manualshive.com logo in svg

Allied Telesis AT-S63, Features Manual

The Allied Telesis AT-S63 is a high-performance network switch that offers advanced features and seamless connectivity. For easy setup and configuration, download the free Cli User's Manual from our website manualshive.com. This comprehensive manual guides you through every aspect of the product, ensuring optimal performance and reliability.

Share
Download
background image

Chapter 36: PKI Certificates and SSL

434

Section IX: Management Security

Certificate

Validation

To validate a certificate, the end entity verifies the signature in the 
certificate, using the public key of the CA who issued the certificate.

CA Hierarchies and Certificate Chains

It may not be practical for every individual certificate in an organization to 
be signed by one certification authority. A certification hierarchy may be 
formed, in which one CA (for example, national headquarters) is declared 
to be the root CA. This CA issues certificates to the next level down in the 
hierarchy (for example, regional headquarters), who become subordinate 
CAs and issue certificates to the next level down, and so on. A hierarchy 
may have as many levels as needed.

Certificate hierarchies allow validation of certificates through certificate 
chains and cross-certification. If a switch X, which holds a certificate 
signed by CA X, wishes to communicate securely with a switch Y, which 
holds a certificate signed by CA Y, there are two ways in which the 
switches can validate each other’s certificates. Cross-certification occurs 
when switch X validates switch Y's CA (CA Y) by obtaining a certificate for 
switch Y's CA which has been issued by its own CA (CA X)

.

 A certificate 

chain is formed if both CA X and CA Y hold a certificate signed by a root 
CA Z, which the switches have verified out of band. Switch X can validate 
switch Y’s certificate (and vice versa) by following the chain up to CA Z.

Root CA Certificates

A root CA must sign its own certificate. The root CA is the most critical link 
in the certification chain, because the validity of all certificates issued by 
any CA in the hierarchy depends on the root CA’s validity. Therefore, 
every device which uses the root CA’s certificate must verify it out-of-
band.

Out-of-band verification involves both the owner of a certificate and the 
user who wishes to verify that certificate generating a one-way hash (a 
fingerprint) of the certificate. These two hashes must then be compared 
using at least one non-network-based communication method. Examples 
of suitable communication methods are mail, telephone, fax, or transfer by 
hand from a storage device such as a smart card or floppy disk. If the two 
hashes are the same, the certificate can be considered valid. 

Certificate

Revocation Lists

(CRLs)

A certificate may become invalid because some of the details in it change 
(for example, the address changes), because the relationship between the 
Certification Authority (CA) and the subject changes (for example, an 
employee leaves a company), or because the associated private key is 
compromised. Every CA is required to keep a publicly accessible list of its 
certificates which have been revoked. 

Summary of Contents for AT-S63

Page 1: ...22 Rev B Management Software AT S63 Features Guide For Stand alone AT 9400 Switches and AT 9400Ts Stacks AT S63 Version 2 2 0 for AT 9400 Layer 2 Switches AT S63 Version 4 0 0 for AT 9400 Basic Layer 3 Switches ...

Page 2: ...arks or registered trademarks of their respective owners Allied Telesis Inc reserves the right to make changes in specifications and other information contained in this document without prior written notice The information provided herein is subject to change without notice In no event shall Allied Telesis Inc be liable for any incidental special indirect or consequential damages whatsoever includ...

Page 3: ...ement Interfaces 37 Management Access Methods 43 Local Management Sessions 43 Remote Telnet Sessions 43 Remote Secure Shell SSH Sessions 44 Remote Web Browser Session 44 Remote SNMP Management 44 Manager Access Levels 45 Installation and Management Configurations 46 Stand alone Switches 46 AT 9400Ts Stacks 46 Enhanced Stacking 46 IP Configuration 47 Configuration Files 48 Stand alone Switches 48 A...

Page 4: ... Supported Platforms 78 Overview 79 Master and Slave Switches 80 Common VLAN 81 Master Switch and the Local Interface 82 Slave Switches 83 Enhanced Stacking Compatibility 84 Enhanced Stacking Guidelines 85 General Steps 86 Chapter 4 SNMPv1 and SNMPv2c 87 Supported Platforms 88 Overview 89 Community String Attributes 90 Community String Name 90 Access Mode 90 Operating Status 90 Open or Closed Acce...

Page 5: ...forms 126 Overview 127 Classifier Criteria 129 Guidelines 134 Chapter 12 Access Control Lists 135 Supported Platforms 136 Overview 137 Parts of an ACL 139 Guidelines 140 Examples 141 Chapter 13 Class of Service 147 Supported Platforms 148 Overview 149 Scheduling 152 Strict Priority Scheduling 152 Weighted Round Robin Priority Scheduling 152 Chapter 14 Quality of Service 155 Supported Platforms 156...

Page 6: ...lasses 194 Section III Snooping Protocols 195 Chapter 17 Internet Group Management Protocol Snooping 197 Supported Platforms 198 Overview 199 Chapter 18 Multicast Listener Discovery Snooping 201 Supported Platforms 202 Overview 203 Chapter 19 Router Redundancy Protocol Snooping 205 Supported Platforms 206 Overview 207 Guidelines 208 Chapter 20 Ethernet Protection Switching Ring Snooping 209 Suppor...

Page 7: ...tworks 245 Spanning Tree and VLANs 246 Chapter 23 Multiple Spanning Tree Protocol 247 Supported Platforms 248 Overview 249 Multiple Spanning Tree Instance MSTI 250 MSTI Guidelines 254 VLAN and MSTI Associations 255 Ports in Multiple MSTIs 256 Multiple Spanning Tree Regions 257 Region Guidelines 259 Common and Internal Spanning Tree CIST 260 MSTP with STP and RSTP 260 Summary of Guidelines 261 Asso...

Page 8: ... Overview 309 Egress Ports 310 VLANs That Span Switches 313 VLAN Hierarchy 315 Steps to Creating a MAC Address based VLAN 316 Guidelines 317 Section VII Routing 319 Chapter 29 Internet Protocol Version 4 Packet Routing 321 Supported Platforms 322 Overview 324 Routing Interfaces 326 VLAN ID VID 327 Interface Numbers 327 IP Address and Subnet Mask 327 Interface Names 329 Static Routes 330 Routing In...

Page 9: ...view 363 Master Switch 364 Backup Switches 365 Interface Monitoring 366 Port Monitoring 367 VRRP on the Switch 368 Section VIII Port Security 371 Chapter 32 MAC Address based Port Security 373 Supported Platforms 374 Overview 375 Automatic 375 Limited 375 Secured 376 Locked 376 Invalid Frames and Intrusion Actions 377 Guidelines 378 Chapter 33 802 1x Port based Network Access Control 379 Supported...

Page 10: ...ication 418 Key Exchange Algorithms 419 Chapter 36 PKI Certificates and SSL 421 Supported Platforms 422 Overview 423 Types of Certificates 423 Distinguished Names 425 SSL and Enhanced Stacking 427 Guidelines 428 Technical Overview 429 SSL Encryption 429 User Verification 430 Authentication 430 Public Key Infrastructure 431 Public Keys 431 Message Encryption 431 Digital Signatures 431 Certificates ...

Page 11: ... Internet Protocol Version 4 Packet Routing 477 MAC Address based Port Security 478 MAC Address Table 479 Management Access Control List 480 Manager and Operator Account 481 Multicast Listener Discovery Snooping 482 Public Key Infrastructure 483 Port Settings 484 RJ 45 Serial Terminal Port 485 Router Redundancy Protocol Snooping 486 Server based Authentication RADIUS and TACACS 487 Server based Au...

Page 12: ...ng 507 MAC Address Table 508 Management Access and Security 508 Management Access Methods 509 Management Interfaces 509 Management MIBs 509 Port Security 510 Port Trunking and Mirroring 510 Spanning Tree Protocols 510 System Monitoring 510 Traffic Control 511 Virtual LANs 511 Virtual Router Redundancy Protocol 512 Appendix D MIB Objects 513 Access Control Lists 514 Class of Service 515 Date Time a...

Page 13: ...P or RSTP 251 Figure 27 MSTP Example of Two Spanning Tree Instances 252 Figure 28 Multiple VLANs in a MSTI 253 Figure 29 Multiple Spanning Tree Region 258 Figure 30 CIST and VLAN Guideline Example 1 263 Figure 31 CIST and VLAN Guideline Example 2 264 Figure 32 Spanning Regions Example 1 265 Figure 33 Port based VLAN Example 1 276 Figure 34 Port based VLAN Example 2 277 Figure 35 Example of a Tagge...

Page 14: ...Figures 14 ...

Page 15: ...0 Table 27 Management Interfaces for AT 9400Ts Stacks 60 Table 28 Maximum Number of Switches in a Stack of both 24 port and 48 port Switches 64 Table 29 Support for Enhanced Stacking 78 Table 30 Management Interfaces for Enhanced Stacking 78 Table 31 Support for SNMPv1 and SNMPv2c Community Strings 88 Table 32 Management Interfaces for SNMPv1 and SNMPv2c Community Strings 88 Table 33 Support for S...

Page 16: ...ol 248 Table 78 Support for the Port based and Tagged VLANs 270 Table 79 Management Interfaces for the Port based and Tagged VLANs 270 Table 80 Support for the GARP VLAN Registration Protocol 284 Table 81 Management Interfaces for the GARP VLAN Registration Protocol 284 Table 82 Support for the Multiple VLAN Modes 296 Table 83 Management Interfaces for the Multiple VLAN Modes 296 Table 84 802 1Q C...

Page 17: ...of an Enhanced Stack AtiStackInfo MIB 518 Table 126 GVFP Switch Configuration AtiStackSwitch MIB 519 Table 127 GVRP Port Configuration AtiStackSwitch MIB 519 Table 128 GVRP Counters AtiStackSwitch MIB 519 Table 129 MAC Address Table AtiStackSwitch MIB 521 Table 130 Static MAC Address Table AtiStackSwitch MIB 521 Table 131 Management Access Control List Status AtiStackSwitch MIB 522 Table 132 Manag...

Page 18: ...Tables 18 ...

Page 19: ...ryptographic functionality and its export is restricted by U S law As of this writing it has been submitted for review as a retail encryption item in accordance with the Export Administration Regulations 15 C F R Part 730 772 promulgated by the U S Department of Commerce and conditionally may be exported in accordance with the pertinent terms of License Exception ENC described in 15 C F R Part 740...

Page 20: ... System on page 117 Chapter 10 Event Logs and the Syslog Client on page 121 Chapter 11 Classifiers on page 125 Chapter 12 Access Control Lists on page 135 Chapter 13 Class of Service on page 147 Chapter 14 Quality of Service on page 155 Chapter 15 Denial of Service Defenses on page 177 Chapter 16 Power Over Ethernet on page 189 Section III Snooping Protocols Chapter 17 Internet Group Management Pr...

Page 21: ...1 Chapter 30 BOOTP Relay Agent on page 355 Chapter 31 Virtual Router Redundancy Protocol on page 361 Section VIII Port Security Chapter 32 MAC Address based Port Security on page 373 Chapter 33 802 1x Port based Network Access Control on page 379 Section IX Management Security Chapter 34 Web Server on page 405 Chapter 35 Encryption Keys on page 411 Chapter 36 PKI Certificates and SSL on page 421 C...

Page 22: ... 000987 AT S63 Management Software Menus User s Guide PN 613 001025 AT S63 Management Software Command Line User s Guide PN 613 001024 AT S63 Management Software Web Browser User s Guide PN 613 001026 For instructions on how to install or manage an AT 9400Ts Stack refer to AT 9400Ts Stack Installation Guide PN 613 000796 AT S63 Management Software Command Line User s Guide PN 613 001024 AT S63 Man...

Page 23: ...he unit and the management software like the two levels of manager access levels and the different types of management sessions You should also read Chapter 2 AT 9400Ts Stacks on page 59 if you are managing a stack of the AT 9424Ts AT 9424Ts XP and AT 9448Ts XP Switches This guide is your resource for background information on the features of the switch You can refer here for the relevant concepts...

Page 24: ...Preface 24 Starting a Management Session For instructions on how to start a local or remote management session on the AT 9400 Switch refer to the Starting an AT S63 Management Session Guide ...

Page 25: ...e following conventions Note Notes provide additional information Caution Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data Warning Warnings inform you that performing or omitting a specific action may result in bodily injury ...

Page 26: ...ate tab Returning Products Products for return or repair must first be assigned a return materials authorization RMA number A product sent to Allied Telesis without an RMA number will be returned to the sender at the sender s expense For instructions on how to obtain an RMA number go to the Support section on our web site at www alliedtelesis com Sales or Corporate Information You can contact Alli...

Page 27: ...ch features The chapters include Chapter 1 Overview on page 29 Chapter 2 AT 9400Ts Stacks on page 59 Chapter 3 Enhanced Stacking on page 77 Chapter 4 SNMPv1 and SNMPv2c on page 87 Chapter 5 MAC Address Table on page 93 Chapter 6 Static Port Trunks on page 97 Chapter 7 LACP Port Trunks on page 103 Chapter 8 Port Mirror on page 111 ...

Page 28: ...28 Section I Basic Operations ...

Page 29: ...nagement Software on page 36 Management Interfaces on page 37 Management Access Methods on page 43 Manager Access Levels on page 45 Installation and Management Configurations on page 46 IP Configuration on page 47 Configuration Files on page 48 Redundant Twisted Pair Ports on page 49 History of New Features on page 51 ...

Page 30: ...feature is only supported on the Basic Layer 3 switches and is the reason for the group s name The following tables list the supported features on the various switches The Stack column lists the features of the AT 9424Ts AT 9424Ts XP and AT 9448Ts XP Switches when they are installed as AT 9400Ts Stacks with the AT StackXG Stacking Module Y supported features Table 1 Basic Operations Layer 2 Switch...

Page 31: ... Y Y Y Y Y Y Y Y Port mirroring Y Y Y Y Y Y Y Y Y Y Table 1 Basic Operations Layer 2 Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP Stack Table 2 Advanced Operations Layer 2 Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP Stack File system Y Y Y Y Y Y Y Y Y Y1 Event logs Y Y Y Y Y Y Y Y Y Y2 TFTP client Y Y Y Y Y Y Y Y Y Y Syslog clien...

Page 32: ... 24XP 48SP 48XP Stack Table 3 Snooping Protocols Layer 2 Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP Stack Internet Group Management Protocol IGMP snooping Y Y Y Y Y Y Y Y Y Y Multicast Listener Discovery MLD snooping Y Y Y Y Y Y Y Y Y Router Redundancy Protocol RRP snooping Y Y Y Y Y Y Y Y Y Ethernet Protection Switching Ring EPSR snooping Y Y Y Y Y Y Table 4 SN...

Page 33: ...RSTP Y Y Y Y Y Y Y Y Y Y Multiple Spanning Tree Protocol MSTP Y Y Y Y Y Y Y Y Y Table 6 Virtual LANs Layer 2 Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP Stack Port based and tagged VLANs Y Y Y Y Y Y Y Y Y Y 802 1Q compliant and non 802 1Q compliant multiple VLAN modes Y Y Y Y Y Y Y Y Y GARP VLAN Registration Protocol Y Y Y Y Y Y Y Y Y Protected ports VLANs Y Y Y ...

Page 34: ...ing interface1 Y Y Y Y Y Y Y Y Y Y Virtual Router Redundancy Protocol Y Y Y Y Y Y BOOTP and DHCP clients Y Y Y Y Y Y Y Y Y Y BOOTP relay agent Y Y Y Y Y Y Y 1 Used to assign the switch or stack an IP address configuration Table 8 Port Security Layer 2 Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP Stack MAC address based port security Y Y Y Y Y Y Y Y Y Y 802 1x port...

Page 35: ...icates and Secure Sockets Layer SSL protocol Y Y Y Y Y Y Y Y Y Y Remote Secure Shell management Y Y Y Y Y Y Y Y Y Y Manager accounts using TACACS or RADIUS protocol Y Y Y Y Y Y Y Y Y Y1 Management access control list Y Y Y Y Y Y Y Y Y 1 Stacks do not support the TACACS protocol You can use the web browser interface to configure RADIUS accounting on a stack but you cannot use the interface to enter...

Page 36: ...ork in band using a Telnet or Secure Shell client or a web browser For further information refer to Management Access Methods on page 43 The management software has four management interfaces a menus interface a standard command line interface an AlliedWare Plus command line interface and a web browser interface You can use any of the interfaces to perform basic configuration procedures But some o...

