines when implementing a MAC address-based VLAN:
MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP Switches.
The switch can support up to a total of 4094 port-based, tagged, protected ports, and MAC address-based VLANs.
The source nodes of this type of VLAN must send only untagged packets. A MAC address-based VLAN does not support tagged packets.
Egress ports cannot be part of a static or LACP trunk.
Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs.
Ports 49 and 50 on the AT-9448Ts/XP switch cannot be designated as egress ports of a MAC address-based VLAN.
Section VII
Internet Protocol Routing
This section has the following chapters:
Chapter 32, “Internet Protocol Version 4 Packet Routing” on page 363
Chapter 33, “BOOTP Relay Agent” on page 397
Chapter 34, “Virtual Router Redundancy Protocol” on page 403
Chapter 32
Internet Protocol Version 4 Packet Routing
This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic Layer 3 Switches. The chapter covers routing interfaces, static routes, and the Routing Information Protocol (RIP) versions 1 and 2.
Supported Platforms
Refer to Table 100 and Table 101 for the AT-9400 Switches and the management interfaces that support the IPv4 packet routing feature.
Table 100.
Features” on page 384 and “AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches” on page 388.
AT-9400Ts Stacks support static routes but not RIP. You can use the menus on a stand-alone switch to configure the routing interfaces, but not static routes or RIP. To configure all of the feature’s components, you must use the command line.
Overview
This section contains an overview of the IPv4 routing feature on the AT-9400 Switch. It begins with an explanation of the following available routing methods:
Routing interfaces
Static routes
RIP version 1 and 2
A routing interface is a logical connection to a local network or subnet for the purpose of routing IPv4 packets.
At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example” on page 390 and “Non-routing Command Example” on page 394. In the following discussions, unless stated otherwise, the term “remote destination” refers to a network or subnet that is not directly connected to the switch.
Routing Interfaces
The IPv4 packet routing feature on the switch is built on the foundation of the routing interface. An interface functions as a logical connection to a subnet that allows the egress and ingress of IPv4 packets to the subnet from other local and remote networks, subnets, and nodes. Interfaces are an independent routing function. They are not dependent on static routes or RIP to pass IPv4 traffic among themselves on a switch.
Note
Routing interfaces can be configured from either the command line interface or the menus interface.
The following subsections describe the three main components of a routing interface:
VLAN ID (VID)
Interface number
IP address and subnet mask
VLAN ID (VID)
An interface must be assigned to the VLAN on the switch where its network or subnet resides. The VLAN is identified by its VLAN identification (VID) number or VLAN name.
the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resides in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server. However, if the four subnets share the same VLAN, only one interface can obtain its IP address from a DHCP or BOOTP server. The other three must be configured manually.
Interface Names
Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an interface number, separated by a dash. The VLAN is designated by “vlan” followed by the VLAN identification number (VID) or the VLAN name. Here are several examples.
Static Routes
In order for the switch to route an IPv4 packet to a remote network or subnet, there must be a route to the destination in the routing table of the switch. The route must consist of the IP address of the remote destination and the IP address of the next hop for reaching the destination. One type of route to a remote destination is referred to as a static route. You create static routes by manually entering them into the routing table.
The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE.
Routing Information Protocol (RIP)
A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its neighboring routers in the network with the Routing Information Protocol (RIP) versions 1 and 2. RIP is a fairly simple distance vector routing protocol that defines networks based on how many hops they are from the switch, just as with static routes.
Note
A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does not support encrypted RIP passwords.
The switch transmits its routing table every thirty seconds from those interfaces that have RIP. This interval is not adjustable on the switch. The entire table is sent with the following exceptions:
Dynamic RIP routes that fall under the split horizon rule.
Inactive interface routes where there are no active ports in the VLAN.
Default Routes
A default route is a “match all” destination entry in the routing table. The switch uses it to route packets whose remote destinations are not in the routing table. Rather than discard the packets, the switch sends them to the next hop specified in the default route. A default route has a destination IP address of 0.0.0.0 and no subnet mask.
Equal-cost Multi-path (ECMP) Routing
When there are multiple routes in the routing table to the same remote destination, ECMP enables the switch to use the different routes to forward traffic. This can improve network performance by increasing the available bandwidth for the traffic flows, and also provide for route redundancy. The routing table permits up to 32 routes to the same remote destination, with up to eight of the routes active at one time.
ECMP also applies to default routes. This enables the switch to store up to 32 default routes with up to eight of the routes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s ability to store multiple routes to the same destination in its routing table.
Routing Table
The switch maintains its routing information in a table of routes that tells the switch how to find a local or remote destination. Each route is uniquely identified in the table by its IP address, network mask, next hop, protocol, and routing interface. When the switch receives an IPv4 packet, it scans the routing table to find the most specific route to the destination on an “up” interface where there is at least one active port in the VLAN.
Route Selection Process
Here is the route selection process the switch goes through when routing packets to a destination:
If there is only one route to a destination, forward the packets using the route.
If there is more than one route to a destination, select the route with the lowest preference value.
If there is more than one route with the lowest preference value, select the route with the lowest metric value.
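The routing table and route selection process described above, as an added Python model that is not code from the guide or the AT-S63 software. It combines the "up interface" and most-specific-route checks of the Routing Table section, the three selection steps, the 32-routes-per-destination limit and the eight-active-routes ECMP limit; the route prefixes, next hops, preference and metric values are constructed, and the rule that a single equal-cost route is used when ECMP is disabled is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MAX_ROUTES_PER_DESTINATION = 32   # routes the table stores to one destination
MAX_ACTIVE_ECMP_ROUTES = 8        # of those, active at one time under ECMP


@dataclass(frozen=True)
class Route:
    destination: str   # "149.35.0.0/16"; the default route is "0.0.0.0/0"
    next_hop: str
    protocol: str      # "static" or "rip"
    interface: str     # routing interface name, e.g. "vlan2-0"
    preference: int    # lower is preferred
    metric: int        # lower is preferred among equal preferences

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination, strict=False)


class RoutingTable:
    def __init__(self) -> None:
        self._routes: Dict[Tuple[str, str, str, str], Route] = {}

    def add(self, route: Route) -> None:
        # A route is unique by destination (address and mask), next hop,
        # protocol and interface; the table holds at most 32 per destination.
        key = (route.destination, route.next_hop, route.protocol, route.interface)
        same_dest = [r for r in self._routes.values()
                     if r.destination == route.destination]
        if key not in self._routes and len(same_dest) >= MAX_ROUTES_PER_DESTINATION:
            raise ValueError(f"already {MAX_ROUTES_PER_DESTINATION} routes to "
                             f"{route.destination}")
        self._routes[key] = route

    def select(self, dst_ip: str, up_interfaces: Set[str],
               ecmp_enabled: bool) -> List[Route]:
        """Routes the switch would forward a packet for dst_ip over."""
        dst = ipaddress.ip_address(dst_ip)
        # Only routes on an "up" interface (a VLAN with an active port) count.
        usable = [r for r in self._routes.values()
                  if r.interface in up_interfaces and dst in r.network]
        if not usable:
            return []
        # Most specific route first: the longest prefix containing dst_ip.
        longest = max(r.network.prefixlen for r in usable)
        cands = [r for r in usable if r.network.prefixlen == longest]
        if len(cands) == 1:
            return cands                           # only one route: use it
        best_pref = min(r.preference for r in cands)
        cands = [r for r in cands if r.preference == best_pref]
        best_metric = min(r.metric for r in cands)
        cands = [r for r in cands if r.metric == best_metric]
        cands.sort(key=lambda r: r.next_hop)       # deterministic order
        if not ecmp_enabled:
            # Assumption: with ECMP disabled a single equal-cost route is used.
            return cands[:1]
        return cands[:MAX_ACTIVE_ECMP_ROUTES]


def sample_table() -> RoutingTable:
    """Constructed routes (not the guide's example): a static and a RIP route
    to 149.35.0.0/16, a more specific RIP route to 149.35.10.0/24, two
    equal-cost static routes to 10.0.0.0/8 and a default route."""
    table = RoutingTable()
    table.add(Route("149.35.0.0/16", "149.44.55.6", "static", "vlan2-0", 10, 1))
    table.add(Route("149.35.0.0/16", "149.44.66.7", "rip", "vlan3-0", 100, 3))
    table.add(Route("149.35.10.0/24", "149.44.66.7", "rip", "vlan3-0", 100, 2))
    table.add(Route("10.0.0.0/8", "149.44.55.6", "static", "vlan2-0", 10, 1))
    table.add(Route("10.0.0.0/8", "149.44.55.9", "static", "vlan2-0", 10, 1))
    table.add(Route("0.0.0.0/0", "149.44.55.6", "static", "vlan2-0", 10, 1))
    return table


if __name__ == "__main__":
    table = sample_table()
    for dst in ("149.35.10.1", "149.35.20.1", "10.1.2.3", "192.0.2.1"):
        chosen = table.select(dst, {"vlan2-0", "vlan3-0"}, ecmp_enabled=True)
        print(dst, "->", [(r.destination, r.next_hop) for r in chosen])
```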
Address Resolution Protocol (ARP) Table
The switch maintains an ARP table of IP addresses and the matching Ethernet MAC addresses. It refers to the table when routing packets to determine the destination MAC addresses of the nodes, as well as the interfaces and ports from where the nodes are reached. The ARP table can store both static and dynamic entries. Static entries are entries you add yourself.
Internet Control Message Protocol (ICMP)
ICMP allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another. The switch implements the ICMP functions listed in Table 102.
Table 102. ICMP Messages Implemented on the AT-9400 Switch
ICMP Packet (Type)             Switch Response
Time to Live Exceeded (11)     If the TTL field in a packet falls to zero, the switch sends a “Time to live exceeded” packet. This could occur if a route was excessively long or if too many hops were in the path.
Routing Interfaces and Management Features
Routing interfaces are primarily intended for the IPv4 packet routing feature. There are, however, a number of management functions that rely on the presence of at least one routing interface on the switch to operate properly. The switch uses the IP address of an interface as its source address when performing the management function.
As an example, assume you decided not to implement the IPv4 routing feature on a switch that had four local subnets, but you wanted the switch to send its events to a syslog server and have access to a RADIUS authentication server. Assume also that you wanted to use a TFTP server to upload and download files to the device.
Pinging a Remote Device
This function is used to validate the existence of an active path between the switch and another network node. The switch can ping a device if it has a routing interface on the local subnet from where the device is reached. In previous versions of the AT-S63 Management Software the device to be pinged had to be reached through the management VLAN of the switch.
Accessing DHCP or BOOTP Servers
Local Interface
The local interface is used with the enhanced stacking feature. It is also used with remote management of a switch with a Telnet or SSH client, or a web browser. The local interface does the following:
With an enhanced stack, it designates on the master switch the common VLAN and subnet that interconnects the switches of the stack.
AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not support the IPv4 packet routing feature. They do, however, support a limited version of some of the features.
Local Interface
You can create one routing interface to provide support for those management features that require the switch to have an IP address.
Note
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with another network node.
Default Gateway
The default gateway specifies the IP address of an interface on a neighboring router.
Routing Command Example
This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands for implementing the feature. To make the example easier to explain, some of the command options are not mentioned and the default values are used instead.
Note
This example does not apply to the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches, which do not support the packet routing feature.
Creating the VLANs
The first step is to create the VLANs for the local subnets on the switch. The VLANs must be created before the routing interfaces.
command.
Adding a Static Route and Default Route
Building on our example, assume you decided to manually enter a route to a remote subnet as a static route. The command for creating a static route is ADD IP ROUTE. Here is the basic information for defining a static route:
The IP address of the remote destination.
The subnet mask of the remote destination.
The IP address of the next hop.
Adding RIP
Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its routing neighbors using RIP. To implement RIP, you add it to the routing interfaces where routing neighbors are located. The command for adding RIP to an interface is ADD IP RIP.
Non-routing Command Example
This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in cases where you want to implement the management functions described in “Routing Interfaces and Management Features” on page 384 but without IPv4 packet routing. This section is also appropriate for the AT-9400 Layer 2+ Switches, which do not support packet routing.
The following command creates a default route for the example and specifies the next hop as 149.44.55.6:
add ip route=0.0.0.0 nexthop=149.44.55.
Upgrading from AT-S63 Version 1.3.0 or Earlier
When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the management software, the switch automatically creates a routing interface that preserves the previous IP configuration of the unit. If the switch had a static address, the interface is assigned the same address.
Chapter 33
BOOTP Relay Agent
This chapter has the following sections:
“Supported Platforms” on page 398
“Overview” on page 399
“Guidelines” on page 401
Supported Platforms
Refer to Table 104 and Table 105 for the AT-9400 Switches and the management interfaces that support the BOOTP relay agent.
Table 104. Support for the BOOTP Relay Agent
Switch                  Supported
Layer 2+ Models
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Basic Layer 3 Models
AT-9424T                Yes
AT-9424T/POE            Yes
AT-9424Ts               Yes
AT-9424Ts/XP            Yes
AT-9448T/SP             Yes
AT-9448Ts/XP            Yes
AT-9400Ts Stack         Yes
Table 105.
Overview
The AT-S63 Management Software comes with a BOOTP relay agent for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP request to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet because it does not know the IP address of the server. This can present a problem when a client and server reside on different subnets, because broadcast packets do not cross subnet boundaries.
A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to determine whether the client, in its original request to the server, set this flag to signal that the response must be sent as a broadcast datagram. Some older nodes have this dependency. If the flag is not set, the routing interface forwards the packet to the originating client as a unicast packet.
Guidelines
These guidelines apply to the BOOTP relay agent:
A routing interface functions as the BOOTP relay agent for the local clients in its subnet.
You can specify up to eight DHCP or BOOTP servers.
The TTL for BOOTP request relay packets is preset on the AT-9400 Switch to 4. It cannot be changed.
Routing interfaces discard BOOTP requests when the TTL is decremented to zero (i.e., after 4 hops).
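The relay behaviour of the Overview and Guidelines above (eight-server limit, relay TTL of 4, discard at zero, broadcast-flag handling of replies), as an added Python model that is not code from the guide or the AT-S63 software. The addresses are constructed; how the TTL is stamped on first relay and decremented on each further relay hop is a modelling assumption, stated in the class docstring.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

MAX_SERVERS = 8    # up to eight DHCP or BOOTP servers may be specified
RELAY_TTL = 4      # TTL preset for relayed BOOTP requests; not adjustable


@dataclass(frozen=True)
class BootpMessage:
    op: str            # "request" (client to server) or "reply"
    client_mac: str
    client_ip: str     # address offered in a reply; "0.0.0.0" in a request
    broadcast: bool    # the broadcast flag the client set in its request
    giaddr: str = "0.0.0.0"   # relay agent address; 0.0.0.0 = not yet relayed
    ttl: int = 0       # relay TTL; only meaningful once giaddr is set


class RelayInterface:
    """A routing interface acting as BOOTP relay agent for its subnet.
    Modelling assumptions, not statements of the guide: the first relay
    stamps the request with RELAY_TTL and its own address; every further
    relay hop decrements the TTL and keeps the original giaddr."""

    def __init__(self, ip: str, servers: List[str]) -> None:
        if len(servers) > MAX_SERVERS:
            raise ValueError(f"at most {MAX_SERVERS} servers can be specified")
        self.ip = ip
        self.servers = list(servers)

    def relay_request(self, msg: BootpMessage) -> List[Tuple[str, BootpMessage]]:
        """(server, packet) pairs sent on; an empty list means the request
        was discarded."""
        if msg.op != "request":
            return []
        if msg.giaddr == "0.0.0.0":
            out = replace(msg, giaddr=self.ip, ttl=RELAY_TTL)
        else:
            out = replace(msg, ttl=msg.ttl - 1)
            if out.ttl <= 0:
                return []     # TTL decremented to zero: discard
        return [(server, out) for server in self.servers]

    def relay_reply(self, msg: BootpMessage) -> Tuple[str, str]:
        """How the reply reaches the client: broadcast only when the client
        asked for it in its request, otherwise unicast to its new address."""
        if msg.op != "reply":
            raise ValueError("not a BOOTP reply")
        if msg.broadcast:
            return ("broadcast", "255.255.255.255")
        return ("unicast", msg.client_ip)


def hops_forwarded(chain: List[RelayInterface], msg: BootpMessage) -> int:
    """Number of relay agents in the chain that forward the request before
    one discards it (each agent's only 'server' is the next agent)."""
    forwarded = 0
    for agent in chain:
        sent = agent.relay_request(msg)
        if not sent:
            break
        forwarded += 1
        msg = sent[0][1]
    return forwarded


# Constructed sample (not from the guide): a client broadcast and a chain of
# eight relaying routing interfaces, each pointing at the next one.
CLIENT_REQUEST = BootpMessage("request", "00:A0:D2:18:1A:31", "0.0.0.0", broadcast=True)
RELAY_CHAIN = [RelayInterface(f"10.0.{n}.1", [f"10.0.{n + 1}.1"]) for n in range(8)]

if __name__ == "__main__":
    print("relays that forwarded before discard:",
          hops_forwarded(RELAY_CHAIN, CLIENT_REQUEST))
```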
Chapter 34
Virtual Router Redundancy Protocol
The chapter has the following sections:
“Supported Platforms” on page 404
“Overview” on page 405
“Master Switch” on page 406
“Backup Switches” on page 407
“Interface Monitoring” on page 408
“Port Monitoring” on page 409
“VRRP on the Switch” on page 410
Supported Platforms
Refer to Table 106 and Table 107 for the AT-9400 Switches and the management interfaces that support the Virtual Router Redundancy Protocol.
Table 106. Support for the Virtual Router Redundancy Protocol
Switch                  Supported
Layer 2+ Models
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Basic Layer 3 Models
AT-9424T                Yes
AT-9424T/POE            Yes
AT-9424Ts               Yes
AT-9424Ts/XP            Yes
AT-9448T/SP             Yes
AT-9448Ts/XP            Yes
AT-9400Ts Stack
Table 107.
Overview
This chapter describes the Virtual Router Redundancy Protocol (VRRP) of the AT-9400 Basic Layer 3 Switches. One of the functions that switches provide to the hosts of a LAN is to act as gateways. The local hosts use the gateways to communicate with the hosts on the WAN. The local hosts are assigned static routes that define which gateway switch to use as the next hop to reach the WAN.
Master Switch
The virtual router has a virtual MAC address known by all the switches that participate in the virtual router. The virtual MAC address is derived from the virtual router identifier, which is a user-defined value from 1 to 255. All the hosts on the LAN are configured with an IP address to use as the first hop. This IP address is typically owned by the preferred switch in the group of switches that constitute the virtual router.
Backup Switches
All the other switches participating in the virtual router are designated as backup switches. A switch can be part of several different virtual routers on one LAN, provided that all the virtual routers have different virtual router identifiers.
Interface Monitoring
The virtual router can monitor certain interfaces to change the priority of switches if the master switch loses its connection to the outside world. This is known as interface monitoring. Interface monitoring reduces the priority of the switch when an important interface connection is lost. The reduction in priority causes a backup switch with a higher priority to take over as the master switch and restore connectivity.
Port Monitoring
Port monitoring is the process of detecting the failure of ports that are part of a VLAN that a virtual router is running over. If a port fails or is disabled, the VRRP priority is reduced by the stepvalue or by an amount that reflects the proportion of the VLAN’s ports that are out of service. If the switch is the master and a backup switch has a higher priority, the backup switch preempts the master and becomes the new master.
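Interface monitoring, port monitoring and preemption as described in the three sections above, as an added Python model that is not code from the guide or the AT-S63 software. Switch names, priorities, interface names and port lists are constructed; applying the stepvalue once per failed port, computing the proportional reduction as priority times the failed fraction, a floor of 1, and keeping the current master on a tie are assumptions the guide does not settle.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VrrpSwitch:
    """One switch's view of a virtual router that runs over a VLAN."""
    name: str
    priority: int                         # configured VRRP priority
    vlan_ports: List[int]                 # ports of the VLAN the router runs over
    monitored_interfaces: Dict[str, int] = field(default_factory=dict)  # iface -> stepvalue
    port_stepvalue: Optional[int] = None  # None: proportional reduction instead
    down_interfaces: Set[str] = field(default_factory=set)
    failed_ports: Set[int] = field(default_factory=set)

    def effective_priority(self) -> int:
        prio = self.priority
        # Interface monitoring: each lost monitored interface lowers the
        # priority by its stepvalue.
        for iface, step in self.monitored_interfaces.items():
            if iface in self.down_interfaces:
                prio -= step
        # Port monitoring: failed or disabled VLAN ports lower the priority
        # either by the stepvalue (assumed: once per failed port) or by an
        # amount proportional to the share of the VLAN's ports out of service
        # (assumed formula: priority * failed / total, rounded down).
        failed = len(self.failed_ports & set(self.vlan_ports))
        if failed:
            if self.port_stepvalue is not None:
                prio -= self.port_stepvalue * failed
            else:
                prio -= self.priority * failed // len(self.vlan_ports)
        return max(prio, 1)   # assumed floor; the guide gives no minimum


def elect_master(switches: List[VrrpSwitch], current_master: Optional[str]) -> str:
    """Name of the switch that should be master after monitoring has been
    applied. A backup preempts the master only when its effective priority
    is strictly higher; a tie keeps the current master (assumption)."""
    by_name = {s.name: s for s in switches}
    best = max(switches, key=lambda s: s.effective_priority())
    if current_master in by_name:
        if by_name[current_master].effective_priority() >= best.effective_priority():
            return current_master
    return best.name


def failover_scenario() -> List[str]:
    """Constructed walk-through: switch A (priority 120) loses its monitored
    uplink interface and is preempted by B (priority 100); when the
    interface returns, A preempts B again. Returns the master after each step."""
    a = VrrpSwitch("A", 120, [1, 2, 3, 4], {"vlan10-0": 30})
    b = VrrpSwitch("B", 100, [1, 2, 3, 4], {"vlan10-0": 30})
    masters = [elect_master([a, b], None)]
    a.down_interfaces.add("vlan10-0")          # A drops to 90
    masters.append(elect_master([a, b], masters[-1]))
    a.down_interfaces.clear()                  # A back to 120
    masters.append(elect_master([a, b], masters[-1]))
    return masters


if __name__ == "__main__":
    print("master after each step:", failover_scenario())
```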
VRRP on the Switch
VRRP is disabled by default. When a virtual router is created on the switch, it is enabled by default, but the VRRP module must be enabled before it is operational. The VRRP module or a specific virtual router can be enabled or disabled afterwards by using the ENABLE VRRP and DISABLE VRRP commands. A virtual router must be created on at least two switches before it operates correctly.
prevents a switch from inadvertently backing up another switch. The authentication type and, in the case of plaintext authentication, the password, must be the same for all switches in the virtual router. By default, the virtual router has no authentication. Authentication is set with the AUTHENTICATION and PASSWORD parameters in the CREATE VRRP and SET VRRP commands.
Section VIII
Port Security
The chapters in this section contain overview information on the port security features of the AT-9400 Switch. The chapters include:
Chapter 35, “MAC Address-based Port Security” on page 415
Chapter 36, “802.
Chapter 35
MAC Address-based Port Security
The sections in this chapter include:
“Supported Platforms” on page 416
“Overview” on page 417
“Invalid Frames and Intrusion Actions” on page 419
“Guidelines” on page 420
Supported Platforms
Refer to Table 108 and Table 109 for the AT-9400 Switches and the management interfaces that support MAC address-based port security.
Table 108. Support for MAC Address-based Port Security
Switch                  Supported
Layer 2+ Models
AT-9408LC/SP            Yes
AT-9424T/GB             Yes
AT-9424T/SP             Yes
Basic Layer 3 Models
AT-9424T                Yes
AT-9424T/POE            Yes
AT-9424Ts               Yes
AT-9424Ts/XP            Yes
AT-9448T/SP             Yes
AT-9448Ts/XP            Yes
AT-9400Ts Stack         Yes
Table 109.
Overview
You can use this feature to enhance the security of your network by controlling which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network. It uses a frame’s source MAC address to determine whether the switch should forward a frame or discard it. The source address is the MAC address of the end node that sent the frame.
Secured
This security level uses only static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through a port. Dynamic MAC addresses already learned on a port are discarded from the MAC table and no new dynamic addresses are added. Any ingress frames having a source MAC address not entered as a static address on a port are discarded.
Invalid Frames and Intrusion Actions
When a port receives an invalid frame, it has to select an intrusion action, which defines the port’s response to the packet. But before defining the intrusion actions, it helps to understand what constitutes an invalid frame.
Guidelines
The following guidelines apply to MAC address-based port security:
The filtering of a packet occurs on the ingress port, not on the egress port.
You cannot use MAC address port security and 802.1x port-based access control on the same port.
To configure a port as an Authenticator or Supplicant in 802.1x port-based access control, you must set its MAC address security level to Automatic, which is the default setting.
Chapter 36 802.
Supported Platforms
Refer to Table 110 and Table 111 for the AT-9400 Switches and the management interfaces that support 802.1x port-based network access control.
Table 110. Support for 802.
Overview
The AT-S63 Management Software has several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 35, “MAC Address-based Port Security” on page 415, explains how you can restrict network access using the MAC addresses of the end nodes of your network. This chapter explains yet another way. This method, referred to as 802.
Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the supplicants. The AT-9400 Switch does not authenticate any of the supplicants connected to its ports. Its function is to act as an intermediary between a supplicant and the authentication server during the authentication process.
Authentication Process
Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard.
Either the authenticator (that is, a switch port) or the supplicant initiates an authentication message exchange.
Port Roles
Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:
None
Authenticator
Supplicant
None Role
A switch port in the None role does not participate in port-based access control. Any device can connect to the port and send traffic through it and receive traffic from it without being validated.
Assigning unique username and password combinations to your network users and requiring the users to provide the information when they initially send traffic through the switch can enhance network security by limiting network access to only those supplicants who have been assigned valid combinations. Another advantage is that the authentication is not tied to any specific computer or node.
Note
A supplicant connected to an authenticator port set to force-authorized must have 802.1x client software if the port’s authenticator mode is 802.1x. Though the force-authorized setting prevents an authentication exchange, the supplicant must still have the client software to forward traffic through the port.
Force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate.
Authenticator Ports with Single and Multiple Supplicants
An authenticator port has two operating modes. The modes relate to the number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all the clients must log on to use the switch port. The operating modes are:
Single
Multiple
Single Operating Mode
The Single operating mode is used in two situations.
[Figure: AT-9400 Switch (AT-9424T/SP front panel); caption fragment: “RADIUS Authenticatio”]
Chapter 36: 802.1x Port-based Network Access Control If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are performed automatically. This scenario is illustrated in Figure 59.
AT-S63 Management Software Features Guide [Figure residue: AT-9424T/SP front-panel illustration of AT-9400 Switch (A). Port 6: Role: None or Role: Authenticator, Operating Mode: Single, Piggy-back Mode: Enabled]
Chapter 36: 802.1x Port-based Network Access Control An example of this authenticator operating mode is illustrated in Figure 61. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x authentication method, the clients must provide their username and password combinations before they can forward traffic through the AT-9400 Switch.
AT-S63 Management Software Features Guide none, port 6 on switch A will discard the packets because switch B would not be logged on to the port. Also notice that the ports where the clients are connected on switch B are set to the none role. This is because a client can log on only once. If, in this example, you were to make a client’s port an authenticator, the client would have to log on twice when trying to access switch A, once on its port on switch B as well as the authenticator port on switch A.
Chapter 36: 802.1x Port-based Network Access Control Supplicant and VLAN Associations One of the challenges to managing a network is accommodating end users that roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises in providing them with access to the same network resources and, conversely, restricting them from unauthorized areas, regardless of the workstation from where they access the network.
AT-S63 Management Software Features Guide Single Operating Mode: Here are the operating characteristics for the switch when an authenticator port is set to the Single operating mode: If the switch receives a valid VLAN ID or VLAN name from the RADIUS server, it moves the authenticator port to the designated VLAN and changes the port to the authorized state. If the piggy-back mode is disabled, only the authenticated supplicant is allowed to use the port. Multiple Operating Mode:
Chapter 36: 802.1x Port-based Network Access Control Guest VLAN An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logged on. Any client using the port is not required to log on and has full access to the resources of the Guest VLAN. If the switch receives 802.
AT-S63 Management Software Features Guide RADIUS Accounting The AT-S63 Management Software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information about the status of the supplicants to the RADIUS server so that you can monitor network activity and use.
Chapter 36: 802.1x Port-based Network Access Control General Steps Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch: 1. You must install a RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. Funk Software SteelBelted Radius and Free Radius have been verified as fully compatible with the AT-S63 Management Software.
AT-S63 Management Software Features Guide Guidelines The following are general guidelines to using this feature: Ports operating under port-based access control do not support dynamic MAC address learning. The appropriate port role for a port on the AT-9400 Switch connected to a RADIUS authentication server is None. The authentication method of an authenticator port can be either 802.1x username and password combination or MAC address-based, but not both. A supplicant must have 802.
Chapter 36: 802.1x Port-based Network Access Control An authenticator port cannot be part of a static port trunk, LACP port trunk, or port mirror. If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, after a timeout period, will assume that it can send traffic without having to log on. GVRP must be disabled on an authenticator port. When 802.
AT-S63 Management Software Features Guide Here are guidelines for adding VLAN assignments to supplicant accounts on a RADIUS server: The VLAN can be either port-based or tagged. The VLAN must already exist on the switch. A client can have only one VLAN associated with it on the RADIUS server. When a supplicant logs on, the switch port is moved as an untagged port to the designated VLAN.
Section IX Management Security The chapters in this section describe the management security features of the AT-9400 Switch.
Chapter 37 Web Server The sections in this chapter are:
“Supported Platforms” on page 448
“Overview” on page 449
“Configuring the Web Server for HTTP” on page 450
“Configuring the Web Server for HTTPS” on page 451
Chapter 37: Web Server Supported Platforms Refer to Table 112 and Table 113 for the AT-9400 Switches and the management interfaces that support the web server.
Table 112. Support for the Web Server
Switch                 Supported
Layer 2+ Models
  AT-9408LC/SP         Yes
  AT-9424T/GB          Yes
  AT-9424T/SP          Yes
Basic Layer 3 Models
  AT-9424T             Yes
  AT-9424T/POE         Yes
  AT-9424Ts            Yes
  AT-9424Ts/XP         Yes
  AT-9448T/SP          Yes
  AT-9448Ts/XP         Yes
  AT-9400Ts Stack      Yes
Table 113.
AT-S63 Management Software Features Guide Overview The AT-S63 Management Software has a web server and a special web browser interface that allow you to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interface, refer to the AT-S63 Management Software Web Browser Interface User’s Guide.) The web server on the switch can operate in HTTP or HTTPS mode.
Chapter 37: Web Server Configuring the Web Server for HTTP The following steps configure the web server for non-secure HTTP operation. The steps reference only the command line commands, but the web server can be configured from the menus interface, too. 1. Disable the web server with the DISABLE HTTP SERVER command. 2. Activate HTTP in the web server with the SET HTTP SERVER command. 3. Enable the web server with the ENABLE HTTP SERVER command.
AT-S63 Management Software Features Guide Configuring the Web Server for HTTPS The following sections outline the steps for configuring the web server on the switch for HTTPS operation with a self-signed or CA certificate. The steps reference only the command line commands, but the web server can be configured from the menus interface, too. General Steps for a Self-signed Certificate These steps configure the web server with a self-signed certificate: 1. Set the switch’s date and time.
Chapter 37: Web Server 6. After receiving the certificates from the CA, download them into the switch’s file system using the LOAD METHOD=TFTP or LOAD METHOD=XMODEM command. 7. Add the certificates to the certificate database with the ADD PKI CERTIFICATE command. 8. Disable the web server with the DISABLE HTTP SERVER command. 9. Activate HTTPS in the web server with the SET HTTP SERVER command. 10. Enable the web server with the ENABLE HTTP SERVER command.
Chapter 38 Encryption Keys The sections in this chapter are:
“Supported Platforms” on page 454
“Overview” on page 455
“Encryption Key Length” on page 456
“Encryption Key Guidelines” on page 457
“Technical Overview” on page 458
For an overview of the procedures to configuring the switch’s web server for encryption, refer to “Configuring the Web Server for HTTPS” on page 451.
Chapter 38: Encryption Keys Supported Platforms Refer to Table 114 and Table 115 for the AT-9400 Switches and the management interfaces that support encryption keys.
Table 114. Support for Encryption Keys
Switch                 Supported
Layer 2+ Models
  AT-9408LC/SP         Yes
  AT-9424T/GB          Yes
  AT-9424T/SP          Yes
Basic Layer 3 Models
  AT-9424T             Yes
  AT-9424T/POE         Yes
  AT-9424Ts            Yes
  AT-9424Ts/XP         Yes
  AT-9448T/SP          Yes
  AT-9448Ts/XP         Yes
  AT-9400Ts Stack      Yes
Table 115.
AT-S63 Management Software Features Guide Overview Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s login username and password, and uses that information to alter a switch’s configuration settings.
Chapter 38: Encryption Keys Encryption Key Length When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 256 bits. The longer the key, the more difficult it is for someone to decipher. If you are particularly concerned about the safety of your management sessions, you might want to use a longer key length than the default, though the default is likely to be sufficient in most situations.
AT-S63 Management Software Features Guide Encryption Key Guidelines Observe the following guidelines when creating an encryption key pair: Web browser encryption requires only one key pair. SSH encryption requires two key pairs. The keys must be of different lengths of at least one increment (256 bits) apart. The recommended size for the server key is 768 bits and the recommended size for the host key is 1024 bits.
Chapter 38: Encryption Keys Technical Overview The encryption feature provides the following data security services: Data encryption; Data authentication; Key exchange algorithms; Key creation and storage. Data Encryption: Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).
AT-S63 Management Software Features Guide algorithm and key. For a given input block of plaintext ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains consecutive blocks so that repetitive plaintext data, such as ASCII blanks, does not yield identical ciphertext.
Chapter 38: Encryption Keys secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generates a key pair and then distributes the public key to encrypting stations.
AT-S63 Management Software Features Guide It is very hard to find another message and key which give the same hash. The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is generally regarded to be slightly more secure.
Chapter 38: Encryption Keys A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well tested public key values. The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure. A Diffie-Hellman exchange starts with both parties generating a large random number.
Chapter 39 PKI Certificates and SSL The sections in this chapter are:
“Supported Platforms” on page 464
“Overview” on page 465
“Types of Certificates” on page 465
“Distinguished Names” on page 467
“SSL and Enhanced Stacking” on page 469
“Guidelines” on page 470
“Technical Overview” on page 471
Chapter 39: PKI Certificates and SSL Supported Platforms Refer to Table 116 and Table 117 for the AT-9400 Switches and the management interfaces that support the PKI certificates and SSL.
Table 116. Support for PKI Certificates and SSL
Switch                 Supported
Layer 2+ Models
  AT-9408LC/SP         Yes
  AT-9424T/GB          Yes
  AT-9424T/SP          Yes
Basic Layer 3 Models
  AT-9424T             Yes
  AT-9424T/POE         Yes
  AT-9424Ts            Yes
  AT-9424Ts/XP         Yes
  AT-9448T/SP          Yes
  AT-9448Ts/XP         Yes
  AT-9400Ts Stack      Yes
Table 117.
AT-S63 Management Software Features Guide Overview This chapter describes the second part of the encryption feature of the AT-S63 Management Software—PKI certificates. The first part is explained in Chapter 38, “Encryption Keys” on page 453.
Chapter 39: PKI Certificates and SSL network equipment. With private CAs, companies can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want the group to issue the certificate for the AT-9400 Switch so that you are in compliance with company policy. The first step to creating a CA certificate is to create a key pair.
AT-S63 Management Software Features Guide Distinguished Names Part of the task to creating a self-signed certificate or enrollment request is selecting a distinguished name. A distinguished name is integrated into a certificate along with the key and can have up to five parts. The parts are: cn - common name This can be the name of the person who will use the certificate. ou - organizational unit This is the name of a department, such as Network Support or IT.
Chapter 39: PKI Certificates and SSL If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the switch’s name instead of the IP address as the distinguished name. For those switches that do not have an IP address, such as slave switches of an enhanced stack, you could assign their certificates a distinguished name using the IP address of the master switch of the enhanced stack.
AT-S63 Management Software Features Guide SSL and Enhanced Stacking Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in HTTPS, management packets are encrypted. The web server on the AT-9400 Switch operates in either mode.
Chapter 39: PKI Certificates and SSL Guidelines The guidelines for creating certificates are: A certificate can have only one key. A switch can use only those certificates that contain a key that was generated on the switch. You can create multiple certificates on a switch, but the device uses the certificate whose key pair has been designated as the active key pair for the switch’s web server. Most web browsers support both unsecured (plaintext) and secured (encrypted) operation.
AT-S63 Management Software Features Guide Technical Overview This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol (FTP) and Net News Transfer Protocol (NNTP). Most web browsers and servers support SSL, and its most common deployment is for secure connections between a client and server over the Internet.
Chapter 39: PKI Certificates and SSL SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification: An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server. During the handshake, the following occurs: The client and server establish the SSL version they are to use.
AT-S63 Management Software Features Guide To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authority (CA) issues certificates after checking that a public key belongs to its claimed owner. There are several agencies that are trusted to issue certificates. Individual browsers have approved Root CAs that are built in to the browser.
Chapter 39: PKI Certificates and SSL this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate. Caution Although a certificate binds a public key to a subject to ensure the public key’s security, it does not guarantee that the security of the associated private key has not been breached.
AT-S63 Management Software Features Guide Elements of a Public Key Infrastructure A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements: At least one certification authority (CA), which issues and revokes certificates. At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists.
Chapter 39: PKI Certificates and SSL Certificate Validation To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate. CA Hierarchies and Certificate Chains It may not be practical for every individual certificate in an organization to be signed by one certification authority. A certification hierarchy may be formed, in which one CA (for example, national headquarters) is declared to be the root CA.
AT-S63 Management Software Features Guide PKI Implementation The following sections discuss the implementation of PKI on the AT-9400 Switch.
Chapter 40 Secure Shell (SSH) The sections in this chapter are:
“Supported Platforms” on page 480
“Overview” on page 481
“Support for SSH” on page 482
“SSH Server” on page 483
“SSH Clients” on page 484
“SSH and Enhanced Stacking” on page 485
“SSH Configuration Guidelines” on page 487
“General Steps to Configuring SSH” on page 488
Chapter 40: Secure Shell (SSH) Supported Platforms Refer to Table 118 and Table 119 for the AT-9400 Switches and the management interfaces that support the Secure Shell protocol.
Table 118. Support for the Secure Shell Protocol
Switch                 Supported
Layer 2+ Models
  AT-9408LC/SP         Yes
  AT-9424T/GB          Yes
  AT-9424T/SP          Yes
Basic Layer 3 Models
  AT-9424T             Yes
  AT-9424T/POE         Yes
  AT-9424Ts            Yes
  AT-9424Ts/XP         Yes
  AT-9448T/SP          Yes
  AT-9448Ts/XP         Yes
  AT-9400Ts Stack      Yes
Table 119.
AT-S63 Management Software Features Guide Overview Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requirement for security are two universal requirements. Switches are often remotely managed using remote sessions via the Telnet protocol. This method, however, has a serious security problem—it is only protected by plaintext usernames and passwords which are vulnerable to wiretapping and password guessing.
Chapter 40: Secure Shell (SSH) Support for SSH The AT-S63 implementation of the SSH protocol is compliant with the SSH protocol versions 1.3, 1.5, and 2.0. In addition, the following SSH options and features are supported: Inbound SSH connections (server mode) are supported. The following security algorithms are supported: – 128-bit Advanced Encryption Standard (AES), 192-bit AES, and 256-bit AES – Arcfour (RC4) security algorithm is supported.
AT-S63 Management Software Features Guide SSH Server When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as the SSH default port. Note If your switch is in a network that is protected by a firewall, you may need to configure the firewall to permit SSH connections.
Chapter 40: Secure Shell (SSH) SSH Clients The SSH protocol provides a secure connection between the switch and SSH clients. After you have configured the SSH server, you need to install SSH client software on your management workstations. The AT-S63 Management Software supports both SSH1 and SSH2 clients. You can download client software from the Internet. Two popular SSH clients are PuTTY and CYGWIN. To install SSH client software, follow the directions from the vendor.
AT-S63 Management Software Features Guide SSH and Enhanced Stacking The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.
Chapter 40: Secure Shell (SSH) Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the master switch of a stack. Activating SSH on a slave switch has no effect.
AT-S63 Management Software Features Guide SSH Configuration Guidelines Here are the guidelines to configuring SSH: SSH requires two encryption key pairs. One key pair functions as the host key and the other as the server key. The two encryption key pairs must be of different lengths of at least one increment (256 bits) apart. The recommended bit size for a server key is 768 bits. The recommended size for the host key is 1024 bits.
Chapter 40: Secure Shell (SSH) General Steps to Configuring SSH Configuring the SSH server involves the following procedures: 1. Create two encryption key pairs on the switch. One pair will function as the host key and the other the server key. 2. Configure and activate the Secure Shell server on the switch by specifying the two encryption keys in the server software. 3. Install SSH client software on your management station. Follow the directions provided with the client software.
Chapter 41 TACACS+ and RADIUS Protocols This chapter describes the two authentication protocols TACACS+ and RADIUS.
Chapter 41: TACACS+ and RADIUS Protocols Supported Platforms Refer to Table 120 and Table 121 for the AT-9400 Switches and the management interfaces that support the TACACS+ and RADIUS protocols.
Table 120. Support for the TACACS+ and RADIUS Protocols
Switch                 Supported
Layer 2+ Models
  AT-9408LC/SP         Yes
  AT-9424T/GB          Yes
  AT-9424T/SP          Yes
Basic Layer 3 Models
  AT-9424T             Yes
  AT-9424T/POE         Yes
  AT-9424Ts            Yes
  AT-9424Ts/XP         Yes
  AT-9448T/SP          Yes
  AT-9448Ts/XP         Yes
  AT-9400Ts Stack      Yes (1)
1.
AT-S63 Management Software Features Guide Overview TACACS+ and RADIUS are authentication protocols that can enhance the manageability of your network. In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol server. The AT-S63 software comes with TACACS+ and RADIUS client software. You can use the client software to add two security features to the switch.
Chapter 41: TACACS+ and RADIUS Protocols When a network manager logs in to a switch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid. This is referred to as authentication. If the combination is valid, the authentication protocol server notifies the switch and the switch completes the login process, allowing the manager to manage the switch.
AT-S63 Management Software Features Guide Guidelines Here are the main steps to using the TACACS+ or RADIUS client on the switch. 1. Install a TACACS+ or RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. 2. Configure the TACACS+ or RADIUS authentication server.
Chapter 41: TACACS+ and RADIUS Protocols maximum length for a password is 16 alphanumeric characters and spaces. – To create an account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode, enter the MAC address of the node used by the supplicant as both its username and password. When entering the MAC address, do not use spaces or colons (:).
AT-S63 Management Software Features Guide Note If no authentication server responds or if no servers have been defined, the AT-S63 Management Software defaults to the standard manager and operator accounts. Note For more information on TACACS+, refer to the RFC 1492 standard. For more information on RADIUS, refer to the RFC 2865 standard.
Chapter 42 Management Access Control List This chapter explains how to restrict Telnet and web browser management access to the switch with the management access control list (ACL).
Chapter 42: Management Access Control List Supported Platforms Refer to Table 122 and Table 123 for the AT-9400 Switches and the management interfaces that support the management access control list.
Table 122. Support for the Management Access Control List
Switch                 Supported
Layer 2+ Models
  AT-9408LC/SP         Yes
  AT-9424T/GB          Yes
  AT-9424T/SP          Yes
Basic Layer 3 Models
  AT-9424T             Yes
  AT-9424T/POE         Yes
  AT-9424Ts            Yes
  AT-9424Ts/XP         Yes
  AT-9448T/SP          Yes
  AT-9448Ts/XP         Yes
  AT-9400Ts Stack
Table 123.
AT-S63 Management Software Features Guide Overview This chapter explains how to restrict remote management access to a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser. The switch uses the management ACL to filter the management packets that it receives.
Chapter 42: Management Access Control List Parts of a Management ACE An ACE has the following three parts: IP address, subnet mask, and application. IP Address: You can specify the IP address of a specific management station or a subnet. Mask: The mask indicates the parts of the IP address the switch should filter on. A binary “1” indicates the switch should filter on the corresponding bit of the address, while a “0” indicates that it should not.
AT-S63 Management Software Features Guide Guidelines Below are guidelines for the management ACL: The default setting for this feature is disabled. A switch can have only one management ACL. A management ACL can have up to 256 ACEs. An ACE must have an IP address and mask. All management ACEs are implicit “permit” statements. A management packet that meets the criteria of an ACE is accepted by the switch.
Chapter 42: Management Access Control List Examples Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device:
IP Address: 149.11.11.11
Mask: 255.255.255.255
Application Type: All
If the management ACL had only this ACE, remote management of the switch would be restricted to just that management station.
AT-S63 Management Software Features Guide The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0:
ACE #1
IP Address: 149.11.11.11
Mask: 255.255.255.255
Application Type: All
ACE #2
IP Address: 149.22.22.0
Mask: 255.255.255.0
Application Type: All
This example allows the switch to be pinged, but not managed, by the management station with the IP address 149.11.11.
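The following is an added model of the management ACL filtering described in this chapter; it is example code, not part of the AT-S63 software. It assumes the application keywords Telnet, Web, Ping and All, that a packet matching no ACE is discarded while the ACL is enabled, and that everything is accepted while the feature is disabled (its factory default).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

# Application types an ACE can name. The text mentions Telnet, web browser
# and ping access; the exact keyword set used here is an assumption.
APPLICATIONS = ("Telnet", "Web", "Ping", "All")


@dataclass(frozen=True)
class ACE:
    """One management access control entry: IP address, mask, application."""
    address: str
    mask: str
    application: str

    def __post_init__(self) -> None:
        if self.application not in APPLICATIONS:
            raise ValueError(f"unknown application type: {self.application}")
        IPv4Address(self.address)  # reject malformed dotted quads early
        IPv4Address(self.mask)

    def matches(self, src_ip: str, application: str) -> bool:
        """A '1' bit in the mask means the switch compares that address bit,
        a '0' bit means it ignores it: 255.255.255.255 selects one station,
        255.255.255.0 selects a whole /24 subnet."""
        mask = int(IPv4Address(self.mask))
        if (int(IPv4Address(src_ip)) & mask) != (int(IPv4Address(self.address)) & mask):
            return False
        return self.application == "All" or self.application == application


class ManagementACL:
    """A switch has one management ACL of up to 256 ACEs; every ACE is an
    implicit permit, so a packet is accepted if any ACE matches it."""
    MAX_ACES = 256

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.aces: List[ACE] = []

    def add(self, ace: ACE) -> None:
        if len(self.aces) >= self.MAX_ACES:
            raise ValueError("a management ACL can have at most 256 ACEs")
        self.aces.append(ace)

    def permits(self, src_ip: str, application: str) -> bool:
        """Filter decision for one management packet (assumption: no match
        means drop while the ACL is enabled; disabled ACL accepts all)."""
        if not self.enabled:
            return True
        return any(ace.matches(src_ip, application) for ace in self.aces)


def two_station_acl() -> ManagementACL:
    """The two-ACE ACL from the text: one station plus the 149.22.22.0 subnet."""
    acl = ManagementACL()
    acl.add(ACE("149.11.11.11", "255.255.255.255", "All"))
    acl.add(ACE("149.22.22.0", "255.255.255.0", "All"))
    return acl


def ping_only_acl() -> ManagementACL:
    """A station allowed to ping the switch but not to manage it
    (relies on the assumed 'Ping' application keyword)."""
    acl = ManagementACL()
    acl.add(ACE("149.11.11.11", "255.255.255.255", "Ping"))
    return acl


if __name__ == "__main__":
    # Constructed sample management packets: (source IP, application).
    samples = [("149.11.11.11", "Telnet"), ("149.22.22.77", "Web"),
               ("149.33.1.1", "Telnet"), ("149.22.23.5", "Web")]
    acl = two_station_acl()
    for ip, app in samples:
        verdict = "permit" if acl.permits(ip, app) else "drop"
        print(f"{ip:>14} {app:<6} -> {verdict}")
```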
Appendix A AT-S63 Management Software Default Settings This appendix lists the factory default settings for the AT-S63 Management Software. The features are listed in alphabetical order: “Address Resolution Protocol Cache” on page 507 “Boot Configuration File” on page 508 “BOOTP Relay Agent” on page 509 “Class of Service” on page 510 “Denial of Service Defenses” on page 511 “802.
Appendix A: AT-S63 Management Software Default Settings “System Name, Administrator, and Comments Settings” on page 537 “Telnet Server” on page 538 “Virtual Router Redundancy Protocol” on page 539 “VLANs” on page 540 “Web Server” on page 541
AT-S63 Management Software Features Guide Address Resolution Protocol Cache The following table lists the ARP cache default setting.
Appendix A: AT-S63 Management Software Default Settings Boot Configuration File The following table lists the names of the default configuration files.
Boot Configuration File                                                         Default
Stand-alone Switch                                                              boot.cfg
Stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module      stack.
AT-S63 Management Software Features Guide BOOTP Relay Agent The following table lists the default setting for the BOOTP relay agent.
BOOTP Relay Agent Setting    Default
Status                       Disabled
Hop Count (1)                4
1. Hop count is not adjustable.
Appendix A: AT-S63 Management Software Default Settings Class of Service The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues. IEEE 802.
AT-S63 Management Software Features Guide Denial of Service Defenses The following table lists the default settings for the Denial of Service prevention feature.
Denial of Service Prevention Setting    Default
IP Address                              0.0.0.0
Subnet Mask                             0.0.0.
Appendix A: AT-S63 Management Software Default Settings 802.1x Port-Based Network Access Control The following table describes the 802.1x Port-based Network Access Control default settings.
802.1x Port-based Network Access Control Settings    Default
Port Access Control                                  Disabled
Authentication Method                                RADIUS EAP
Port Role                                            None
The following table lists the default settings for RADIUS accounting.
AT-S63 Management Software Features Guide
Authenticator Port Setting    Default
VLAN Assignment               Enabled
Secure VLAN                   On
Control Direction             Both
Piggyback Mode                Disabled
Guest VLAN                    None
The following table lists the default settings for a supplicant port.
Appendix A: AT-S63 Management Software Default Settings Enhanced Stacking The following table lists the enhanced stacking default setting.
AT-S63 Management Software Features Guide Ethernet Protection Switching Ring (EPSR) Snooping The following table lists the EPSR default setting.
Appendix A: AT-S63 Management Software Default Settings Event Logs The following table lists the default settings for both the permanent and temporary event logs.
AT-S63 Management Software Features Guide GVRP This section provides the default settings for GVRP.
Appendix A: AT-S63 Management Software Default Settings IGMP Snooping The following table lists the IGMP Snooping default settings.
AT-S63 Management Software Features Guide Internet Protocol Version 4 Packet Routing The following table lists the IPv4 packet routing default settings.
Packet Routing Setting                  Default
Equal Cost Multi-path (ECMP)            Enabled
Default Route                           None
Update Timer                            30 seconds
Invalid Timer                           180 seconds
Split Horizon                           Enabled
Split Horizon with Poison Reverse       Disabled
Autosummarization of Routes             Disabled
Note The update and invalid timers are not adjustable.
Link-flap Protection

The following table lists the default settings for link-flap protection.
MAC Address-based Port Security

The following table lists the MAC address-based port security default settings.
MAC Address Table

The following table lists the default setting for the MAC address table.
Management Access Control List

The following table lists the default setting for the management access control list.
Manager and Operator Account

The following table lists the manager and operator account default settings.

Manager Account Setting              Default
Manager Login Name                   manager
Manager Password                     friend
Operator Login Name                  operator
Operator Password                    operator
Console Disconnect Timer Interval    10 minutes
Console Startup Mode                 CLI

Note: Login names and passwords are case sensitive.
Multicast Listener Discovery Snooping

The following table lists the MLD Snooping default settings.
Public Key Infrastructure

The following table lists the PKI default settings, including the generate enrollment request settings.
Port Settings

The following table lists the port configuration default settings.
RJ-45 Serial Terminal Port

The following table lists the RJ-45 serial terminal port default settings.

RJ-45 Serial Terminal Port Setting    Default
Data Bits                             8
Stop Bits                             1
Parity                                None
Flow Control                          None
Baud Rate                             9600 bps

The baud rate is the only adjustable parameter on the port.
Router Redundancy Protocol Snooping

The following table lists the RRP Snooping default setting.
Server-based Authentication (RADIUS and TACACS+)

This section describes the server-based authentication, RADIUS, and TACACS+ client default settings.

Server-based Authentication

The following table describes the server-based authentication default settings.
Simple Network Management Protocol

The following table describes the SNMP default settings.
Simple Network Time Protocol

The following table lists the SNTP default settings.

SNTP Setting    Default
System Time     00:00:00 on January 1, 1980
SNTP Status     Disabled
SNTP Server     0.0.0.
Spanning Tree Protocols (STP, RSTP, and MSTP)

This section provides the spanning tree (STP, RSTP, and MSTP) default settings.

Spanning Tree Switch Settings

The following table describes the Spanning Tree Protocol default settings for the switch.

Spanning Tree Setting      Default
Spanning Tree Status       Disabled
Active Protocol Version    RSTP

Spanning Tree Protocol

The following table describes the STP default settings.
RSTP Setting    Default
Loop Guard      Disabled
BPDU Guard      Disabled

Multiple Spanning Tree Protocol

The following table lists the MSTP default settings.
Secure Shell Server

The following table lists the SSH default settings.

SSH Setting               Default
Status                    Disabled
Host Key ID               Not Defined
Server Key ID             Not Defined
Server Key Expiry Time    0 hours
Login Timeout             180 seconds
SSH Port Number           22

The SSH port number is not adjustable.
Secure Sockets Layer

The following table lists the SSL default settings.
System Name, Administrator, and Comments Settings

The following table describes the IP default settings.
Telnet Server

The following table lists the Telnet server default settings.

Telnet Server Setting    Default
Telnet Server            Enabled
Telnet Port Number       23
NULL Character           Off

The Telnet port number is not adjustable.
Virtual Router Redundancy Protocol

The following table lists the VRRP default setting.
VLANs

This section provides the VLAN default settings.
Web Server

The following table lists the web server default settings.
Appendix B: SNMPv3 Configuration Examples

This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol.
SNMPv3 Configuration Examples

This appendix provides SNMPv3 configuration examples for the following types of users:

Manager
Operator

In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 24, “SNMPv3” on page 253.

SNMPv3 Manager Configuration

This section provides a sample configuration for a Manager with a User Name of systemadmin24.
Configure SNMPv3 SecurityToGroup Table

User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile

Configure SNMPv3 Notify Table

Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile

Configure SNMPv3 Target Address Table

Target Address Name: host451
Target IP Address: 198.35.11.
Configure SNMPv3 View Table Menu

View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile

Configure SNMPv3 Access Table

Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet
Write View Name:
Notify View Name:

SNMPv3 Worksheet

This section supplies a table that you can use as a worksheet when configuring SNMPv3.
SNMPv3 Parameters (Continued)

Security Model
Security Level
Read View Name
Write View Name
Notify View Name
Storage Type

SNMPv3 SecurityToGroup Table

User Name
Security Model
Group Name
Storage Type

SNMPv3 Notify Table

Notify Name
Notify Tag
Notify Type
Storage Type

SNMPv3 Target Address Table

Target Address Name
Target IP Address
UDP Port
Timeout
Retries
Tag List
Target Parms Name
Storage Type

SNMPv3 Target Parameters Table

Target Parameters Name
User (Security) N
SNMPv3 Parameters (Continued)

Security Model
Security Level
Storage Type
Appendix C: Features and Standards

This appendix lists the features and standards of the AT-9400 Switch.
10/100/1000Base-T Twisted Pair Ports

IEEE 802.1d Bridging
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
IEEE 802.3u Auto-Negotiation
IEEE 802.3x 10/100 Mbps Flow Control / Backpressure
IEEE 802.
Fiber Optic Ports (AT-9408LC/SP Switch)

IEEE 802.1d Bridging
IEEE 802.3z 1000Base-SX
— Head of Line Blocking
— Eight Egress Queues Per Port
— 8 megabyte storage capacity

File System

DHCP and BOOTP Clients

RFC 2131 DHCP client
RFC 951, 1542 BOOTP client

Internet Protocol Multicasting

RFC 1112 IGMP Snooping (Ver. 1.0)
RFC 2236 IGMP Snooping (Ver. 2.0)
RFC 3376 IGMP Snooping (Ver. 3.0)
RFC 2710 MLD Snooping (Ver. 1.
RFC 826 Address Resolution Protocol
— Equal Cost Multi-path
— Split Horizon and Split Horizon with Poison Reverse
— Autosummarization of Routes
RFC 1542 BOOTP Relay

MAC Address Table

— Storage capacity of 16K entries

Management Access and Security

RFC 1157 SNMPv1
RFC 1901 SNMPv2
RFC 3411 SNMPv3
RFC 1492 TACACS+ Client
RFC 2865 RADIUS Client
RFC 2068 HTTP
RFC 2616 HTTPS
RFC 1866 HTML
RFC 854 Telnet Server
— Secure Sockets Layer (SSL)
R
Management Access Methods

Enhanced Stacking
Out-of-band management (serial port)
In-band management (over the network) using Telnet, SSH, web browser, and SNMP

Management Interfaces

Menus
Command Line
Web Browser
SNMP v1, v2, & v3

Management MIBs

RFC 1213 MIB-II
RFC 1215 TRAP MIB
RFC 1493 Bridge MIB
RFC 2863 Interface Group MIB
RFC 2933 IGMP
RFC 1643 Ethernet-like MIB
RFC 2674 IEEE 802.
Port Security

IEEE 802.1x Port-based Network Access Control: Supports multiple supplicants per port and the following authentication methods:
EAP-MD5
EAP-TLS
EAP-TTLS
PEAP
RFC 2865 RADIUS Client
RFC 2866 RADIUS Accounting
— MAC Address-based security

Port Trunking and Mirroring

IEEE 802.3ad Link Aggregation Control Protocol (LACP)
— Static Port Trunking
— Port Mirroring

Spanning Tree Protocols

IEEE 802.1D Spanning Tree Protocol
IEEE 802.
RFC 1757 RMON Groups 1, 2, 3, and 9
RFC 2386 Quality of Service featuring:

Traffic Control

— Layer 2, 3, and 4 criteria
— Flow Groups, Traffic Classes, and Policies
— DSCP Replacement
— 802.1q Priority Replacement
— Type of Service Replacement
— Type of Service to 802.1q Priority Replacement
— 802.1q Priority to Type of Service Replacement
— Maximum Bandwidth Control
— Burst Size Control
— Support on Ingress and Egress Ports
IEEE 802.
— MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.)
IEEE 802.3ac VLAN Tag Frame Extension
IEEE 802.
Appendix D: MIB Objects

This appendix lists the SNMP MIB objects in the private Allied Telesis MIBs that apply to the AT-S63 Management Software and the AT-9400 Switch.
Access Control Lists

Table 31. Access Control Lists (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwACLConfigTable       1.3.6.1.4.1.207.8.17.9.1
atiStkSwACLConfigEntry       1.3.6.1.4.1.207.8.17.9.1.1
atiStkSwACLModuleId          1.3.6.1.4.1.207.8.17.9.1.1.1
atiStkSwACLId                1.3.6.1.4.1.207.8.17.9.1.1.2
atiStkSwACLDescription       1.3.6.1.4.1.207.8.17.9.1.1.3
atiStkSwACLAction            1.3.6.1.4.1.207.8.17.9.1.1.4
atiStkSwACLClassifierList    1.3.6.1.4.1.207.8.17.9.1.1.5
atiStkSwACLPortList          1.3.6.1.4.1.207.
Class of Service

Table 32. CoS Scheduling (AtiStackSwitch MIB)

Object Name                         OID
atiSwQoSGroup                       1.3.6.1.4.1.207.8.17.7
atiStkSwQoSGroupNumberOfQueues      1.3.6.1.4.1.207.8.17.7.1
atiStkSwQoSGroupSchedulingMode      1.3.6.1.4.1.207.8.17.7.2

Table 33. CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB)

Object Name                         OID
atiStkSwQoSGroupCoSToQueueTable     1.3.6.1.4.1.207.8.17.7.3
atiStkSwQoSGroupCoSToQueueEntry     1.3.6.1.4.1.207.8.17.7.3.1
atiStkSwQoSGroupCoSPriority         1.
Date, Time, and SNTP Client

Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB)

Object Name                       OID
atiStkSysSystemTimeConfig         1.3.6.1.4.1.207.8.17.1.5
atiStkSwSysCurrentTime            1.3.6.1.4.1.207.8.17.1.5.1
atiStkSwSysCurrentDate            1.3.6.1.4.1.207.8.17.1.5.2
atiStkSwSysSNTPStatus             1.3.6.1.4.1.207.8.17.1.5.3
atiStkSwSysSNTPServerIPAddress    1.3.6.1.4.1.207.8.17.1.5.4
atiStkSwSysSNTPUTCOffset          1.3.6.1.4.1.207.8.17.1.5.5
atiStkSwSysSNTPDSTStatus          1.3.6.1.4.1.207.8.17.1.5.
Denial of Service Defenses

Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB)

Object Name                      OID
atiStkDOSConfig                  1.3.6.1.4.1.207.8.17.2.6
atiStkDOSConfigLANIpAddress      1.3.6.1.4.1.207.8.17.2.6.1
atiStkDOSConfigLANSubnetMask     1.3.6.1.4.1.207.8.17.2.6.2

Table 38. Denial of Service Defenses (AtiStackSwitch MIB)

Object Name                      OID
atiStkPortDOSAttackConfigTable   1.3.6.1.4.1.207.8.17.2.6.3
atiStkPortDOSAttackConfigEntry   1.3.6.1.4.1.207.8.17.2.6.3.
Enhanced Stacking

Table 39. Switch Mode and Discovery (AtiStackInfo MIB)

Object Name                      OID
atiswitchEnhancedStackingInfo    1.3.6.1.4.1.207.8.16.1
atiswitchEnhStackMode            1.3.6.1.4.1.207.8.16.1.1
atiswitchEnhStackDiscover        1.3.6.1.4.1.207.8.16.1.2
atiswitchEnhStackRemoteNumber    1.3.6.1.4.1.207.8.16.1.3

Table 40. Switches of an Enhanced Stack (AtiStackInfo MIB)

Object Name                      OID
atiswitchEnhStackTable           1.3.6.1.4.1.207.8.16.1.4
atiswitchEnhStackEntry           1.3.6.1.4.1.207.8.16.1.4.
GVRP

Table 41. GVRP Switch Configuration (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwGVRPConfig           1.3.6.1.4.1.207.8.17.3.6
atiStkSwGVRPStatus           1.3.6.1.4.1.207.8.17.3.6.1
atiStkSwGVRPGIPStatus        1.3.6.1.4.1.207.8.17.3.6.2
atiStkSwGVRPJoinTimer        1.3.6.1.4.1.207.8.17.3.6.3
atiStkSwGVRPLeaveTimer       1.3.6.1.4.1.207.8.17.3.6.4
atiStkSwGVRPLeaveAllTimer    1.3.6.1.4.1.207.8.17.3.6.5

Table 42.
Table 43. GVRP Counters (AtiStackSwitch MIB)

Object Name                             OID
atiStkSwGVRPCountersPortNotListening    1.3.6.1.4.1.207.8.17.3.8.1.8
atiStkSwGVRPCountersInvalidPort         1.3.6.1.4.1.207.8.17.3.8.1.9
atiStkSwGVRPCountersInvalidProtocol     1.3.6.1.4.1.207.8.17.3.8.1.10
atiStkSwGVRPCountersInvalidFormat       1.3.6.1.4.1.207.8.17.3.8.1.11
atiStkSwGVRPCountersDatabaseFull        1.3.6.1.4.1.207.8.17.3.8.1.12
atiStkSwGVRPCountersRxMsgLeaveAll       1.3.6.1.4.1.207.8.17.3.8.1.
MAC Address Table

Table 44. MAC Address Table (AtiStackSwitch MIB)

Object Name                  OID
atiStkSwMacAddr2VlanTable    1.3.6.1.4.1.207.8.17.3.3
atiStkSwMacAddr2VlanEntry    1.3.6.1.4.1.207.8.17.3.3.1
atiStkSwMacAddress           1.3.6.1.4.1.207.8.17.3.3.1.1
atiStkSwMacAddrVlanId        1.3.6.1.4.1.207.8.17.3.3.1.2
atiStkSwMacAddrVlanName      1.3.6.1.4.1.207.8.17.3.3.1.3
atiStkSwMacAddrModuleId      1.3.6.1.4.1.207.8.17.3.3.1.4
atiStkSwMacAddrPortId        1.3.6.1.4.1.207.8.17.3.3.1.
Management Access Control List

Table 46. Management Access Control List Status (AtiStackSwitch MIB)

Object Name                       OID
atiStkSwSysMgmtACLGroup           1.3.6.1.4.1.207.8.17.1.7
atiStkSwSysMgmtACLStatus          1.3.6.1.4.1.207.8.17.1.7.1

Table 47. Management Access Control List Entries (AtiStackSwitch MIB)

Object Name                       OID
atiStkSwSysMgmtACLConfigTable     1.3.6.1.4.1.207.8.17.1.7.2
atiStkSwSysMgmtACLConfigEntry     1.3.6.1.4.1.207.8.17.1.7.2.1
atiStkSwSysMgmtACLConfigModuleId  1.3.6.1.4.1.207.8.17.1.7.
Miscellaneous

Table 48. System Reset (AtiStackSwitch MIB)

Object Name             OID
atiStkSwSysGroup        1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig       1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysReset        1.3.6.1.4.1.207.8.17.1.1.1

Table 49. Local Interface (AtiStackSwitch MIB)

Object Name             OID
atiStkSwSysGroup        1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig       1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysIpAddress    1.3.6.1.4.1.207.8.17.1.1.2
atiStkSwSysSubnetMask   1.3.6.1.4.1.207.8.17.1.1.
Port Mirroring

Table 51. Port Mirroring (AtiStackSwitch MIB)

Object Name                                 OID
atiStkSwPortMirroringConfig                 1.3.6.1.4.1.207.8.17.2.2
atiStkSwPortMirroringState                  1.3.6.1.4.1.207.8.17.2.2.1
atiStkSwPortMirroringDestinationModuleId    1.3.6.1.4.1.207.8.17.2.2.4
atiStkSwPortMirroringDestinationPortId      1.3.6.1.4.1.207.8.17.2.2.5
atiStkSwPortMirroringSourceRxList           1.3.6.1.4.1.207.8.17.2.2.6
atiStkSwPortMirroringSourceTxList           1.3.6.1.4.1.207.8.17.2.2.
Quality of Service

Table 52. Flow Groups (AtiStackSwitch MIB)

Object Name                      OID
atiStkSwQosFlowGrpTable          1.3.6.1.4.1.207.8.17.7.5
atiStkSwQosFlowGrpEntry          1.3.6.1.4.1.207.8.17.7.5.1
atiStkSwQosFlowGrpModuleId       1.3.6.1.4.1.207.8.17.7.5.1.1
atiStkSwQosFlowGrpId             1.3.6.1.4.1.207.8.17.7.5.1.2
atiStkSwQosFlowGrpDescription    1.3.6.1.4.1.207.8.17.7.5.1.3
atiStkSwQosFlowGrpDSCPValue      1.3.6.1.4.1.207.8.17.7.5.1.4
atiStkSwQosFlowGrpPriority       1.3.6.1.4.1.207.8.17.7.5.1.
Table 53. Traffic Classes (AtiStackSwitch MIB)

Object Name                                OID
atiStkSwQosTrafficClassClassPriority       1.3.6.1.4.1.207.8.17.7.6.1.9
atiStkSwQosTrafficClassRemarkPriority      1.3.6.1.4.1.207.8.17.7.6.1.10
atiStkSwQosTrafficClassToS                 1.3.6.1.4.1.207.8.17.7.6.1.11
atiStkSwQosTrafficClassMoveToSToPriority   1.3.6.1.4.1.207.8.17.7.6.1.12
atiStkSwQosTrafficClassMovePriorityToToS   1.3.6.1.4.1.207.8.17.7.6.1.13
atiStkSwQosTrafficClassFlowGroupList       1.3.6.1.4.1.207.8.17.7.6.1.
Port Configuration and Status

Table 55. Port Configuration and Status (AtiStackSwitch MIB)

Object Name               OID
atiStkSwPortConfigTable   1.3.6.1.4.1.207.8.17.2.1
atiStkPortConfigEntry     1.3.6.1.4.1.207.8.17.2.1.1
atiStkSwModuleId          1.3.6.1.4.1.207.8.17.2.1.1.1
atiStkSwPortId            1.3.6.1.4.1.207.8.17.2.1.1.2
atiStkSwPortName          1.3.6.1.4.1.207.8.17.2.1.1.3
atiStkSwPortState         1.3.6.1.4.1.207.8.17.2.1.1.4
atiStkSwPortLinkState     1.3.6.1.4.1.207.8.17.2.1.1.
Spanning Tree

Table 56. Spanning Tree (AtiStackSwitch MIB)

Object Name                      OID
atiStkSwSysConfig                1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysSpanningTreeStatus    1.3.6.1.4.1.207.8.17.1.1.9
atiStkSwSysSpanningTreeVersion   1.3.6.1.4.1.207.8.17.1.1.
Static Port Trunk

Table 57. Static Port Trunks (AtiStackSwitch MIB)

Object Name                    OID
atiStkSwStaticTrunkTable       1.3.6.1.4.1.207.8.17.8.1
atiStkSwStaticTrunkEntry       1.3.6.1.4.1.207.8.17.8.1.1
atiStkSwStaticTrunkModuleId    1.3.6.1.4.1.207.8.17.8.1.1.1
atiStkSwStaticTrunkIndex       1.3.6.1.4.1.207.8.17.8.1.1.2
atiStkSwStaticTrunkId          1.3.6.1.4.1.207.8.17.8.1.1.3
atiStkSwStaticTrunkName        1.3.6.1.4.1.207.8.17.8.1.1.4
atiStkSwStaticTrunkMethod      1.3.6.1.4.1.207.8.17.8.1.1.
VLANs

The objects in Table 58 display the specifications of the Default_VLAN.

Table 58. VLAN Table (AtiStackSwitch MIB)

Object Name                          OID
atiStkSwVlanConfigTable              1.3.6.1.4.1.207.8.17.3.1
atiStkSwVlanConfigEntry              1.3.6.1.4.1.207.8.17.3.1.1
atiStkSwVlanId                       1.3.6.1.4.1.207.8.17.3.1.1.1
atiStkSwVlanName                     1.3.6.1.4.1.207.8.17.3.1.1.2
atiStkSwVlanTaggedPortListModule1    1.3.6.1.4.1.207.8.17.3.1.1.3
atiStkSwVlanUntaggedPortListModule1  1.3.6.1.4.1.207.8.17.3.1.1.
Table 61. PVID Table (AtiStackSwitch MIB)

Object Name               OID
atiStkSwPort2VlanTable    1.3.6.1.4.1.207.8.17.3.2
atiStkSwPort2VlanEntry    1.3.6.1.4.1.207.8.17.3.2.1
atiStkSwPortVlanId        1.3.6.1.4.1.207.8.17.3.2.1.1
atiStkSwPortVlanName      1.3.6.1.4.1.207.8.17.3.2.1.
Index

Numerics

802.1p priority level in classifiers 139
802.1Q-compliant VLAN mode 340
802.

B
    protocols 140
    source MAC addresses 139
    TCP flags 143
    TCP source and destination ports 143
    UDP source and destination ports 143
    VLAN ID 140
Common and Internal Spanning Tree (CIST)
    defined 302
    priority 302
common VLAN 85
community names
    SNMPv1 and SNMPv2c 94
configuration file
    described 75
configuration name 299
control messages, Ethernet Protection Switching Ring (EPSR) snooping 245, 247
CoS. See Class of Service (CoS)
CRL.
H

hello time 276
history of new features 55
HMAC authentication algorithm 461
HMAC-MD5-96 (MD5) authentication protocol 256
HMAC-SHA-96 (SHA) authentication protocol 256
HTTP 449
HTTPS 449

I

IEEE 802.1D standard 269
IGMP snooping querier. See Internet Group Management Protocol (IGMP) snooping querier
IGMP snooping.
module ID numbers
    described 74
MSTI priority 301
MSTI. See Multiple Spanning Tree Instances (MSTI)
MSTP.
    loop guard 283
    supported platforms 270
redundant twisted pair ports 53
regional root 301
regions 299
revision number 299
RJ-45 serial terminal port, default settings 528
root bridge 272
Router Redundancy Protocol (RRP) snooping
    default setting 529
    described 241
    guidelines 242
    supported platforms 240
Routing Information Protocol (RIP) 374
routing interface names 371
routing interface numbers 369
routing interfaces
    and enhanced stacking 385
    and network servers 384
    an
static module ID numbers
    described 74
static port trunks
    described
    guidelines 106
    load distribution methods 104
    supported platforms 102
static routes 372
strict priority scheduling 162
subtree mask, related to MIB subtree view 259
supplicant port role 423, 428
supported features 34
SYN flood attack 204
syslog client 134
system priority in aggregate trunks 110
    master switch 406
    port monitoring 409
    supported platforms 404
VLAN and MSTI associations 297
VLAN ID 315
    in classifiers 140
volatile storage 2