Page 37: ... command line and the menus from local management sessions and from remote Telnet and Secure Shell clients The web browser windows are available from remote web browsers using either non secure HTTP or secure HTTPS The standard command line is the only management interface that lets you configure all of the parameters on stand alone switches and stacks The other management interfaces support only ...

Page 38: ... Menus WB Web browser Table 11 Management Interfaces for Basic Operations Stand alone Switches Stacks SCL ACL M WB SCL ACL WB Switch s name location and contact Y Y1 Y Y Y Y1 Y Manager and operator passwords Y Y Y Y Y Date and time manual and SNTP Y Y Y Y Y Y Y Rebooting a switch Y Y Y Y Y Y Multiple manager sessions Y Y Y Y TCP IP pings Y Y Y Y Y Y Y Enhanced stacking Y Y Y SNMPv1 and SNMPv2 comm...

Page 39: ...e the web browser windows to view the files in the file system of a switch or on a compact flash card but you cannot copy rename or delete them change directories on a compact flash card or create a new switch configuration file 2 You can use the web browser windows to view the files in the file system of the master switch or on a compact flash card in the master switch but you cannot copy rename ...

Page 40: ...tener Discovery MLD snooping Y Y Router Redundancy Protocol RRP snooping Y Y Ethernet Protection Switching Ring EPSR snooping Y Table 14 Management Interfaces for SNMPv3 Stand alone Switches Stacks SCL ACL M WB SCL ACL WB SNMPv3 Y Y Y Y Y Table 15 Management Interfaces for Spanning Tree Protocols Stand alone Switches Stacks SCL ACL M WB SCL ACL WB Spanning Tree Protocol STP Y Y Y Y Y Y Y Rapid Spa...

Page 41: ...ANs Y Y MAC address based VLANs Y Y Table 17 Management Interfaces for Internet Protocol Routing Stand alone Switches Stacks SCL ACL M WB SCL ACL WB Routing interfaces Y Y Y Y Y Static routes Y Y Y Y Routing Information Protocol RIP Y Address Resolution Protocol ARP table Y Y BOOTP and DHCP clients Y Y Y Y Y BOOTP relay agent Y Y Virtual Router Redundancy Protocol Y Table 18 Management Interfaces ...

Page 42: ...ets Layer SSL protocol Y Y Y3 Y Secure Shell server Y Y Y Y Y Y TACACS and RADIUS authentication Y Y Y Y Y Y Management access control list Y Y Y 1 You can use the AlliedWare Plus command line to enable or disable the web server To configure the server you have to use another management interface 2 From the web browser interface you can view the encryption keys but you cannot create or delete them...

Page 43: ...d with the unit must be performed at the switch hence the name local A switch or stack does not require an Internet Protocol IP configuration for local management Here are the management interfaces that are available to you from this type of management session Standard command line AlliedWare Plus command line Menus You can change between the interfaces during your management sessions Note In most...

Page 44: ...a workstation on your network A web browser session can be either non encrypted HTTP or encrypted HTTPS Remote SNMP Management You can also remotely configure the switch using a Simple Network Management Protocol SNMP application such as AT View This management method requires an understanding of management information base MIB objects The AT S63 Management Software supports the following MIBs SNM...

Page 45: ...er as the login name The default password is friend The username for operator is operator and the default password is also operator The usernames and passwords are case sensitive There can be up to three active manager sessions at a time on a switch This is set with the SET SYSTEM command in the command line interface The default is just one manager session There can be up to nine operator session...

Page 46: ...features of the switches For instance the ports of a static port trunk on a stand alone switch must be from the same switch while the ports of a static trunk on a stack can be selected from different switches in the same stack For more information on stacking refer to Chapter 2 AT 9400Ts Stacks on page 59 Enhanced Stacking This feature is a management tool that can make it easier for you to config...

Page 47: ...le you need to know if the switch is an AT 9400 Layer 2 Switch which supports only one routing interface or an AT 9400 Basic Layer 3 Switch which supports more than one routing interface If the answer is the latter you also have to consider whether you plan to implement Internet Protocol version 4 packet routing on the switch Furthermore since routing interfaces are assigned to virtual LANs VLANs ...

Page 48: ...400Ts Stacks When the AT 9424Ts AT 9424Ts XP and AT 9448Ts XP Switches are installed as a stack they store their parameter settings in a single boot configuration file on the master switch This one file contains the settings for all of the switches in a stack The default name of this file is STACK CFG The switches do not come with this file but the master switch automatically creates it when you i...

Page 49: ...module establishes a link with an end node A twisted pair port automatically transitions back to the active status when the link is lost on the GBIC or SFP module A twisted pair port and a GBIC or SFP module share the same configuration settings including port settings VLAN assignments access control lists and spanning tree The only exception to shared settings is port speed If you disable Auto Ne...

Page 50: ...Chapter 1 Overview 50 Note These guidelines do not apply to the SFP slots on the AT 9408LC SP Switch and the XFP slots on the AT 9424Ts XP and AT 9448Ts XP Switches ...

Page 51: ... The management software has a new command line interface based on the commands in the AlliedWare Plus operating system found on other Allied Telesis products such as the Layer 3 switches If you are already familiar with the commands in the AlliedWare Plus operating system you may find this new interface more convenient to use than the standard command line Some of the management functions you can...

Page 52: ...and update the switches individually But with the new MODULE parameter you ll be able to update the management software on all the switches in a stack simultaneously Note The new MODULE parameter can only be used on stacks that already have Version 4 0 0 or later To update member switches that have versions earlier than 4 0 0 you have to disconnect them from the stack and update them as stand alon...

Page 53: ...S63 Version 3 2 0 Management Software or to the AT S63 Stack Command Line User s Guide Version 3 2 0 did not include any new features for stand alone AT 9400 Switches Version 3 0 0 Table 21 lists the new features in version 3 0 0 of the AT S63 Management Software Table 21 New Features in AT S63 Version 3 0 0 Feature Change Stacking with the AT StackXG Stacking Module New feature For information re...

Page 54: ...ransport Layer Security PEAP Protected Extensible Authentication Protocol Table 21 New Features in AT S63 Version 3 0 0 Continued Feature Change Table 22 New Features in AT S63 Version 2 1 0 Feature Change Internet Protocol version 4 packet routing Added the following new features Equal Cost Multi path ECMP for supporting multiple routes in the routing table to the same remote destination Variable...

Page 55: ... S63 Version 1 3 0 Feature Change 802 1x Port based Network Access Control Added the following new features Guest VLAN For background information see Guest VLAN on page 396 VLAN Assignment and Secure VLAN for supporting dynamic VLAN assignments from a RADIUS authentication server for supplicant accounts For background information see Supplicant and VLAN Associations on page 394 MAC address based a...

Page 56: ...r displaying and deleting dynamic unicast and multicast MAC addresses Quality of Service Added the following new parameters to QoS flow groups traffic classes and policies ToS parameter for replacing the Type of Service field of IPv4 packets Move ToS to Priority parameter for replacing the value in the 802 1p priority field with the value in the ToS priority field in IPv4 packets Move Priority to ...

Page 57: ...a new parameter to authenticator ports Supplicant Mode for supporting multiple supplicant accounts on an authenticator port For background information see Authenticator Ports with Single and Multiple Supplicants on page 387 Table 25 New Features in AT S63 Version 1 2 0 Continued Feature Change ...

Page 58: ...Chapter 1 Overview 58 ...

Page 59: ... in a Stack on page 64 Management Interfaces on page 64 Management Access Methods on page 64 Enhanced Stacking on page 65 Stack Topology on page 66 Discovery Process on page 68 Master and Member Switches on page 69 Module ID Numbers on page 70 Stack Configuration Files on page 71 MAC Address Tables on page 73 File Systems on page 73 Compact Flash Memory Card Slots on page 73 Stack IP Address on pa...

Page 60: ...Table 26 Support for AT 9400Ts Stacks Switch Supported Layer 2 Models AT 9408LC SP AT 9424T GB AT 9424T SP Basic Layer 3 Models AT 9424T AT 9424T POE AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP AT 9448Ts XP Yes AT 9400Ts Stacks Yes Table 27 Management Interfaces for AT 9400Ts Stacks Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser AT 9400Ts Stacks Yes Yes Yes ...

Page 61: ...y function as a unified Gigabit Ethernet switch rather than as independent units As a stack the switches synchronize their actions so that network operations like spanning tree protocols virtual LANs and static port trunks are able to span across all of their Gigabit Ethernet ports The two principal advantages of AT 9400Ts Stacks are You can configure all of the switches in a stack simultaneously ...

Page 62: ...nt Software Note Version 3 0 0 is only supported on the AT 9424T AT 9424T POE AT 9424Ts AT 9424Ts XP AT 9448T SP and AT 9448Ts XP Basic Layer 3 Switches Do not install it on the AT 9408LC SP AT 9424T GB and AT 9424T SP Layer 2 Switches Supported Models Stacking is only supported on the following AT 9400 Switches AT 9424Ts AT 9424Ts XP AT 9448Ts XP ...

Page 63: ... AT 9400Ts Switch must have the AT StackXG Stacking Module shown in Figure 1 You install the module in the switch s expansion slot on the back panel The installation instructions are provided in the AT 9400Ts Stack Installation Guide Figure 1 AT StackXG Stacking Module 1240 AT LX44CPUCVR AT StackXG Stack Port 1 Stack Port 2 ...

Page 64: ... not have more than four AT 9448Ts XP Switches and should not exceed a total of eight units as shown in this table Management Interfaces The AT S63 Management Software has three management interfaces menus command line commands and web browser windows You can use either the command line commands or the web browser windows to manage a stack The menus are only supported when the switches are used as...

Page 65: ...ions such as static port trunks and port mirrors are able to span all the devices in the stack The switches are managed as a unit The switches in a stack have the same MAC address tables The switches must be installed in the same equipment rack The switches are linked together with the AT StackXG Stacking Module The stacking feature is only supported on the AT 9424Ts AT 9424Ts XP and AT 9448Ts XP ...

Page 66: ... 1 on the stacking module in one switch must be connected to Port 2 on the stacking module in the next switch An example of this topology of a stack of four switches is illustrated in Figure 2 Figure 2 Duplex chain Topology The second topology the duplex ring topology is identical to the daisy chain except that the stacking module in the switch at the top of the stack is connected to the stacking ...

Page 67: ...redundancy by providing a secondary path through the stacking modules This can protect a stack against the failure of a stacking port or cable A disruption in the primary path automatically activates the secondary path 1247 RPS INPUT AT StackXG STACK PORT 1 STACK PORT 2 RPS INPUT AT StackXG STACK PORT 1 STACK PORT 2 RPS INPUT AT StackXG STACK PORT 1 STACK PORT 2 RPS INPUT AT StackXG STACK PORT 1 S...

Page 68: ...like the number of switches in the stack the switch models and the number and complexity of the commands in the active configuration file on the master switch For instance a small stack of two switches might take less than fifteen seconds to complete the discovery process while a stack of eight AT 9424Ts Switches might take several minutes When the discovery process is finished the switches of the...

Page 69: ...odule ID 1 as explained in Module ID Numbers on page 70 This switch maintains the active configuration file which contains the parameter settings for all of the switches in the stack The stack also has a backup master switch This unit which is assigned module ID 2 maintains a copy of the active configuration file and assumes the role of the master switch if the current master switch fails or is re...

Page 70: ... equipment rack After you have assigned the module ID numbers to the switches and begun to configure the parameter settings of a stack you should not alter the number assignments The boot configuration file on the master switch identifies the switches by their module ID numbers and if you change the numbers the master switch could assign the wrong configurations to the switches the next time you r...

Page 71: ... is issued and so is an exact duplicate of the active configuration file on the master switch Under normal operating conditions the backup configuration file remains inactive However if the master switch stops operating or is removed from the stack the switch assigned module ID 2 assumes the role of the master switch during the subsequent discovery process and configures the stack devices with its...

Page 72: ...rt of a stack the switch still uses the STACK CFG file to set its parameter settings If the switch does not have this file it uses the default values for its parameter settings By having two standard configuration files a switch can retain its prior configuration settings when converted from a stand alone configuration to a stack member or vice versa This saves you the trouble of having to reconfi...

Page 73: ...r switch has the same table as all the other switches Viewing the MAC address table of a stack from the command line is a little different because you can select to view the table of a particular member switch rather than the master switch Why would this be useful if the tables in a stack are all the same Delays can occur between when member switches learn new addresses and share them with the oth...

Page 74: ...ove Here are the general steps to assigning an IP address to the stack 1 Create a virtual LAN VLAN on the stack The VLAN must include the port s from where the stack will communicate with the remote servers or the Telnet or web browser clients You can skip this step if you will be using the Default_VLAN for the remote management sessions 2 Add an IPv4 routing interface to the VLAN If the IP addres...

Page 75: ... the management software on an existing stack for versions after Version 3 0 0 you must disconnect the stacking cables and update the switches individually either locally through the Terminal Port on the units or over the network using a TFTP server You reconnect the stacking cables after the management software on all of the switches has been updated Note The switches of a stack must use the same...

Page 76: ...Chapter 2 AT 9400Ts Stacks 76 Section I Basic Operations ...

Page 77: ...tions Supported Platforms on page 78 Overview on page 79 Master and Slave Switches on page 80 Common VLAN on page 81 Master Switch and the Local Interface on page 82 Slave Switches on page 83 Enhanced Stacking Compatibility on page 84 Enhanced Stacking Guidelines on page 85 General Steps on page 86 ...

Page 78: ...hanced Stacking Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 30 Management Interfaces for Enhanced Stacking Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes AT ...

Page 79: ...ment session when you need to manage another switch It should be noted that the individual switches of an enhanced stack continue to function as stand alone switches and as such operate independently of each other They do not form what is commonly referred to as a virtual stack where the switches act as a logical unit Note Starting with version 2 0 0 of the AT S63 Management Software several signi...

Page 80: ...session on a master switch you can redirect the session to any of the other switches The other switches in the stack are known as slave switches They can be managed through the master switch or directly such as from a local management session An enhanced stack can have more than one master switch Multiple master switches can lessen the impact on your network management should you need to remove a ...

Page 81: ...switches and also serves as the path for other management packets Here are several things to keep in mind as you plan the common VLAN of your enhanced stack Any valid VLAN name and VLAN identifier VID can be used for the common VLAN but it should be the same on all the switches in the stack A slave switch of an enhanced stack can be indirectly connected to the master switch through other switches ...

Page 82: ...nts a logical connection to a network or subnet local to the switch for purposes of routing packets To configure an interface you assign it an IP address and subnet mask appropriate to the subnet where it will route packets and add it to the VLAN that contains the subnet For the most part routing interfaces are limited to the IPv4 packet routing feature and are unnecessary beyond that feature Ther...

Page 83: ...use the Default_VLAN VID 1 as the common VLAN A routing interface in the common VLAN is required if you use any other VLAN other than the Default_VLAN as the common VLAN of the switches in the stack The routing interface in the common VLAN on a slave switch does not have to be designated as the local interface The only circumstance in which you might want to designate a local interface on a slave ...

Page 84: ...d to the common VLAN that interconnects the switches of the stack For instructions on how to select the management VLAN on an AT 8400 Series or AT 8500 Series Switch refer to the appropriate user s guide Though the master switch of an enhanced stack can be any switch that supports this feature Allied Telesis recommends choosing the AT 9400 Switch to perform that role To use an AT 8400 Series or AT...

Page 85: ...mon VLAN on the slave switches if you use the Default_VLAN VID 1 as the common VLAN of the switches of a stack However a routing interface is required if you use any other VLAN as the common VLAN However you do not have to designate it as the local interface You can create different stacks by connecting different groups of switches with different common VLANs and subnets An enhanced stack must hav...

Page 86: ...connect the devices using twisted pair or fiber optic ports of the VLAN As mentioned earlier the slaves switches can be connected indirectly through other switches to the master switch so long as there is an uninterrupted path of the common VLAN to the master switch This step is not necessary if you use the Default_VLAN VID 1 as the common VLAN 4 On the master switch assign a routing interface to ...

Page 87: ...c This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch Sections in the chapter include Supported Platforms on page 88 Overview on page 89 Community String Attributes on page 90 Default SNMP Community Strings on page 92 ...

Page 88: ...MPv2c Community Strings Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 32 Management Interfaces for SNMPv1 and SNMPv2c Community Strings Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Sta...

Page 89: ...must do the following Activate SNMP management on the switch The default setting for SNMP management is disabled Load the Allied Telesis MIBs for the switch onto your management workstation containing the SNMP application program The MIBs are available from the Allied Telesis web site at www alliedtelesis com To manage a switch using SNMP you need to know the IP address of the switch or of the mas...

Page 90: ...he community string to use it A closed access status restricts the string to those network managers who work at particular workstations identified by their IP addresses You specify the workstations by assigning the IP addresses of the workstations to the community string A closed community string can have up to eight IP addresses of management workstations If you decide to activate SNMP management...

Page 91: ... which community strings you assign your trap receivers When the switch sends a trap it looks at all the community strings and sends the trap to all trap receivers on all community strings This is true even for community strings that have a access mode of only Read If you are not interested in receiving traps then you do not need to enter any IP addresses of trap receivers ...

Page 92: ...lic and private The public string has an access mode of just Read and the private string has an access mode of Read Write If you activate SNMP management on the switch you should delete or disable the private community string which is a standard community string in the industry or change its status from open to closed to prevent unauthorized changes to the switch ...

Page 93: ...Section I Basic Operations 93 Chapter 5 MAC Address Table This chapter contains background information about the MAC address table This chapter contains the following section Overview on page 94 ...

Page 94: ...een grouped into virtual LANs a switch floods the packet only to those ports that belong to the same VLAN from where the packet originated This prevents packets from being forwarded to inappropriate LAN segments and increases network security When the destination node responds a switch adds its MAC address and port number to its MAC address table If a switch receives a packet with a destination ad...

Page 95: ...inutes The MAC address table can also store static MAC addresses These are addresses of end nodes you enter manually into the MAC address table Static MAC addresses remain in the table indefinitely and are never deleted even when the end nodes are inactive You might need to enter static MAC addresses of end nodes the switch does not learn in its normal dynamic learning process or if you want a MAC...

Page 96: ...Chapter 5 MAC Address Table 96 Section I Basic Operations ...

Page 97: ...tions 97 Chapter 6 Static Port Trunks This chapter describes static port trunks Sections in the chapter include Supported Platforms on page 98 Overview on page 99 Load Distribution Methods on page 100 Guidelines on page 102 ...

Page 98: ...ort Trunks Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 34 Management Interfaces for Static Port Trunks Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes Yes...

Page 99: ... link is shifted to one of the remaining ports in the trunk the bandwidth remains reduced until the lost link is reestablished or another port is manually added to the trunk Network equipment vendors tend to employ different techniques for static trunks on their products Consequently a static trunk on one device might not be compatible with the same feature on a device from a different manufacture...

Page 100: ...t for the packet In cases where you select a load distribution that employs either a source or destination address but not both only the last three bits of the designated address are used in selecting a transmission port in a trunk If you select one of the two load distribution methods that employs both source and destination addresses port selection is achieved through an XOR operation of the las...

Page 101: ...the table above shows that the packet would be transmitted from port 9 Port trunk mappings on the AT 9400 Switch can consist of up to eight ports This corresponds to the maximum number of ports allowed in a static trunk and the maximum number of active ports in an LACP trunk Inactive ports in an LACP trunk are not applied to the mappings until they transition to the active status You can assign di...

Page 102: ... examine the speed duplex mode flow control and back pressure settings of the lowest number port to be in the trunk Verify that its settings are correct for the device to which the trunk will be connected When you create a static port trunk the management software copies the current settings of the lowest numbered port in the trunk to the other ports because all ports in a static trunk must have t...

Page 103: ...regation Control Protocol LACP port trunks Sections in the chapter include Supported Platforms on page 104 Overview on page 105 LACP System Priority on page 106 Adminkey Parameter on page 107 LACP Port Priority Value on page 107 Load Distribution Methods on page 108 Guidelines on page 109 ...

Page 104: ... Port Trunks Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 36 Management Interfaces for LACP Port Trunks Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes AT ...

Page 105: ...ch is using ports 11 to 18 as the active ports and ports 19 and 20 as reserve If an active port loses its link the switch automatically activates one of the reserve ports to maintain maximum bandwidth of the trunk The main component of an LACP trunk is an aggregator An aggregator is a group of ports on the switch The ports in an aggregator are further grouped into a trunk referred to as an aggrega...

Page 106: ...ACP priority value the settings on the switch with the lowest MAC address take precedence This parameter can prove useful when connecting an aggregate trunk between the AT 9400 Switch and another 802 3ad compliant device that does not have the same LACP trunking capabilities If the other device s capability is less than that of the AT 9400 Switch you should give that device the higher priority so ...

Page 107: ...iorities lowest priority values are designated as the active ports and the others are placed in the standby mode If an active link goes down on a active port the standby port with the next highest priority is automatically activated to take its place The selection of the active links in an aggregate trunk is dynamic and will change as links are added removed lost or reestablished For example if an...

Page 108: ...ibutes the traffic across the active ports of an aggregate trunk The method is assigned to an aggregator and applies to all aggregate trunks within it If you want to assign different load distribution methods to different aggregate trunks you must create a separate aggregator for each trunk For further information refer to Load Distribution Methods on page 100 ...

Page 109: ...ator and a static trunk at the same time The ports of an aggregate trunk must be untagged members of the same VLAN 10 100 1000Base TX twisted pair ports must be set to Auto Negotiation or 100 Mbps full duplex mode LACP trunking is not supported in half duplex mode 100Base FX fiber optic ports must be set to full duplex mode You can create an aggregate trunk of transceivers with 1000Base X fiber op...

Page 110: ...or to creating an aggregate trunk between an Allied Telesis device and another vendor s device refer to the vendor s documentation to determine the maximum number of active ports the device can support in a trunk If the number is less than eight the maximum number for the AT 9400 Switch you should probably assign it a higher system LACP priority than the AT 9400 Switch If it is more than eight ass...

Page 111: ...ction I Basic Operations 111 Chapter 8 Port Mirror This chapter explains the port mirror feature Sections in the chapter include Supported Platforms on page 112 Overview on page 113 Guidelines on page 113 ...

Page 112: ...irror Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 38 Management Interfaces for the Port Mirror Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes Yes AT 9400...

Page 113: ... creating a port mirror A standalone switch can have only one destination port An AT 9400Ts Stack can have only one destination port You can mirror more than one source port at a time However the destination port may have to discard packets if the source ports are very active The source and destination ports for a port mirror on a stand alone switch must be located on the same switch The destinati...

Page 114: ...Chapter 8 Port Mirror 114 Section I Basic Operations ...

Page 115: ...System on page 117 Chapter 10 Event Logs and the Syslog Client on page 121 Chapter 11 Classifiers on page 125 Chapter 12 Access Control Lists on page 135 Chapter 13 Class of Service on page 147 Chapter 14 Quality of Service on page 155 Chapter 15 Denial of Service Defenses on page 177 Chapter 16 Power Over Ethernet on page 189 ...

Page 116: ...116 Section II Advanced Operations ...

Page 117: ...ations 117 Chapter 9 File System The chapter explains the switch s file system and contains the following sections Overview on page 118 File Naming Conventions on page 119 Using Wildcards to Specify Groups of Files on page 120 ...

Page 118: ...uration files refer to Configuration Files on page 48 and Stack Configuration Files on page 71 Public encryption keys public certificates and certificate enrollment request files are related to the Secure Sockets Layer SSL certificates feature described in Chapter 35 Encryption Keys on page 411 and Chapter 36 PKI Certificates and SSL on page 421 Refer to those chapters for background information o...

Page 119: ...nsion of three characters in length preceded by a period The extension is used by the switch to determine the file type The following is an example of a valid file name for a boot configuration file standardconfig cfg The following is an example of an invalid file name for a file stored in flash memory sys head_o cfg The backslash character is not a valid character for files stored in flash memory...

Page 120: ...dcards to Specify Groups of Files You can use the asterisk character as a wildcard character in some fields to identify groups of files In addition a wildcard can be combined with other characters The following are examples of valid wildcard expressions cfg key 28 cfg ...

Page 121: ...hapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server Sections in the chapter include Supported Platforms on page 122 Overview on page 123 Event Messages on page 123 Syslog Client on page 124 ...

Page 122: ... Event Logs and the Syslog Client Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 41 Management Interfaces for the Event Logs and the Syslog Client Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web B...

Page 123: ... help identify and solve system problems Event Messages Event messages include the following information The time and date of the event The severity of the event The management module that generated the event An event description The switch has two event logs for storing the event messages One log is located in temporary memory and has a storage capacity of up to 4 000 entries The events in this l...

Page 124: ...63 initialization are entered into the logs only if you enable the event log feature The default setting for the event log feature is enabled Observe the following guidelines when using this feature You can define up to 19 log output definitions The event logs on the switch must be activated in order for the switch to send events to a syslog server There must be a routing interface on a local subn...

Page 125: ...Classifiers This chapter explains classifiers for access control lists and Quality of Service policies The sections in this chapter include Supported Platforms on page 126 Overview on page 127 Classifier Criteria on page 129 Guidelines on page 134 ...

Page 126: ...ssifiers Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 43 Management Interfaces for Classifiers Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes Yes AT 9400T...

Page 127: ...t you will never use a classifier by itself There are two AT S63 features that use classifiers They are Access control lists ACL Quality of Service QoS policies As explained in Chapter 12 Access Control Lists on page 135 an ACL filters ingress packets on a port by controlling which packets a port will accept and reject You can use this feature to improve the security of your network or enhance net...

Page 128: ...the QoS policy as explained in Chapter 14 Quality of Service on page 155 In summary a classifier is a list of variables that define a traffic flow You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control ...

Page 129: ...a classifier that filters packets based on Ethernet frame type and whether a packet is tagged or untagged within a frame type A tagged Ethernet frame contains within it a field that specifies the ID number of the VLAN to which the frame belongs Untagged packets lack this field Options are Ethernet II tagged packets Ethernet II untagged packets Ethernet 802 2 tagged packets Ethernet 802 2 untagged ...

Page 130: ... A tagged Ethernet frame also contains within it a field of 12 bits that specifies the ID number of the VLAN to which the frame belongs The field illustrated in Figure 5 can be used to identify a traffic flow A classifier can contain only one VLAN ID To create a port ACL or QoS policy that applies to several different VLAN IDs multiple classifiers are required Protocol Layer 2 Traffic flows can be...

Page 131: ...lue is 0 to 7 The location of the field is shown in Figure 6 Figure 6 ToS field in an IP Header Observe these guidelines when using this criterion The Protocol variable must be left blank or set to IP You cannot specify both an IP ToS value and an IP DSCP value in the same classifier IP DSCP DiffServ Code Point ToS Layer 3 The Differentiated Services Code Point DSCP tag indicates the class of serv...

Page 132: ...ed to enter a source IP mask if you are filtering on the IP address of a specific end node A mask is required however when you filter on a subnet A binary 1 indicates the switch should filter on the corresponding bit of the IP address while a 0 indicates that it should not For example the subnet address 149 11 11 0 would have the mask 255 255 255 0 Observe this guideline when using these criteria ...

Page 133: ...urce Ports Layer 4 UDP Destination Ports Layer 4 A traffic flow can be identified by a source and or destination UDP port number contained within the header of an IP frame Observe the following guidelines when using these criteria The Protocol variable must be left blank or set to IP The IP Protocol variable must be left blank or set to UDP A classifier cannot contain criteria for both TCP and UDP...

Page 134: ...oS policy A classifier without any defined variables applies to all packets You cannot create two classifiers that have the same settings There can be only one classifier for any given type of traffic flow A classifier can have a maximum of eight defined criteria not including the classifier ID number and the description The switch can store up to 256 classifiers However the maximum number of clas...

Page 135: ...s chapter describes access control lists ACL and how they can improve network security and performance This chapter contains the following sections Supported Platforms on page 136 Overview on page 137 Parts of an ACL on page 139 Guidelines on page 140 Examples on page 141 ...

Page 136: ...ccess Control Lists Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 45 Management Interfaces for the Access Control Lists Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch ...

Page 137: ...cified end node destined for another specified node You specify the traffic using different criteria such as source and destination MAC addresses or protocol When you create an ACL you must specify the classifier that defines the traffic flow to permit or deny on a port There are two kinds of ACLs based on the two actions that an ACL can perform One is called a permit ACL Packets that meet the cri...

Page 138: ...Chapter 12 Access Control Lists 138 Section II Advanced Operations 4 Finally if a packet does not meet the criteria of any ACLs on a port it is accepted by the port ...

Page 139: ... for you to identify it Action The action of an ACL can be permit or deny Ingress traffic that meets the criteria of an ACL with the permit action is accepted by a port Ingress traffic that meets the criteria of an ACL with the deny action is discarded by a port unless the traffic also meets the criteria of a permit ACL on the same port in which case it is accepted Classifiers An ACL must have at ...

Page 140: ... ACL can be either permit or deny A permit ACL overrides a deny ACL on the same port when the ACLs define the same traffic The order in which the ACLs are added to a port is not important since the packets are compared against all of a port s ACLs Since classifiers cannot be assigned more than once to a port ACLs that have the same classifier cannot be assigned to the same port An ACL and a Qualit...

Page 141: ... from that subnet Since this is the only ACL on the port all other traffic is accepted As explained earlier a port automatically accepts all packets that do not meet the criteria of the classifiers assigned to its ACLs Figure 7 ACL Example 1 Create Access Control Lists ACL 1 ACL ID 4 2 Description 149 11 11 deny 3 Action Deny 4 Classifier List 22 5 Port List 4 Create Classifier 01 Classifier ID 22...

Page 142: ...same ACL Figure 8 ACL Example 2 Create Access Control Lists ACL 1 ACL ID 4 2 Description Subnets deny 3 Action Deny 4 Classifier List 22 24 62 5 Port List 4 Create Classifier 01 Classifier ID 24 02 Description 149 22 22 flow 12 Src IP Addr 149 22 22 0 13 Src IP Mask 255 255 255 0 Create Classifier 01 Classifier ID 22 02 Description 149 11 11 flow 12 Src IP Addr 149 11 11 0 13 Src IP Mask 255 255 2...

Page 143: ...rol Lists ACL 1 ACL ID 4 2 Description 149 11 11 deny 3 Action Deny 4 Classifier List 22 5 Port List 4 Create Access Control Lists ACL 1 ACL ID 23 2 Description 149 33 33 deny 3 Action Deny 4 Classifier List 62 5 Port List 4 Create Classifier 01 Classifier ID 24 02 Description 149 22 22 flow 12 Src IP Addr 149 22 22 0 13 Src IP Mask 255 255 255 0 Create Classifier 01 Classifier ID 22 02 Descriptio...

Page 144: ... or destination IP address for a specific end node If you wanted to include it it would be 255 255 255 255 Figure 11 ACL Example 5 Create Access Control Lists ACL 1 ACL ID 21 2 Description 149 44 44 permit 3 Action Permit 4 Classifier List 11 5 Port List 14 15 Create Classifier 01 Classifier ID 11 02 Description 149 44 44 flow 12 Src IP Addr 149 44 44 0 13 Src IP Mask 255 255 255 0 Create Access C...

Page 145: ...CL 1 ACL ID 4 2 Description ToS 6 traffic permit 3 Action Permit 4 Classifier List 6 5 Port List 17 Create Classifier 01 Classifier ID 6 02 Description ToS 6 subnet flow 09 IP ToS 6 12 Src IP Addr 149 22 11 0 13 Src IP Mask 255 255 255 0 14 Dst IP Addr 149 22 22 22 15 Dst IP Mask Create Access Control Lists ACL 1 ACL ID 23 2 Description All IP flow deny 3 Action Deny 4 Classifier List 8 67 5 Port ...

Page 146: ...Chapter 12 Access Control Lists 146 Section II Advanced Operations ...

Page 147: ...dvanced Operations 147 Chapter 13 Class of Service This chapter describes the Class of Service CoS feature Sections in the chapter include Supported Platforms on page 148 Overview on page 149 Scheduling on page 152 ...

Page 148: ...lass of Service Feature Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 47 Management Interfaces for the Class of Service Feature Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone...

Page 149: ...pal types of traffic found on the ports of a Gigabit Ethernet switch one being untagged packets and the other tagged packets As explained in Tagged VLAN Overview on page 279 one of the principal differences between them is that tagged packets contain VLAN information CoS applies mainly to tagged packets because in addition to carrying VLAN information these packets can also contain a priority leve...

Page 150: ...desirable This mapping also makes it possible to give some traffic a lower priority than the default traffic You can change these mappings For example you might decide that packets with a priority of 5 should be handled by egress queue Q3 and packets with a priority of 2 should be handled in Q1 The result is shown in Table 49 Table 48 Default Mappings of IEEE 802 1p Priority Levels to Priority Que...

Page 151: ... packets themselves CoS relates primarily to tagged packets rather than untagged packets because untagged packets do not contain a priority level By default all untagged packets are assigned a priority of 0 and are placed in a port s Q1 egress queue But you can override this and instruct a port s untagged frames to be stored in a different priority queue One last thing to note is that CoS does not...

Page 152: ...6 The value to this type of scheduling is that high priority packets are always handled before low priority packets The problem with this method is that some low priority packets might never be transmitted out the port because a port might never get to the low priority queues A port handling a large volume of high priority traffic may be so busy transmitting that traffic that it never has an oppor...

Page 153: ...hat no packets are transmitted from the lower priority queues so long as there are packets in Q7 This allows you to combine the two priority scheduling methods on the same port An example of Q7 with a weight of 0 is shown in Table 51 At these settings a port transmits all of the packets from Q7 until the queue is empty and then transmits a maximum of 15 packets from Q6 8 packets from Q5 and so for...

Page 154: ...Chapter 13 Class of Service 154 Section II Advanced Operations Q6 15 Q7 0 Table 51 Example of a Weight of Zero for Priority Queue 7 Continued Port Egress Queue Maximum Number of Packets ...

Page 155: ... on page 157 Classifiers on page 159 Flow Groups on page 160 Traffic Classes on page 161 Policies on page 162 QoS Policy Guidelines on page 163 Packet Processing on page 164 Bandwidth Allocation on page 164 Packet Prioritization on page 164 Replacing Priorities on page 166 VLAN Tag User Priorities on page 166 DSCP Values on page 166 DiffServ Domains on page 167 Examples on page 169 ...

Page 156: ...lity of Service Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 53 Management Interfaces for Quality of Service Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Ye...

Page 157: ... in Chapter 11 Classifiers on page 125 Acting on these traffic flows Quality of Service is a broadly used term that encompasses as a minimum both Layer 2 and Layer 3 in the OSI model QoS is typically demonstrated by how the switch accomplishes the following Assigns priority to incoming frames if they do not carry priority information Maps prioritized frames to traffic classes or maps frames to tra...

Page 158: ...an apply bandwidth limits and QoS prioritization to traffic classes Create policies and add traffic classes to them Policies are groups of traffic classes A policy defines a complete QoS solution for a port or group of ports Associate policies with ports Note The steps listed above are in a conceptually logical order but the switch cannot check a policy for errors until the policy is attached to a...

Page 159: ...1 Classifiers on page 125 for more information Note that a single classifier should not be used in different flows that will end up through traffic classes assigned to the same policy A classifier should only be used once per policy Traffic is matched in the order of classifiers For example if a flow group has classifiers 1 3 2 and 5 that is the order in which the packets are matched ...

Page 160: ...ple if a traffic class has flow groups 1 3 2 and 5 this is the order in which the packets are matched QoS controls at the flow group level provide a QoS hierarchy Non default flow group settings are always used but if no setting is specified for a flow group the flow group uses the settings for the traffic class to which it belongs For example you can use a traffic class to limit the bandwidth ava...

Page 161: ...ow a QoS solution to be deployed A traffic class can be assigned to only one policy Traffic classes consist of a set of QoS parameters and a group of QoS flow groups Traffic can be prioritized marked IP TOS or DSCP field set and bandwidth limited Traffic is matched in the order of traffic class For example if a policy has traffic classes 1 3 2 and 5 this is the order in which the packets are match...

Page 162: ...never applied to the whole aggregated traffic of a designated egress port but rather to the individual ingress flows destined to the port The effects of this behavior become evident when using the maximum bandwidth feature of QoS Here is an example Suppose you have a policy that assigns 5 Mbps of maximum bandwidth to an egress port Now assume there are 10 ports on the switch where ingress traffic ...

Page 163: ...ffic class A traffic class may have many flow groups A traffic class may only be assigned to one policy A policy may have many traffic classes A policy may be assigned to many ports A port may only have one policy You can create a policy without assigning it to a port but the policy will be inactive A policy must have at least one action defined in the flow group traffic class or the policy itself...

Page 164: ...cedence over lower priority queues When the switch has information about a packet s priority it sends the packet to the appropriate queue You can specify the queue where the switch sends traffic how much precedence each queue has and whether priority remapping is written into the packet s header for the next hop to use Prioritizing packets cannot improve your network s performance when bandwidth i...

Page 165: ... eight CoS queues The switch s default mapping is shown in Table 48 on page 150 Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN tag User Priority of 0 If priority 0 was mapped to CoS queue 0 this default traffic goes to the lowest queue which is probably undesirable This mapping also makes it possible to give so...

Page 166: ...e to configure a DiffServ domain VLAN Tag User Priorities Within a flow group or traffic class the VLAN tag User Priority value of incoming packets can be replaced with the priority specified in the flow group or traffic class Replacement occurs before the packet is queued so this priority also sets the queue priority DSCP Values There are three methods for replacing the DSCP byte of an incoming p...

Page 167: ...e is written into the TOS field of the IP header Routers within the network then use this DSCP value to classify packets and assign QoS appropriately When a packet leaves the DiffServ domain the DSCP value can be replaced with a value appropriate for the next DiffServ domain A simple example of this process is shown in Figure 13 for limiting the amount of bandwidth used by traffic from a particula...

Page 168: ...lasses on the edge switches Assign the classifiers to flow groups and the flow groups to traffic classes with a different traffic class for each DiffServ code point grouping within the DiffServ domain Give each traffic class the priority and or bandwidth limiting controls that are required for that type of packet within this part of the domain These QoS controls need not be the same for each switc...

Page 169: ... latency interpacket delay and jitter delivery delay Voice applications can be set up to have the highest priority This example creates two policies that ensure low latency for all traffic sent by and destined to a voice application located on a node with the IP address 149 44 44 44 The policies raise the priority level of the packets to 7 the highest level Policy 6 is for traffic from the applica...

Page 170: ...e switch To change the packets priority level so that they leave with the new level you would change option 5 Remark Priority to Yes Create Classifier 01 Classifier ID 22 02 Description VoIP flow 12 Src IP Addr 149 44 44 44 13 Src IP Mask Create Flow Group 1 Flow Group ID 14 2 Description VoIP 3 DSCP Value 4 Priority 7 5 Remark Priority No 9 Classifier List 22 Create Traffic Class 01 Traffic Class...

Page 171: ...to the application will be received Video Applications Video applications typically require a larger bandwidth than voice applications Video applications can be set up to have a high priority and buffering depending on the application This example creates policies with low latency and jitter for video streams for example net conference calls The policies in Figure 15 assign the packets a priority ...

Page 172: ...vant only while the packets traverse the switch To alter the Create Classifier 01 Classifier ID 16 02 Desciption Video flow 12 Src IP Addr 149 44 44 44 13 Src IP Mask Create Flow Group 1 Flow Group ID 41 2 Description Video 3 DSCP Value 4 Priority 4 5 Remark Priority No 9 Classifier List 16 Create Traffic Class 1 Traffic Class ID 19 2 Desciption Video 6 Max Bandwidth 5 E Flow Group List 41 Create ...

Page 173: ...e switch Figure 16 QoS Critical Database Example Create Classifier 01 Classifier ID 42 02 Description Database 12 Src IP Addr 149 44 44 44 13 Src IP Mask Create Flow Group 1 Flow Group ID 36 2 Description Database 3 DSCP Value 4 Priority 5 Remark Priority No 9 Classifier List 42 Create Traffic Class 1 Traffic Class ID 21 2 Description Database 6 Max Bandwidth 50 E Flow Group List 36 Create Policy ...

Page 174: ...g of subnets defined by their destination IP addresses New DSCP values for the traffic flows are established at different levels within the policy Traffic flows 149 11 11 0 and 149 22 22 0 defined by classifiers 1 and 2 are attached to a flow group traffic class and policy that contain new DSCP values Because a setting in a flow group takes precedence over that of a traffic class or policy the val...

Page 175: ...ifier 01 Classifier ID 2 14 Dst IP Addr 149 22 22 0 15 Dst IP Addr 255 255 255 0 Create Classifier 01 Classifier ID 3 14 Dst IP Addr 149 33 33 0 15 Dst IP Mask 255 255 255 0 Create Classifier 01 Classifier ID 4 14 Dst IP Addr 149 44 44 0 15 Dst IP Addr 255 255 255 0 Create Classifier 01 Classifier ID 5 14 Dst IP Addr 149 55 55 0 15 Dst IP Mask 255 255 255 0 Create Classifier 01 Classifier ID 6 14 ...

Page 176: ...Chapter 14 Quality of Service 176 Section II Advanced Operations ...

Page 177: ...rk against denial of service DoS attacks Sections in the chapter include Supported Platforms on page 178 Overview on page 179 SYN Flood Attack on page 180 Smurf Attack on page 181 Land Attack on page 182 Teardrop Attack on page 184 Ping of Death Attack on page 185 IP Options Attack on page 186 Mirroring Traffic on page 187 Denial of Service Defense Guidelines on page 188 ...

Page 178: ...or the Denial of Service Defenses Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 55 Management Interfaces for the Denial of Service Defenses Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Sta...

Page 179: ...ks SYN Flood Attack Smurf Attack Land Attack Teardrop Attack Ping of Death Attack IP Options Attack The following sections describe each type of attack and the mechanism employed by the AT S63 Management Software to protect your network Note Be sure to read the following descriptions before implementing a DoS defense on a switch Some defense mechanisms are CPU intensive and can impact switch behav...

Page 180: ...attacker sends enough requests in a short enough period the victim may freeze operations when the number of requests exceeds the capacity of its connections queue To defend against this form of attack a switch port monitors the number of ingress TCP connection requests it receives If a port receives more than 60 requests per second the following occurs The switch sends an SNMP trap to the manageme...

Page 181: ...g replies from the other network nodes A switch port defends against this form of attack by examining the destination IP addresses of ingress ICMP Echo Ping request packets and discarding those that contain the network s IP broadcast address as a destination address To implement this defense you must specify an IP address of a node on your network and a mask The switch uses the two to determine th...

Page 182: ...n order for this defense mechanism to work you need to specify an uplink port This is the port on the switch that is connected to a device such as a DSL router that leads outside your network You can specify only one uplink port Note You should not use this defense mechanism on a switch that is not connected to a device that leads outside your network You also need to enter the IP address of one o...

Page 183: ... address that was learned on port 4 it examines the packet s source IP address before forwarding the packet 2 If the source IP address is local to the network uplink port 1 does not forward the packet to port 4 because it assumes that a packet with a source IP address that is local to the network should not be entering the network from outside the network on the uplink port 3 If the source IP addr...

Page 184: ...he switch s CPU The CPU samples related consecutive fragments checking for fragments with invalid offset values If one is found the following occurs The switch sends an SNMP trap to the management stations The switch port is blocked for one minute Because the CPU only samples the ingress IP traffic this defense mechanism may not catch all occurrences of this form of attack Caution This defense is ...

Page 185: ...hat the packet is oversized the following occurs The switch sends an SNMP trap to the management stations The switch port is blocked for one minute Note This defense mechanism requires some involvement by the switch s CPU though not as much as the Teardrop defense This does not impact the forwarding of traffic between the switch ports but it can affect the handling of CPU events such as the proces...

Page 186: ... of ingress IP packets containing IP options received on a port If the number exceeds 20 packets per second the switch considers this a possible IP options attack and the following occurs It sends an SNMP trap to the management stations The switch port is blocked for one minute This defense mechanism does not involve the switch s CPU You can activate it on as many ports as you want without it impa...

Page 187: ...nation port Should a violation occur then all ingress packets on the port where the violation occurred are mirrored As an example activating the mirroring feature in conjunction with the Teardrop defense on a port sends all examined ingress fragmented IP traffic to the destination mirror port If the switch detects a violation all ingress packets on the port are copied to the mirror port during the...

Page 188: ...d Operations Denial of Service Defense Guidelines Below are guidelines to observe when using this feature A switch port can support more than one DoS defense at a time The Teardrop and the Ping of Death defenses are CPU intensive Use these defenses with caution ...

Page 189: ...information on Power over Ethernet PoE for the AT 9424T POE Switch Sections in the chapter include Supported Platforms on page 190 Overview on page 191 Power Budgeting on page 192 Port Prioritization on page 193 PoE Device Classes on page 194 Note This chapter applies only to the AT 9424T POE Switch ...

Page 190: ... 56 Support for the Power Over Ethernet Feature Switch Supported Layer 2 Models AT 9408LC SP AT 9424T GB AT 9424T SP Basic Layer 3 Models AT 9424T AT 9424T POE Yes AT 9424Ts AT 9424Ts XP AT 9448T SP AT 9448Ts XP AT 9400Ts Stack Table 57 Management Interfaces for the Power Over Ethernet Feature Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Y...

Page 191: ... can install PoE compatible devices wherever they are needed without having to worry about whether there are power sources nearby This feature can also add to the reliability of a network Since the switch acts as the central power source for your powered devices adding a redundant power supply RPS or uninterruptible power source UPS to the device increases the protection not just to the switch fro...

Page 192: ...four ports are connected to powered devices that are drawing the maximum of 15 4 W per port Given that the power budget of the switch exceeds the highest possible load it should be possible to connect powered devices to all of the ports without exceeding the power budget However you can disable PoE on a per port basis or reduce the maximum amount of power a port will deliver from the maximum of 15...

Page 193: ...levels Ports assigned to the other priority levels receive power only if all the Critical ports are receiving power Your most critical powered devices should be assigned to this level If there is not enough power to support all the ports set to the Critical priority level power is provided to the ports based on port number in ascending order The High level is the second highest level Ports set to ...

Page 194: ...s of a powered device is set by the manufacturer and it cannot be changed This is mentioned here because you can view the classes of the powered devices through the switch s management software According to the IEEE standard the maximum amount of power a powered device should consume is 12 95 W However the ports on the switch can deliver up to 15 4 W The reason for the difference is because some p...

Page 195: ... information on the snooping protocols The chapters include Chapter 17 Internet Group Management Protocol Snooping on page 197 Chapter 18 Multicast Listener Discovery Snooping on page 201 Chapter 19 Router Redundancy Protocol Snooping on page 205 Chapter 20 Ethernet Protection Switching Ring Snooping on page 209 ...

Page 196: ...196 Section III Snooping Protocols ...

Page 197: ...ocols 197 Chapter 17 Internet Group Management Protocol Snooping This chapter explains the Internet Group Management Protocol IGMP snooping feature in the following sections Supported Platforms on page 198 Overview on page 199 ...

Page 198: ...or Internet Group Management Protocol Snooping Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 59 Management Interfaces for Internet Group Management Protocol Snooping Switch or Stack Standard Command Line AlliedWare Plus Comm...

Page 199: ...router ports where host nodes are located There are three versions of IGMP versions 1 2 and 3 One of the differences between the versions is how a host node signals that it no longer wants to be a member of a multicast group In version 1 it stops sending reports If a router does not receive a report from a host node after a predefined length of time referred to as a time out value it assumes that ...

Page 200: ... it received the packet Such flooding of packets can negatively impact network performance The AT 9400 Switch maintains its list of multicast groups through an adjustable timeout value which controls how frequently it expects to see reports from end nodes that want to remain members of multicast groups and by processing leave requests Note The default setting for IGMP snooping on the switch is dis...

Page 201: ...Section III Snooping Protocols 201 Chapter 18 Multicast Listener Discovery Snooping This chapter explains Multicast Listener Discovery MLD snooping Supported Platforms on page 202 Overview on page 203 ...

Page 202: ...rt for Multicast Listener Discovery Snooping Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 61 Management Interfaces for Multicast Listener Discovery Snooping Switch or Stack Standard Command Line AlliedWare Plus Command Line Men...

Page 203: ...rts where there are host nodes that are members of the multicast groups The difference between the two is that MLD snooping is for IPv6 and IGMP snooping for IPv4 environments For background information on IGMP snooping refer to Overview on page 199 There are two versions of MLD MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3 The AT 9400 Switch supports snooping of both MLDv1 and M...

Page 204: ...Chapter 18 Multicast Listener Discovery Snooping 204 Section III Snooping Protocols ...

Page 205: ...ols 205 Chapter 19 Router Redundancy Protocol Snooping This chapter explains Router Redundancy Protocol RRP snooping and contains the following sections Supported Platforms on page 206 Overview on page 207 Guidelines on page 208 ...

Page 206: ...rt for Router Redundancy Protocol Snooping Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 63 Management Interfaces for Router Redundancy Protocol Snooping Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus W...

Page 207: ...of having to manually reconfigure default gateway addresses on large numbers of network nodes when a router pathway fails RRP snooping on the AT 9400 Switch facilitates the transition to a new master router by minimizing the loss of traffic and so reduces the impact the transition could have on your network traffic RRP snooping monitors ingress RRP packets determined by their source MAC address So...

Page 208: ... setting for this feature is disabled Activating the feature flushes all dynamic MAC addresses from the MAC address table RRP snooping is supported on ports operating in the MAC address based port security level of automatic This feature is not supported on ports operating with a security level of limited secured or locked RRP snooping is supported on port trunks ...

Page 209: ...ooping Protocols 209 Chapter 20 Ethernet Protection Switching Ring Snooping This chapter has the following sections Supported Platforms on page 210 Overview on page 211 Restrictions on page 213 Guidelines on page 215 ...

Page 210: ...64 Support for Ethernet Protection Switching Ring Snooping Switch Supported Layer 2 Models AT 9408LC SP AT 9424T GB AT 9424T SP Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 65 Management Interfaces for Ethernet Protection Switching Ring Snooping Switch or Stack Standard Command Line AlliedWare Plus Command ...

Page 211: ...e ability to function as a transit node of a ring but with restrictions as explained in the next section The switch can forward healthcheck messages over the control VLAN from the master node and respond appropriately when notified of a ring fault by the master node The master node generates a variety of messages over the control VLAN for monitoring the health of the ring and for notifying the nod...

Page 212: ...creating the VLANs you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it receive EPSR messages on one of the two ports of the VLAN ...

Page 213: ...e over the control VLAN of the ring This method of fault detection and notification can be a faster way for the master node to become aware of a problem than with the healthcheck message However since EPSR snooping can not generate the links down message the AT 9400 Switch can not initiate this type of fault notification The final restriction of EPSR snooping concerns how the switch responds in th...

Page 214: ... forward traffic over the data VLANs of the ring until it receives a links up message from the unit on the other side of the repaired break in this case the AT 9400 Switch Since EPSR snooping is not capable of generating EPSR messages the transit node does not receive the anticipated signal and so the data VLANs remain inactive As a result the AT 9400 Switch remains isolated from the ring until th...

Page 215: ...e EPSR snooping is not supported in the Multiple VLAN mode or the 802 1Q compliant Multiple VLAN mode The control VLAN must have exactly two ports The only exception to this rule is if the ports of the control VLAN are part of a static port trunk The ports which must be tagged members of the VLAN are used as the ring s ports of the EPSR instance The ports of the control VLAN and the data VLANs of ...

Page 216: ...Chapter 20 Ethernet Protection Switching Ring Snooping 216 Section III Snooping Protocols ...

Page 217: ...Section IV SNMPv3 217 Section IV SNMPv3 The chapter in this section contains overview information on SNMPv3 The chapter is Chapter 21 SNMPv3 on page 219 ...

Page 218: ...218 Section IV SNMPv3 ...

Page 219: ...following sections are provided Supported Platforms on page 220 Overview on page 221 SNMPv3 Authentication Protocols on page 222 SNMPv3 Privacy Protocol on page 223 SNMPv3 MIB Views on page 224 SNMPv3 Storage Types on page 226 SNMPv3 Message Notification on page 227 SNMPv3 Tables on page 228 SNMPv3 Configuration Example on page 232 ...

Page 220: ...tch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 67 Management Interfaces for the SNMPv3 Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes AT 9400Ts Stack Yes Yes ...

Page 221: ...f data transmitted between two SNMP entities is encrypted In addition you can restrict user privileges by determining the user s view of the Management Information Bases MIB In this way you restrict which MIBs the user can display and modify In addition you can restrict the types of messages or traps the user can send A trap is a type of SNMP message After you have created a user you define SNMPv3...

Page 222: ...ion The keys for both protocols are generated locally using the Engine ID a unique identifier that is assigned to the switch automatically and the user password You modify a key only by modifying the user password In addition you have the option of assigning no user authentication In this case no authentication is performed for this user You may want to make this configuration for someone with sup...

Page 223: ...software In SNMPv3 protocol terminology privacy is equivalent to encryption Currently the DES protocol is the only encryption protocol supported The DES privacy protocol requires the authentication protocol to be configured as either MD5 or SHA If you assign a DES privacy protocol to a user then you are also required to assign a privacy password If you choose to not assign a privacy value then SNM...

Page 224: ...to specify MIBs in the Internet view you can enter the OID format 1 3 6 1 or the text name internet In addition you can define a MIB view that the user can access or a MIB view that the user cannot access When you want to permit a user to access a MIB view you include a particular view When you want to deny a user access to a MIB view you exclude a particular view root ccitt 0 joint iso ccitt 2 st...

Page 225: ...nalogous to the relationship between an IP address and a subnet mask The switch uses the subnet mask to determine which portion of an IP address represents the network address and which portion represents the node address In a similar way the subtree mask further refines the subtree view and enables you to restrict a MIB view to a specific row of the OID MIB table You need a thorough understanding...

Page 226: ...ows you to save the table entry or volatile storage which does not allow you to save an entry If you select the volatile storage type when you power off the switch your SNMPv3 configuration is lost and cannot be recovered At each SNMPv3 menu you are prompted to configure a storage type You do not have to configure the same storage type value for each table entry ...

Page 227: ...h does not expect a response to a Trap message These two message types are defined in the SNMPv3 RFC 2571 6 To determine the destination of the message you configure the IP address of the host This configuration is similar to the SNMPv1 and SNMPv2c configuration The SNMP security information consists of information about the following User View of the MIB Tree Security Level Security Model Authent...

Page 228: ...the Configure SNMPv3 Access Table Finally configure the Configure SNMPv3 SecurityToGroup menu to associate a user to a security group See Figure 20 for an illustration of how the user configuration tables are linked Figure 20 SNMPv3 User Configuration Process In general you focus on configuring security groups and then add and delete users from the groups as needed For example you may want to have...

Page 229: ...et Parameters Table See Figure 21 for an illustration of how the message notification tables are linked Figure 21 SNMPv3 Message Notification Process For a more detailed description of the SNMPv3 Tables see the following subsections SNMPv3 User Table on page 230 SNMPv3 View Table on page 230 SNMPv3 SecurityToGroup Table on page 230 SNMPv3 Notify Table on page 231 SNMPv3 Target Address Table on pag...

Page 230: ... entry which allows you to save this view to flash memory SNMPv3 Access Table The Configure SNMPv3 Access Table menu allows you to configure a security group After you create a security group you assign a set of users with the same access privileges to this group using the SNMPv3 SecurityToGroup Table Consider the types of groups you want to create and the types of access privileges each group wil...

Page 231: ... in an SNMPv3 Target Address Table entry you configure the values of the Tag List parameter with the previously defined Notify Tag parameter values The Notify Tag parameter is configured in the Configure SNMPv3 Notify Table In this way the Notify and Target Address tables are linked Lastly you can configure a storage type for this table entry which allows you to save the entry to flash memory SNMP...

Page 232: ...3 users Managers and Operators In this scenario you would configure one group called Managers with full access privileges Then you would configure a second group called Operators with monitoring privileges only For a detailed example of this configuration see Appendix B SNMPv3 Configuration Examples on page 499 ...

Page 233: ...g Tree Protocols 233 Section V Spanning Tree Protocols The section has the following chapters Chapter 22 Spanning Tree and Rapid Spanning Tree Protocols on page 235 Chapter 23 Multiple Spanning Tree Protocol on page 247 ...

Page 234: ...234 Section V Spanning Tree Protocols ...

Page 235: ...ons in this chapter include Supported Platforms on page 236 Overview on page 237 Bridge Priority and the Root Bridge on page 238 Forwarding Delay and Topology Changes on page 242 Mixed STP and RSTP Networks on page 245 Spanning Tree and VLANs on page 246 Note For detailed information on the Spanning Tree Protocol refer to IEEE Std 802 1D For detailed information on the Rapid Spanning Tree Protocol...

Page 236: ...anning Tree and Rapid Spanning Tree Protocols Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 69 Management Interfaces for the Spanning Tree and Rapid Spanning Tree Protocols Switch or Stack Standard Command Line AlliedWare Pl...

Page 237: ... activating a backup redundant path in case a main link fails Where the two protocols differ is in the time each takes to complete the process referred to as convergence When a change is made to the network topology such as the addition of a new bridge a spanning tree protocol must determine whether there are redundant paths that must be blocked to prevent data loops or activated to maintain commu...

Page 238: ...AC address is designated as the root bridge You can change the bridge priority number in the AT S63 Management Software You can designate which switch on your network you want as the root bridge by giving it the lowest bridge priority number You might also consider which bridge should function as the backup root bridge in the event you need to take the primary root bridge offline and assign that b...

Page 239: ...dge becomes the primary path and all other redundant paths are placed into blocking state Path cost is determined by evaluating port costs Every port on a bridge participating in STP has a cost associated with it The cost of a port on a bridge is typically based on port speed The faster the port the lower the port cost The exception to this is the ports on the root bridge where all ports have a po...

Page 240: ... of the port priority parameter This parameter is used as a tie breaker when two paths have the same cost The range for port priority is 0 to 240 As with bridge priority this range is broken into increments in this case multiples of 16 To select a port priority for a port you enter the increment of the desired value Table 75 lists the values and increments The default value is 128 which is increme...

Page 241: ...res Guide Section V Spanning Tree Protocols 241 Table 75 Port Priority Value Increments Increment Bridge Priority Increment Bridge Priority 0 0 8 128 1 16 9 144 2 32 10 160 3 48 11 176 4 64 12 192 5 80 13 208 6 96 14 224 7 112 15 240 ...

Page 242: ...rameter depends on a number of variables the size of your network is a primary factor For large networks you should specify a value large enough to allow the root bridge sufficient time to propagate a topology change throughout the entire network For small networks you should not specify a value so large that a topology change is unnecessarily delayed which could result in the delay or loss of som...

Page 243: ...mode and is not connected to any further bridges participating in STP or RSTP then the port is an edge port Figure 23 illustrates an edge port on an AT 9400 Switch The port is connected to an Ethernet hub which in turn is connected to a series of Ethernet workstations This is an edge port because it is connected to a device operating at half duplex mode and there are no participating STP or RSTP d...

Page 244: ...work well Edge Port FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L A 1000 LINK ACT SFP SFP 24 SFP 23 8 7 6 5 4 3 2 1 8 7 6 5 4 ...

Page 245: ...perate together to create a single spanning tree domain If you decide to activate spanning tree on the switch there is no reason not to activate RSTP on the AT 9400 Switch even when all other switches are running STP The switch can combine its RSTP with the STP of the other switches The switch monitors the traffic on each port for BPDU packets Ports that receive RSTP BPDU packets operates in RSTP ...

Page 246: ...links the two parts of the Production VLAN is changed to the block state This leaves the two parts of the Production VLAN unable to communicate with each other Figure 25 VLAN Fragmentation You can avoid this problem by not activating spanning tree or by connecting VLANs using tagged instead of untagged ports For information on tagged and untagged ports refer to Chapter 24 Port based and Tagged VLA...

Page 247: ... chapter include Supported Platforms on page 248 Overview on page 249 Multiple Spanning Tree Instance MSTI on page 250 MSTI Guidelines on page 254 VLAN and MSTI Associations on page 255 Ports in Multiple MSTIs on page 256 Multiple Spanning Tree Regions on page 257 Summary of Guidelines on page 261 Associating VLANs to MSTIs on page 263 Connecting VLANs Across Different Regions on page 265 ...

Page 248: ...r the Multiple Spanning Tree Protocol Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 77 Management Interfaces for the Multiple Spanning Tree Protocol Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Br...

Page 249: ...le VLANs simultaneously The drawback to this approach is that the link formed by the tagged ports can create a bottleneck to your Ethernet traffic resulting in reduced network performance Another approach is to use the Multiple Spanning Tree Protocol MSTP This spanning tree shares many of the same characteristics as RSTP in that it features rapid convergence and has many of the same parameters But...

Page 250: ...ter you have selected an MSTI ID you need to define the scope of the MSTI by assigning one or more VLANs to it An instance can contain any number of VLANs but a VLAN can belong to only one MSTI at a time Following are several examples Figure 26 illustrates two AT 9400 Switches each containing the two VLANs Sales and Production The two parts of each VLAN are connected with a direct link using untag...

Page 251: ...14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L A 1000 LINK ACT SFP SFP 24 SFP 23 FAULT RPS MASTER POWER GBIC 23 GBIC 24 CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T GB Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D...

Page 252: ...ERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L A 1000 LINK ACT SFP SFP 24 SFP 23 FAULT RPS MASTER POWER GBIC 23 GBIC 24 CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 ...

Page 253: ...hile the tagged link in MSTI 2 is carrying traffic for the Design and Engineering VLANs FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACT...

Page 254: ...A VLAN can belong to only one MSTI at a time A switch port can belong to more than one spanning tree instance at a time by being an untagged and tagged member of VLANs belonging to different MSTI s This is possible because a port can be in different MSTP states for different MSTI s simultaneously For example a port can be in the MSTP blocking state for one MSTI and the forwarding state for another...

Page 255: ...nd MSTI Associations Part of the task to configuring MSTP involves assigning VLANs to spanning tree instances The mapping of VLANs to MSTIs is called associations A VLAN either port based or tagged can belong to only one instance at a time but an instance can contain any number of VLANs ...

Page 256: ... group is referred to as generic parameters These are set just once on a port and apply to all the MSTI s where the port is a member One of these parameters is the external path cost which sets the operating cost of a port connected to a device outside its region A port even if it belongs to multiple MSTI s can have only one external path cost ANother generic parameter designates a port as an edge...

Page 257: ...eristic of the functions of the nodes and bridges of the region Examples are Sales Region and Engineering Region The revision number is an arbitrary number assigned to a region This number can be used to keep track of the revision level of a region s configuration For example you might use this value to maintain the number of times you revise a particular MSTP region It is not important that you m...

Page 258: ...TATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T GB Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L A 1000 LINK ACT GBIC Configuration Name Marketing Region Revision Level 1 VLAN to MSTI Associations MSTI ID 1 VLAN Sales VID 2...

Page 259: ... priority is used to determine the root bridge for an entire bridged network MSTI priority is used only to determine the regional root for a particular MSTI The range for this parameter is the same as the RSTP bridge priority from 0 to 61 440 in sixteen increments of 4 096 To set the parameter you specify the increment that represents the desired MSTI priority value Table 75 on page 241 lists the ...

Page 260: ...ally belongs solely to CIST even if it was assigned to an MSTI because only CIST is active outside of a region As mentioned earlier every MSTI must have a root bridge referred to as a regional root in order to locate loops that might exist within the instance CIST must also have a regional root However the CIST regional root communicates with the other MSTP regions and single instance spanning tre...

Page 261: ...e for another spanning tree instance A router or Layer 3 network device is required to forward traffic between VLANs A network can contain any number of regions and a region can contain any number of AT 9400 Switches The AT 9400 Switch can belong to only one region at a time A region can contain any number of VLANs All of the bridges in a region must have the same configuration name revision level...

Page 262: ...Protocol 262 Section V Spanning Tree Protocols Note The AT S63 MSTP implementation complies fully with the new IEEE 802 1s standard Any other vendor s fully compliant 802 1s implementation is interoperable with the AT S63 implementation ...

Page 263: ... to stop the loop However within a region MSTI takes precedence over CIST When switch B receives a packet from switch A it uses MSTI not CIST to determine whether a loop exists And because both ports on switch A belong to different MSTIs switch B determines that no loop exists A problem can arise if you assign some VLANs to MSTIs while leaving others just to CIST The problem is illustrated in Figu...

Page 264: ...ction is based on MSTI not CIST FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L A 1000 LINK ACT SFP SFP 24 SFP 23 FAULT RPS MAST...

Page 265: ...side in different spanning tree instances However the switches are part of different regions and MSTIs do not cross regions Consequently the result is that spanning tree would determine that a loop exists between the regions and Switch B would block a port Figure 32 Spanning Regions Example 1 There are several ways to address this issue One is to have only one MSTP region for each subnet in your n...

Page 266: ...ware Engineering Presales Software Engineering Marketing Technical Support Advertising Product Management Technical Support CAD Development Product Management Accounting Project Management Accounting The two regions share three VLANs Technical Support Product Management and Accounting You could group those VLANs into the same MSTI in each region For instance for Region 1 you might group the three ...

Page 267: ...of virtual LANs supported by the AT 9400 Switch The chapters include Chapter 24 Port based and Tagged VLANs on page 269 Chapter 25 GARP VLAN Registration Protocol on page 283 Chapter 26 Multiple VLAN Modes on page 295 Chapter 27 Protected Ports VLANs on page 301 Chapter 28 MAC Address based VLANs on page 307 ...

Page 268: ...268 Section VI Virtual LANs ...

Page 269: ...VLANs This chapter contains overview information about port based and tagged virtual LANs VLANs This chapter contains the following sections Supported Platforms on page 270 Overview on page 271 Port based VLAN Overview on page 273 Tagged VLAN Overview on page 279 ...

Page 270: ...sed and Tagged VLANs Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 79 Management Interfaces for the Port based and Tagged VLANs Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone...

Page 271: ...ce decreases VLANs improve network perform because VLAN traffic stays within the VLAN The nodes of a VLAN receive traffic only from nodes of the same VLAN This reduces the need for nodes to handle traffic not destined for them It also frees up bandwidth within all the logical workgroups In addition because each VLAN constitutes a separate broadcast domain broadcast traffic remains within the VLAN ...

Page 272: ...hips by moving cables from one switch port to another In addition a virtual LAN can span more than one switch This means that the end nodes of a VLAN do not need to be connected to the same switch and so are not restricted to being in the same physical location The AT 9400 Switch supports the following types of VLANs you can create yourself Port based VLANs Tagged VLANs These VLANs are described i...

Page 273: ... is preconfigured with one port based VLAN All ports on the switch are members of this VLAN called the Default_VLAN The parts that make up a port based VLAN are VLAN name VLAN Identifier Untagged ports Port VLAN Identifier VLAN Name To create a port based VLAN you must give it a name The name should reflect the function of the network devices that are be members of the VLAN Examples include Sales ...

Page 274: ...membership is determined by information within the frames themselves rather than by a port s PVID This type of VLAN is explained in Tagged VLAN Overview on page 279 A port on a switch can be an untagged member of only one port based VLAN at a time An untagged port cannot be assigned to two port based VLANs simultaneously Port VLAN Identifier Each port in a port based VLAN must have a port VLAN ide...

Page 275: ...before you can change its untagged VLAN assignment After the VLAN assignment is made the port s role can be changed back again to authenticator or supplicant if desired You cannot delete the Default VLAN from the switch Deleting an untagged port from the Default VLAN without assigning it to another VLAN results in the port being an untagged member of no VLAN Drawbacks of Port based VLANs There are...

Page 276: ... VLAN has a unique VID This number is assigned when you create a VLAN The ports have been assigned PVID values A port s PVID is assigned automatically by the AT S63 Management Software when you create the VLAN The PVID of a port is the same as the VID to which the port is an untagged member WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 Router AT 9424T SP Gigabit Ethernet Switc...

Page 277: ...port based VLANs In this example two VLANs Sales and Engineering span two AT 9400 Switches Gigabit Ethernet switches Figure 34 Port based VLAN Example 2 WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 Router Sales VLAN VID 2 Engineering VLAN VID 3 Production VLAN VID 4 Engineering VLAN VID 3 Sales VLAN VID 2 AT 9424T...

Page 278: ...nected to ports 9 to 13 on the top switch and ports 16 18 to 20 and 22 on the bottom switch Because this VLAN spans multiple switches it needs a direct connection between its various parts to provide a communications path This is provided in the example with a direct connection from port 10 on the top switch to port 19 on the bottom switch This VLAN uses port 12 on the top switch as a connection t...

Page 279: ...nt This is the standard that outlines the requirements and standards for tagging The device must be able to process the tagged information on received frames and add tagged information to transmitted frames The benefit of a tagged VLAN is that the tagged ports can belong to more than one VLAN at one time This can greatly simplify the task of adding shared devices to the network For example a serve...

Page 280: ...s the PVID of a port determines the VLAN where the port is an untagged member Because a tagged port determines VLAN membership by examining the tagged header within the frames that it receives and not the PVID you could conclude that there is no need for a PVID However the PVID is used if a tagged port receives an untagged frame a frame without any tagged information The port forwards the frame ba...

Page 281: ...igure 35 Example of a Tagged VLAN WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 Router Sales VLAN VID 2 Engineering VLAN VID 3 Production VLAN VID 4 Engineering VLAN VID 3 Sales VLAN VID 2 AT 9424T SP Gigabit Ethernet Switch AT 9424T GB Gigabit Ethernet Switch IEEE 802 1Q compliant Server Legacy Server ...

Page 282: ...hese ports have been made tagged members of the Sales and Engineering VLANs so that they can carry traffic from both VLANs simultaneously These ports provide a common connection that enables different parts of the same VLAN to communicate with each other while maintaining data separation between VLANs In comparison the Sales and Engineering VLANs in the Port based Example 2 on page 277 each had to...

Page 283: ...GARP VLAN Registration Protocol GVRP and contains the following sections Supported Platforms on page 284 Overview on page 285 Guidelines on page 288 GVRP and Network Security on page 289 GVRP inactive Intermediate Switches on page 290 Generic Attribute Registration Protocol GARP Overview on page 291 ...

Page 284: ...he GARP VLAN Registration Protocol Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 81 Management Interfaces for the GARP VLAN Registration Protocol Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Brows...

Page 285: ...a member When a switch receives a GVRP PDU on a port it examines the PDU to determine the VIDs of the VLANs on the device that sent it It then does the following If a VLAN does not exist on the switch it creates the VLAN and adds the port as a tagged member to the VLAN A VLAN created by GVRP is called a dynamic GVRP VLAN If the VLAN already exists on the switch but the port is not a member of it t...

Page 286: ...ded to VLANs when they receive not send a PDU 4 Switch 3 receives the PDU on port 4 and after examining it notes that one of the VLANs on switch 2 has the VID 11 which matches the VID of an already existing VLAN on the switch So it does not create the VLAN because it already exists It then determines whether the port that received the PDU in this case port 4 is a member of the VLAN If it is not a ...

Page 287: ... PDU out port 4 to switch 2 6 Switch 2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN There is now a communications path for the end nodes of the Sales VLAN on switches 1 and 3 GVRP created the new GVRP_VLAN_11 dynamic GVRP VLAN with a VID of 11 on switch 2 and added ports 2 and 3 to the VLAN as tagged dynamic GVRP ports ...

Page 288: ... valid link with a switch GVRP will not be aware of a VLAN where there are no active end nodes or if no end nodes have established a link with the switch Resetting a switch erases all dynamic GVRP VLANs and dynamic GVRP port assignments The switch relearns the dynamic assignments as it receives PDUs from the other switches GVRP has three timers that you can set join timer leave timer and leave all...

Page 289: ...would make the switch port a member of the VLANs and that could give the intruder access to restricted areas of your network To protect against this type of network intrusion consider the following Activating GVRP only on those switch ports that are connected to other devices that support GVRP Do not activate GVRP on ports that are connected to GVRP inactive devices Converting all dynamic GVRP VLA...

Page 290: ...that it receives from the GVRP active switches GVRP PDUs are management frames intended for a switch s CPU In all likelihood a GVRP inactive switch will discard the PDUs because it does not recognize them The second issue is that even if the GVRP inactive switch forwards GVRP PDUs it will not create the VLANs at least not automatically Consequently even if the GVRP active switches receive the PDUs...

Page 291: ...ribute represents GARP defines the architecture rules of operation state machines and variables for the registration and deregistration of attribute values By itself GARP is not directly used by devices in a bridged LAN It is the applications of GARP that perform meaningful actions The use of GVRP allows dynamic filter entries for VLAN membership to be distributed among the forwarding databases of...

Page 292: ...tion uses the GID component and the state machines associated with the operation of GID in order to control its protocol interactions An instance of GID consists of the set of state machines that define the current registration and declaration state of all attribute values associated with the GARP participant Separate state machines exist for the applicant and registrar This is shown in Figure 38 ...

Page 293: ...ty messages For the GARP protocol to be resilient against multiple lost messages a LeaveAll message is available Timers are used in the state machines to generate events and control state transitions The job of the applicant is twofold To ensure that this participant s declarations are registered by other participants registrars To ensure that other participants have a chance to redeclare rejoin a...

Page 294: ...ected ring propagate GID Join and Leave requests to notify each other of attribute registrations and deregistrations The operation of GIP allows ports in the switch to share information between themselves and the LANs end stations to which the ports are connected If a port enters the STP Forwarding state and the GARP application that the port belongs to is enabled then the port is added to the GIP...

Page 295: ...N Modes This chapter describes the multiple VLAN modes This chapter contains the following sections Supported Platforms on page 296 Overview on page 297 802 1Q Compliant Multiple VLAN Mode on page 298 Non 802 1Q Compliant Multiple VLAN Mode on page 300 ...

Page 296: ...he Multiple VLAN Modes Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 83 Management Interfaces for the Multiple VLAN Modes Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Ye...

Page 297: ...le VLAN mode Each mode uses a different technique to isolate the ports and their traffic The first method uses VLANs while the second uses port mapping The uplink port is also different in each mode In one the port is a tagged port and in the other untagged This is explained in the following subsections Note The multiple VLAN mode feature is supported only in single switch i e edge switch environm...

Page 298: ...which can be connected to a shared device such as a router for access to a WAN This port is placed as a tagged port in each VLAN Thus while the switch ports are separated from each other in their individual VLANs they all have access to the uplink port The uplink port also has its own VLAN where it is an untagged member This VLAN is called Uplink_VLAN Note In 802 1Q Multiple VLAN mode the device c...

Page 299: ...e meaning that it can handle tagged packets When you select the 802 1Q compliant VLAN mode you are asked to specify the uplink VLAN port You can specify only one uplink port The switch automatically configures the ports into the separate VLANs Note The uplink VLAN is the management VLAN Any remote management of the switch must be made through the uplink VLAN Client_VLAN_10 10 10 22 Client_VLAN_11 ...

Page 300: ... port even when they receive a broadcast packet Another difference with this mode is that the uplink port is untagged Consequently you would use this mode when the device connected to the uplink port is not IEEE 802 1Q compatible meaning that the device cannot handle tagged packets Note When the uplink port receives a packet with a destination MAC address that is not in the MAC address table the p...

Page 301: ... VI Virtual LANs 301 Chapter 27 Protected Ports VLANs This chapter explains protected ports VLANs It contains the following sections Supported Platforms on page 302 Overview on page 303 Guidelines on page 305 ...

Page 302: ... the Protected Ports VLANs Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 86 Management Interfaces for the Protected Ports VLANs Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Swi...

Page 303: ...her groups of the VLAN The ports of a group can share traffic only amongst themselves and with the uplink port but not with ports in other groups of the VLAN A protected ports VLAN can consist of two or more groups and a group can consist of one or more ports The ports of a group can be either tagged or untagged This type of VLAN also shares some common features with tagged VLANs where one or more...

Page 304: ... protected ports VLAN The first table lists the name of the VLAN the VID and the tagged and untagged ports It also indicates which port will function as the uplink port in this case port 22 The second table lists the different groups in the VLAN and the ports for each group Allied Telesis recommends that you create tables similar to these before you create your own protected ports VLAN Having the ...

Page 305: ...ed VLANs Uplink ports can be either tagged or untagged Uplink ports can be shared among more than one protected ports VLAN but only if they are tagged A switch can contain a combination of port based and tagged VLANs and protected ports VLANs A port that is a member of a group in a protected ports VLAN cannot be a member of a port based or tagged VLAN A group can be a member of more than one prote...

Page 306: ...Chapter 27 Protected Ports VLANs 306 Section VI Virtual LANs ...

Page 307: ... information about MAC address based VLANs Sections in the chapter include Supported Platforms on page 308 Overview on page 309 Egress Ports on page 310 VLANs That Span Switches on page 313 VLAN Hierarchy on page 315 Steps to Creating a MAC Address based VLAN on page 316 Guidelines on page 317 ...

Page 308: ...rt for the MAC Address based VLANs Switch Supported Layer 2 Models AT 9408LC SP AT 9424T GB AT 9424T SP Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 88 Management Interfaces for MAC Address based VLANs Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Ye...

Page 309: ...ce MAC addresses have been entered as members of the VLAN can share and access the VLAN resources This is in contrast to a port based or tagged VLAN where any node that has access a switch port can join a VLAN as a member One of the principle advantages of this type of VLAN is that it can make it easier to manage network users that roam These are users who access the network from different points ...

Page 310: ... 6 for the printer Obviously mapping source MAC addresses to egress ports can become cumbersome if you are dealing with a MAC address based VLAN that encompasses a large number of ports and nodes Fortunately the egress ports of a VLAN are considered as a community and as such need only be designated as an egress port of one address in the VLAN to be considered an egress port of all the addresses F...

Page 311: ...tions it can also result in VLAN leakage where the traffic of one VLAN crosses the boundary into other VLANs The problem arises in the case of unknown unicast traffic If the switch receives a packet from a member of a MAC address based VLAN with an unknown destination address it floods the packet on all egress ports of the VLAN If the VLAN contains a port that is also serving as an egress port of ...

Page 312: ...g actions If the packet s destination MAC address is not in the MAC address table the switch floods the packet out all egress ports of the VLAN excluding the port where the packet was received If the packet s destination MAC address is in the MAC address table and if the port where the address was learned is one of the VLAN s egress ports the switch forwards the packet to the port If the packet s ...

Page 313: ...VLAN that spans two AT 9400 Switches The VLAN consists of three nodes on each switch Table 91 on page 314 lists the details of the VLAN on the switches Note that each VLAN contains the complete set of MAC addresses of all VLAN nodes along with the appropriate egress ports on the switches Figure 39 Example of a MAC Address based VLAN Spanning Switches 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14...

Page 314: ...ss based VLAN Spanning Switches Switch A Switch B VLAN Name Sales VLAN Name Sales MAC Address Egress Ports MAC Address Egress Ports Address_1 1 3 4 5 Address_1 11 12 14 16 Address_2 1 Address_2 11 Address_3 1 Address_3 11 Address_4 1 Address_4 11 Address_5 1 Address_5 11 Address_6 1 Address_6 11 ...

Page 315: ...ed VLAN When an untagged packet arrives on a port the switch first compares the source MAC address of the packet against the MAC addresses of all the MAC address based VLANs on the device If there is a match the switch considers the packet as a member of the corresponding MAC address based VLAN and not the port based VLAN and forwards it out the egress ports defined for the corresponding MAC addre...

Page 316: ...ddress based VLAN Here are the three main steps to creating a MAC address based VLAN 1 Assign the VLAN a name and a VID You must also set the VLAN type to MAC Based 2 Assign the MAC addresses to the VLAN 3 Add the egress ports to the MAC addresses The steps must be performed in this order ...

Page 317: ... based VLAN Otherwise VLAN membership is determined by the PVID of the port where the packets are received A port can be an egress port of more than one MAC address based VLAN An egress port cannot be part of a port trunk A MAC address can belong to only one MAC address based VLAN at a time A broadcast packet crosses VLAN boundaries when a port is an egress port of a MAC address based VLAN and an ...

Page 318: ... tagged packets it is not suitable in environments where a network device such as a network server needs to be shared between multiple VLANs Ports 49 and 50 on the AT 9448Ts XP switch cannot be designated as egress ports of a MAC address based VLAN SFP ports 45 to 48 on the AT 9448T SP switch cannot be designated as egress ports of a MAC address based VLAN ...

Page 319: ...uting 319 Section VII Routing This section has the following chapters Chapter 29 Internet Protocol Version 4 Packet Routing on page 321 Chapter 30 BOOTP Relay Agent on page 355 Chapter 31 Virtual Router Redundancy Protocol on page 361 ...

Page 320: ...320 Section VII Internet Protocol Routing ...

Page 321: ...e Names on page 329 Static Routes on page 330 Routing Information Protocol RIP on page 332 Default Routes on page 334 Equal cost Multi path ECMP Routing on page 335 Routing Table on page 337 Route Selection Process on page 338 Address Resolution Protocol ARP Table on page 339 Internet Control Message Protocol ICMP on page 340 Routing Interfaces and Management Features on page 342 Local Interface o...

Page 322: ...ng interface to assign the switches an IP configuration which is required by some management features For further information refer to Routing Interfaces and Management Table 92 Support for IPv4 Packet Routing Switch Supported Layer 2 Models AT 9408LC SP One interface AT 9424T GB One interface AT 9424T SP One interface Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Y...

Page 323: ...9408LC SP AT 9424T GB and AT 9424T SP Switches on page 346 AT 9400Ts Stacks support static routes but not RIP You can use the menus on a stand alone switch to configure the routing interfaces but not static routes or RIP To configure all of the feature s components you must use the command line ...

Page 324: ...hing the destination One method for specifying a route to a remote destination is to enter it manually This type of route is referred to as a static route A static route contains the IP addresses of the remote destination and the next hop You can also create a static route for packets with an unknown destination network or subnet This type of route is referred to as a default route For background ...

Page 325: ...enting the features described in this chapter You can refer there to see how the commands are used in practice The sections are Routing Command Example on page 348 and Non routing Command Example on page 352 In the following discussions unless stated otherwise the term remote destination refers to a network or subnet that is not directly connected to the switch ...

Page 326: ...mote destination is located Interfaces also act as anchor points for RIP You can add RIP to the interfaces so that the switch automatically learns routes to remote destinations by sharing its routing information with the neighboring routers In some limited network topologies you might be able to meet the routing requirements of the IPv4 packets of your network with just routing interfaces This wou...

Page 327: ...m number of interfaces permitted in a VLAN Interfaces in different VLANs on the same switch can have the same interface number but interfaces in the same VLAN must have different numbers For instance if a switch has four local subnets and each is in a different VLAN all of the interfaces could have the same interface number such as 0 However if two or more of the subnets reside in the same VLAN th...

Page 328: ...ple if there are four interfaces and each of their respective subnets resided in a separate VLAN then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server However if the four subnets share the same VLAN only one interface can obtain its IP address from a DHCP or BOOTP server The other three must be configured manually ...

Page 329: ...of an interface name that uses the VLAN name instead of the VID to identify the VLAN The interface is part of the Sales VLAN and has an interface number of 5 Note that a dash separates vlan from the VLAN name vlan Sales 5 The following is an example of a command that uses an interface name The example uses the ADD IP INTERFACE command to create a new interface for a subnet in a VLAN with a VID of ...

Page 330: ...0 interface the switch would automatically add the route to the VLAN4 0 interface A new static route immediately becomes available for all of the interfaces on a switch to use for routing packets to the remote subnet For example referring to the previous example a static route added to the VLAN4 0 interface would be available to all the other interfaces on the same switch The switch can store up t...

Page 331: ...AT S63 Management Software Features Guide Section VII Routing 331 The commands for managing static routes are ADD IP ROUTE DELETE IP ROUTE and SET IP ROUTE ...

Page 332: ...IP does not propagate an inactive route where there are no active ports in the VLAN RIP can be added to a maximum of 100 interfaces on a switch and the route table can store up to 1024 dynamic routes Since the interfaces on a switch can route packets among the local subnets without the presence of RIP or static routes the routing protocol is only necessary if the switch is to learn remote destinat...

Page 333: ...following exceptions Dynamic RIP routes that fall under the split horizon rule Inactive interface routes where there are no active ports in the VLAN Note The AT S63 Management Software does not support the RIP holddown and flush timers The commands for managing RIP are ADD IP RIP DELETE IP RIP and SET IP RIP Note RIP must be configured from the command line interface The menus and web browser inte...

Page 334: ...oute packets whose remote destinations are not in the routing table Rather than discard the packets the switch sends them to the next hop specified in the default route A default route has a destination IP address of 0 0 0 0 and no subnet mask A default route can be enter manually in the form of a static route or learned dynamically through RIP A switch can have multiple default routes ...

Page 335: ...ace changes from up to down in which case its traffic is redirected to one of the remaining routes When there are more than eight routes in the table to the same destination the active routes are selected by preference value metric value and age in that order The routes with the eight lowest preference values are selected as the active routes Where routes have the same preference value selection i...

Page 336: ...e route based on preference value metric value or age to route packets to a remote subnet even when there are multiple routes to the subnet A local subnet or directly connected network of a switch is usually represented just once in the routing table by its routing interface However in some situations a local subnet might have several routes to it if it is also remotely reachable through other rou...

Page 337: ...iscards the packet and sends an ICMP message to that effect back to the source The switch transmits its routing table every thirty seconds from those interfaces that have RIP The RIP timer is not adjustable The switch also transmits its routing table and resets the timer to zero whenever there is a change to the table to ensure that the neighboring routers are immediately informed of updates to th...

Page 338: ...lue If there is more than one route with the lowest preference value select the route with the lowest metric value If there is more than one route with the lowest metric value select the route with the most specific netmask If there is more than one route with the most specific netmask and if Equal Cost Multipath ECMP routing is enabled distribute the packets equally across the routes The default ...

Page 339: ... ARP response from the destination node adds the IP address and MAC address of the node to its ARP table and begins to route packets to the device It should be noted that until it receives a respond to its ARP request the switch discards all routed packets intended to a destination node The switch can also learn addresses when it is the destination of an ARP request from another node such as when ...

Page 340: ...y packet in response to an Echo request Destination unreachable 3 This message is sent out when the switch drops a packet because it did not have a route to the destination Source Quench 4 The switch will send a Source Quench if it must drop a packet due to limited internal resources This could be because the source was sending data too fast to be forwarded Redirect 5 The switch will issue a redir...

Page 341: ...xceeded 11 If the TTL field in a packet falls to zero the switch will send a Time to live exceeded packet This could occur if a route was excessively long or if too many hops were in the path Table 94 ICMP Messages Implemented on the AT 9400 Switch ICMP Packet Type Switch Response ...

Page 342: ...h The switch uses the IP address of the interface as its source address when communicating with a network server Without a routing interface on the subnet the switch will not have a source IP address to include in its packets For example in order to set its date and time using an SNTP server the switch must have a routing interface on the local subnet from where it is reaching the server The serve...

Page 343: ... each of the switches Furthermore the routing interface in the common VLAN on the master switch must be designated as the local interface as described in Local Interface on page 345 There is an important difference between the need for interfaces with enhanced stacking versus network servers as explained in the previous subsection Network servers can be reached by the switch through different inte...

Page 344: ... on the local subnet from where the device is reached In previous versions of the AT S63 Management Software the device to be pinged had to be reached through the management VLAN of the switch This restriction no longer applies A remote device can be pinged from any subnet of the switch that has an interface Accessing DHCP or BOOTP Servers You can use a DHCP or BOOTP server to assign IP addresses ...

Page 345: ...om where the remote management workstation will access the switch The switch uses the local interface to watch for the management packets from the remote workstation and to send packets back to the remote station For example assume you wanted to remotely manage a switch that had four subnets and four interfaces named VLAN4 0 VLAN11 0 VLAN12 0 and VLAN12 1 and the remote workstation was reaching th...

Page 346: ... that it eliminates the need of the switch to issue unnecessary ARP broadcast packets when performing some management functions This can improve the switch s response time as well as reduce the number of broadcast packets on your network There are two types of entries One type is permanent There is only one permanent entry and it is used by the switch for internal diagnostics It can never be remov...

Page 347: ...nt subnet than the local interface and needed the switch to access a RADIUS authentication server also on a different subnet Here you would need to define a default gateway on the switch so that the unit would know the next hop to reaching the remote workstation and the RADIUS server The default gateway is only used for management functions such as communicating with a remote management workstatio...

Page 348: ...on page 352 This example has the following sections Creating the VLANs on page 349 Creating the Routing Interfaces on page 349 Adding a Static Route and Default Route on page 350 Adding RIP on page 351 Selecting the Local Interface on page 351 This example assumes an AT 9448T SP Switch with four local subnets Two subnets will reside in their own VLANs and two will share a VLAN The table below list...

Page 349: ...individual subnets There are four local subnets in the example so there will need to be four interfaces to support routing on all of them The following command creates the routing interface for the Sales subnet The interface name is based on the VID of the VLAN which is 4 and an interface number in this case 0 The interface is assigned the unique IP address 149 35 67 11 and a subnet mask to make i...

Page 350: ...e IP address of the next hop is 149 35 70 26 making it part of the subnet of the VLAN11 1 interface Consequently the static route must be added to that interface though you do not need to specify it in the command Here is the command for adding the static route add ip route 149 35 22 0 nexthop 149 35 70 26 mask 255 255 255 0 A static route becomes active as soon as it is defined and is available t...

Page 351: ...n none You could if you wanted add RIP to the other interfaces But since in our example those interfaces do not have links to other RIP routers they would not learn any routes Selecting the Local Interface This last part of the example designates a local interface This step is necessary on a master switch of an enhanced stack to designate the common VLAN of the switches in the stack This is also n...

Page 352: ...the VLAN is 149 44 55 0 with a subnet mask of 255 255 255 0 The following command assigns an interface to the VLAN It identifies the VLAN by its VID of 12 and assigns it the interface number 0 The interface is given the IP address 149 44 55 22 to make it a member of the subnet add ip interface vlan12 0 ipaddress 149 44 55 22 netmask 255 255 255 0 In order to manage the switch remotely the interfac...

Page 353: ...63 Management Software Features Guide Section VII Routing 353 The following command creates a default route for the example and specifies the next hop as 149 44 55 6 add ip route 0 0 0 0 nexthop 149 44 55 6 ...

Page 354: ...thermore the interface is designated as the local interface of the switch For example a switch with the static IP address 149 55 55 55 subnet mask 255 2552 255 0 and a management VLAN with a VID of 12 will have after the upgrade a routing interface with the name VLAN12 0 and the same static IP address and subnet mask By retaining the IP configuration those management functions e g remote Telnet ma...

Page 355: ...355 Chapter 30 BOOTP Relay Agent This chapter has the following sections Supported Platforms on page 356 Overview on page 357 Guidelines on page 359 ...

Page 356: ...or the BOOTP Relay Agent Switch Supported Layer 2 Models AT 9408LC SP AT 9424T GB AT 9424T SP Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 97 Management Interfaces for the BOOTP Relay Agent Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes AT 940...

Page 357: ...kets between different local subnets on the switch in the IPv4 packet routing feature Each routing interface functions as the BOOTP relay agent for the clients in its subnet forwarding BOOTP requests from the clients and responses from the servers If you will be using the IPv4 packet routing feature on all the local subnets then by default all of the clients will have access to a BOOTP relay agent...

Page 358: ... switch by specifying the IP address of the BOOTP server on your network with the ADD BOOTP RELAY command You can enter up to eight BOOTP or DHCP servers The IP addresses apply to all the routing interfaces on the switch BOOTP requests are forwarded to all the specified servers simultaneously You activate the BOOTP relay agent on the switch with the ENABLE BOOTP RELAY command As soon as the agent ...

Page 359: ...t for the local clients in its subnet You can specify up to eight DHCP or BOOTP servers The TTL for BOOTP request relay packets is preset on the AT 9400 Switch to 4 It cannot be changed Routing interfaces discard BOOTP requests when the TTL is decremented to zero i e after 4 hops Because both BOOTP and DHCP use BOOTP messages the BOOTP relay agents can relay both their packets ...

Page 360: ...Chapter 30 BOOTP Relay Agent 360 Section VII Routing ...

Page 361: ...otocol The chapter has the following sections Supported Platforms on page 362 Overview on page 363 Master Switch on page 364 Backup Switches on page 365 Interface Monitoring on page 366 Port Monitoring on page 367 VRRP on the Switch on page 368 ...

Page 362: ...rt for the Virtual Router Redundancy Protocol Switch Supported Layer 2 Models AT 9408LC SP AT 9424T GB AT 9424T SP Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 99 Management Interfaces for the Virtual Router Redundancy Protocol Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Bro...

Page 363: ...he WAN However if a statically configured first hop switch fails the hosts on the LAN will not be able to communicate with the WAN If there are a large number of hosts it can be time consuming and cumbersome if you have to reconfigure the static routes on all of the affected hosts The Virtual Router Redundancy Protocol provides a solution to the problem It combines two or more physical switches in...

Page 364: ...the participating switches owns the IP address the virtual router has no preferred master When a switch takes the role of master for a virtual router it does the following Responds to ARP packets for the IP addresses associated with the virtual router The ARP response contains the virtual MAC address of the virtual router so that the hosts on the LAN associate the virtual MAC address with their co...

Page 365: ...not received for a given period of time the master down period based on the specified advertisement interval The master down time is approximately three times the advertisement interval Assumes the role of master switch if it receives an advertisement packet from another switch with a lower priority than its own if preempt mode is on When the master switch fails the backup switch assumes control a...

Page 366: ...the priority of the switch when an important interface connection is lost The reduction in priority causes a backup switch with a higher priority to take over as the master switch and restore connectivity If a master switch loses its connection to the outside world the connection to the LAN is not affected Advertisement packets are still sent by the master and received by the backup switches but t...

Page 367: ...of the VLAN s ports that are out of service If the switch is the master and a backup switch has a higher priority the backup switch preempts the master and becomes the new master Note the following about port monitoring You can delete an IP interface if it is a monitored interface because VRRP is only monitoring the state of the interface and does not require that the interface have an IP address ...

Page 368: ...l MAC address with which they associate the configured first hop IP address even though the switch that owns the IP address is not currently available When the preferred switch that owns the IP address becomes available again it resumes the role of master By default when a switch becomes available with a higher priority than the master it takes over as master This is referred to as preempt mode an...

Page 369: ...with the Ethernet interface over which the IP address of the virtual router is operating Such secondary addresses must be added to all the switches in the virtual router The virtual router s primary IP address cannot be deleted To add or remove secondary IP addresses use the ADD VRRP IPADDRESS and DELETE VRRP IPADDRESS commands A monitored interface is one that the virtual router is dependent on f...

Page 370: ...Chapter 31 Virtual Router Redundancy Protocol 370 Section VII Routing ...

Page 371: ...rity The chapters in this section contain overview information on the port security features of the AT 9400 Switch The chapters include Chapter 32 MAC Address based Port Security on page 373 Chapter 33 802 1x Port based Network Access Control on page 379 ...

Page 372: ...372 Section VIII Port Security ...

Page 373: ... Security 373 Chapter 32 MAC Address based Port Security The sections in this chapter include Supported Platforms on page 374 Overview on page 375 Invalid Frames and Intrusion Actions on page 377 Guidelines on page 378 ...

Page 374: ...XFP modules Table 100 Support for MAC Address based Port Security Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 101 Management Interfaces for MAC Address based Port Security Switch or Stack Standard Command Line AlliedWare P...

Page 375: ...mic MAC addresses a port can learn The port forwards only packets of learned source MAC addresses and discards ingress frames with unknown source MAC addresses When the Limited security mode is initially activated on a port all dynamic MAC addresses learned by the port are deleted from the MAC address table The port then begins to learn new addresses up to the maximum allowed After the port has le...

Page 376: ... level you must enter the static MAC addresses of the end nodes that are to forward frames through the port Locked A port set to this security level immediately stops learning new dynamic MAC addresses and forwards frames using the dynamic MAC addresses it has already learned and any static MAC addresses assigned to it Ingress frames with an unknown MAC address are discarded Dynamic MAC addresses ...

Page 377: ...dress Secured Security Level An invalid frame for this security level is an ingress frame with a source MAC address that was not entered as a static address on the port Locked An invalid frame for this security level is an ingress frame with a source MAC address that the port has not already learned or that was not assigned as a static address Intrusion action defines what a port does when it rece...

Page 378: ...t security and 802 1x port based access control on the same port To configure a port as an Authenticator or Supplicant in 802 1x port based access control you must set its MAC address security level to Automatic which is the default setting This type of port security is not supported on optional GBIC SFP or XFP modules All of a port s static MAC addresses are deleted when its security level is cha...

Page 379: ...orted Platforms on page 380 Overview on page 381 Authentication Process on page 383 Port Roles on page 384 Authenticator Ports with Single and Multiple Supplicants on page 387 Supplicant and VLAN Associations on page 394 Guest VLAN on page 396 RADIUS Accounting on page 397 General Steps on page 398 Guidelines on page 399 ...

Page 380: ... Port based Network Access Control Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 103 Management Interfaces for 802 1x Port based Network Access Control Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus...

Page 381: ...y method uses the RADIUS authentication protocol The AT S63 Management Software is shipped with RADIUS client software If you have already read Chapter 38 TACACS and RADIUS Protocols on page 447 then you know that you can use the RADIUS client software on the switch along with a RADIUS server on your network to also create new manager accounts that control who can manage and change the AT S63 para...

Page 382: ...network device that has the RADIUS server software This is the device that does the actual authenticating of the supplicants The AT 9400 Switch does not authenticate any of the supplicants connected to its ports It s function is to act as an intermediary between a supplicant and the authentication server during the authentication process ...

Page 383: ... with an EAPOL Start packet to which the authenticator responds with a EAP Request Identity packet The supplicant responds with an EAP Response Identity packet to the authentication server via the authenticator The authentication server responds with an EAP Request packet to the supplicant via the authenticator The supplicant responds with an EAP Response MD5 packet containing a username and passw...

Page 384: ...ccess control on the port A port in the role of authenticator does not forward network traffic to or from the end node until the client has been authenticated by a RADIUS server Determining whether a switch port should be set to the authenticator role is straightforward You should set a port on a switch to the authenticator role if you want the user of the end node connected to the port to be auth...

Page 385: ...tage to this approach is that the supplicant need not have 802 1x client software The disadvantage is that because the client is not prompted for a username and password combination it does not guard against an unauthorized individual from gaining access to the network through an unattended network node or by counterfeiting a valid network MAC address Operational Settings A port in the authenticat...

Page 386: ...es it must log in by providing a valid user name and password to whatever device it is connected to typically another switch port Figure 40 illustrates the port role Port 11 on switch B has been set to the supplicant role Now whenever switch B is power cycled or reset and initiates a link with switch A it must log on by providing a username and password You enter this information when you configur...

Page 387: ...s on the RADIUS server This is referred to as piggy backing After one client has successfully logged the port permits the other clients to piggy back onto the initial client s log on allowing all clients to forward packets through the port To implement this configuration you have to set the operating mode of an authenticator port to Single and also toggle the piggy back mode feature When piggy bac...

Page 388: ...r port on the AT 9400 Switch is set to Single and the piggy back mode is enabled This allows all clients to forward packets through the port after one client logs on AT 9400 Switch FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 ...

Page 389: ...he port is used for authentication When that client is authenticated all supplicants have access to the port As mentioned earlier should the client who performed the initial log on fail to reauthenticate when necessary or log out the port reverts to the unauthenticated state blocking all traffic to and from all clients Another client must be authenticated in order for all remaining clients to cont...

Page 390: ...he next figure again illustrates two 802 1x compliant switches The primary difference between this and the previous example is that the clients in the previous example did not have to log on to access switch B In this example the clients have to log on to have any access at all to the network AT 9400 Switch A FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10...

Page 391: ... mode because this operating mode does not permit piggy backing AT 9400 Switch A FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L...

Page 392: ...e of the multiple mode in Figure 46 shows two AT 9400 Switches The clients connected to switch B have to log on to port 6 on Switch A when they pass a packet to that switch for the first time There are several items to note when interconnecting two 802 1x compliant devices using the Multiple operating mode of an authenticator port In order for switch B in our example to pass the RADIUS messages to...

Page 393: ...ng Mode Example 2 AT 9400 Switch A FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STATUS TERMINAL PORT 1 3 5 7 9 11 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R AT 9424T SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 10 12 14 16 18 20 22 24R 23 24 L A D C D C L A D C L A 1000 LINK ACT HDX COL FDX 10 100 LINK ACT PORT ACTIVITY L A 1000 LINK ACT SFP SFP 24 SFP 23 RADIUS Auth...

Page 394: ...rements and security levels The problem with a port based VLAN is that VLAN membership is determined by the port on the switch to which the device is connected If a different device that needs to belong to a different VLAN is connected to the port the port must be manually moved to the new VLAN using the management software With 802 1x port based network access control you can link a username and ...

Page 395: ...m the RADIUS server it moves the authenticator port to the designated VLAN and changes the port to the authorized state How the switch handles subsequent authentications on the same port depends on how you set the Secure VLAN parameter Your options are as follows If you activate the Secure VLAN feature only those supplicants with the same VLAN assignment as the initial supplicant are authenticated...

Page 396: ...the port is not required to log on and has full access to the resources of the Guest VLAN If the switch receives 802 1x packets on the port signalling that a supplicant is logging on it moves the port to its predefined VLAN and places it in the unauthorized state The port remains in the unauthorized state until the log on process between the supplicant and the RADIUS server is completed When the s...

Page 397: ...nds to the RADIUS server for an event includes The port number where an event occurred The date and time when an event occurred The number of packets transmitted and received by a switch port during a supplicant s session This information is sent only when a client logs off You can also configure the accounting feature to send interim updates so you can monitor which clients are still active Here ...

Page 398: ... and Meeting House Aegis client software have been verified as fully compatible with the AT S63 Management Software 802 1x client software is not required when an authenticator port is set to the MAC address based authentication method 3 You must configure and activate the RADIUS client software in the AT S63 Management Software The default setting for the authentication protocol is disabled You w...

Page 399: ...fter the maximum is reached and starts accepting new authentications as supplicants log out or are timed out An 802 1x username and password combination is not tied to the MAC address of an end node This allows end users to use the same username and password when working at different workstations After a client has successfully logged on the MAC address of the end node is added to the switch s MAC...

Page 400: ...cant port you must set its port role to none You can change the port s role back to authenticator or supplicant after you have changed the port s VLAN assignment To use the Guest VLAN feature the designated VLAN must already exist on the switch A Guest VLAN can be either port based or tagged The switch must be running in the user configured VLAN mode to support 802 1x port based network access con...

Page 401: ...AN assignments to supplicant accounts on a RADIUS server The VLAN can be either port based or tagged The VLAN must already exist on the switch A client can have only one VLAN associated with it on the RADIUS server When a supplicant logs on the switch port is moved as an untagged port to the designated VLAN ...

Page 402: ...Chapter 33 802 1x Port based Network Access Control 402 Section VIII Port Security ...

Page 403: ...urity features of the AT 9400 Switch The chapters include Chapter 34 Web Server on page 405 Chapter 35 Encryption Keys on page 411 Chapter 36 PKI Certificates and SSL on page 421 Chapter 37 Secure Shell SSH on page 437 Chapter 38 TACACS and RADIUS Protocols on page 447 Chapter 39 Management Access Control List on page 455 ...

Page 404: ...404 Section IX Management Security ...

Page 405: ...nt Security 405 Chapter 34 Web Server The sections in this chapter are Supported Platforms on page 406 Overview on page 407 Configuring the Web Server for HTTP on page 408 Configuring the Web Server for HTTPS on page 409 ...

Page 406: ...e Web Server Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 105 Management Interfaces for the Web Server Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes AT 9...

Page 407: ...session conducted in the HTTPS mode is secure because the load in the management packets is encrypted with the Secure Sockets Layer SSL protocol This mode requires an encryption key pair and a certificate For background information refer to Chapter 35 Encryption Keys on page 411 and Chapter 36 PKI Certificates and SSL on page 421 The default setting for the web server is disabled with the non secu...

Page 408: ...r for non secure HTTP operation The steps reference only the command line commands but the web server can be configured from the menus interface too 1 Disable the web server with the DISABLE HTTP SERVER command 2 Activate HTTP in the web server with the SET HTTP SERVER command 3 Enable the web server with the ENABLE HTTP SERVER command ...

Page 409: ... certificate to the certificate database with the ADD PKI CERTIFICATE command 5 Disable the web server with the DISABLE HTTP SERVER command 6 Activate HTTPS in the web server with the SET HTTP SERVER command 7 Enable the web server with the ENABLE HTTP SERVER command For an example of this command sequence refer to the SET HTTP SERVER command in the AT S63 Management Software Command Line Interfac...

Page 410: ... certificates to the certificate database with the ADD PKI CERTIFICATE command 8 Disable the web server with the DISABLE HTTP SERVER command 9 Activate HTTPS in the web server with the SET HTTP SERVER command 10 Enable the web server with the ENABLE HTTP SERVER command For an example of this command sequence refer to the SET HTTP SERVER command in the AT S63 Management Software Command Line Interf...

Page 411: ...pported Platforms on page 412 Overview on page 413 Encryption Key Length on page 414 Encryption Key Guidelines on page 415 Technical Overview on page 416 For an overview of the procedures to configuring the switch s web server for encryption refer to Configuring the Web Server for HTTPS on page 409 ...

Page 412: ...T 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 107 Management Interfaces for Encryption Keys Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes Yes1 AT 9400Ts Stack Yes Yes 1 You can view the encryption keys on...

Page 413: ...session are able to decode each other s packets A fundamental part of encryption is the encryption key The key converts plaintext into encrypted text and back again A key consists of two separate keys a private key and a public key Together they create a key pair The AT S63 Management Software supports encryption for remote web browser management sessions using the Secure Sockets Layer SSL protoco...

Page 414: ...tions Creating a key is a very CPU intensive operation for the switch Although the switch does not stop forwarding packets between the ports the process can impact the CPU s handling of network events such as the processing of spanning tree BPDU packets which can result in unexpected and unwanted switch behavior A key with the default length should take the switch less than a minute to create Long...

Page 415: ...ts apart The recommended size for the server key is 768 bits and the recommended size for the host key is 1024 bits The AT 9400 Switch can only use those key pairs it has generated itself The switch cannot use a key created on another system and imported onto the switch The AT S63 Management Software does not allow you to copy or export a private key from a switch However you can export a public k...

Page 416: ...ryption There are two main classes of encryption algorithm in use symmetrical encryption and asymmetrical encryption Symmetrical Encryption Symmetrical encryption refers to algorithms in which a single key is used for both the encryption and decryption processes Anyone who has access to the key used to encrypt the plaintext can decrypt the ciphertext Because the encryption key must be kept secret ...

Page 417: ...optimized to produce very high speed hardware implementations making it ideal for networks where high throughput and low latency are essential Triple DES Encryption Algorithms The Triple DES 3DES encryption algorithm is a simple variant on the DES CBC algorithm The DES function is replaced by three rounds of that function an encryption followed by a decryption followed by an encryption This can be...

Page 418: ...on systems decrypting RSA encrypted messages is almost impossible using current technology The AT S63 Management Software uses the RSA algorithm Asymmetrical encryption algorithms require enormous computational resources making them very slow when compared to symmetrical algorithms For this reason they are normally only used on small blocks of data for example exchanging symmetrical algorithm keys...

Page 419: ...t practical to change the session keys manually Key exchange algorithms enable switches to re generate session keys automatically and on a frequent basis The most important property of any key exchange algorithm is that only the negotiating parties are able to decode or generate the shared secret Because of this requirement public key cryptography plays an important role in key exchange algorithms...

Page 420: ...gorithm depends on these values Public key values less than 768 bits in length are considered to be insecure A Diffie Hellman exchange starts with both parties generating a large random number These values are kept secret while the result of a public key operation on the random number is transmitted to the other party A second public key operation this time using the random number and the exchange...

Page 421: ...icates and SSL The sections in this chapter are Supported Platforms on page 422 Overview on page 423 Types of Certificates on page 423 Distinguished Names on page 425 SSL and Enhanced Stacking on page 427 Guidelines on page 428 Technical Overview on page 429 ...

Page 422: ...r 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 109 Management Interfaces for PKI Certificates and SSL Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes1 AT 9400Ts Stack Yes 1 You can use the web browser interface on a stand alone switch to view the P...

Page 423: ...he public key from the switch when you begin a management session The quickest and easiest way to create a certificate is to have the switch create it This type of certificate is called a self signed certificate If you have a small to medium sized network this will probably be the best approach To review all the steps to configuring the web server for a self signed certificate refer to Configuring...

Page 424: ...The first step to creating a CA certificate is to create a key pair After that you must generate a digital document called an enrollment request and send the document to the CA The document contains the public key and other information that the CA will use to create the certificate Before sending an enrollment request to a CA it is best to first contact the CA to determine what other documents or ...

Page 425: ...all of these parts You can use as many or as few as you want You separate the parts with a comma You can use alphanumeric characters as well as spaces in the name strings You cannot use quotation marks To use the following special characters CR type a before the character Following are a few examples This distinguished name contains only one part the name of the switch cn Production Switch This di...

Page 426: ...ates to what happens when you start a web browser management session with a switch using SSL The web browser on your management station checks to see if the name to whom the certificate was issued matches the name of the web site In the case of the AT 9400 Switch the web site s name is the switch s IP address or domain name or in the case of an enhanced stack the master switch s IP address If the ...

Page 427: ...at consist of enhanced stacking switches where some switches support SSL and others do not there are two approaches you can take One is to create different enhanced stacks for the different switches with one enhanced stack for those switches that support SSL and another for those that do not You create different enhanced stacks by connecting the switches with different common VLANs Another workaro...

Page 428: ...enerated on the switch You can create multiple certificates on a switch but the device uses the certificate whose key pair has been designated as the active key pair for the switch s web server Most web browsers support both unsecured plaintext and secured encrypted operation These modes are referred to as HTTP and HTTPS respectively If you choose to use encryption when you manage a switch the web...

Page 429: ...nsparent to the end user who is accessing a web site with the following exceptions The site s URL changes from HTTP to HTTPS The browser indicates that it is a secured connection by displaying an icon such as a padlock icon By default HTTP and HTTPS use the separate well known ports 80 and 443 respectively Secure connections over the Internet are important when transmitting confidential data such ...

Page 430: ... messages exist they are Handshake Change Cipher Spec Alert Application data HTTP FTP or NNTP As discussed previously the Handshake message initiates the SSL session The Change Cipher Spec message informs the receiving party that all subsequent messages are encrypted using previously negotiated security options The parties use the strongest cryptographic systems that they both support The Alert me...

Page 431: ... for each user one private and one public Material encrypted with a private key can only be decrypted with the corresponding public key and vice versa An individual s private key must be kept secret but the public key may be distributed as widely as desired because it is impossible to calculate the private key from the public key The advantage of public key encryption is that the private key need ...

Page 432: ... should only be used with an SSL enabled HTTP server or where third party trust is not required X 509 Certificates The X 509 specification specifies a format for certificates Almost all certificates use the X 509 version 3 format described in RFC 2459 Internet X 509 Public Key Infrastructure Certificate and CRL Profile This is the format which is supported by the switch An X 509 v3 certificate con...

Page 433: ...ssues updates revokes and otherwise manages public keys and their certificates A CA receives requests for certification validates the requester s identity according to the CA s requirements and issues the certificate signed with one of the CA s keys CAs may also perform the functions of end entities in that they may make use of other CAs certificates for message encryption and verification of digi...

Page 434: ...hain is formed if both CA X and CA Y hold a certificate signed by a root CA Z which the switches have verified out of band Switch X can validate switch Y s certificate and vice versa by following the chain up to CA Z Root CA Certificates A root CA must sign its own certificate The root CA is the most critical link in the certification chain because the validity of all certificates issued by any CA...

Page 435: ... Retrieval and Storage Certificates are stored by CAs in publicly accessible repositories for retrieval by end entities The following repositories used in PKI are commonly accessed via the following protocols Hypertext Transfer Protocol HTTP File Transfer Protocol FTP Before the switch can use a certificate it must be retrieved and manually added to the switch s certificate database which is store...

Page 436: ...Chapter 36 PKI Certificates and SSL 436 Section IX Management Security ...

Page 437: ...ns in this chapter are Supported Platforms on page 438 Overview on page 439 Support for SSH on page 440 SSH Server on page 441 SSH Clients on page 442 SSH and Enhanced Stacking on page 443 SSH Configuration Guidelines on page 445 General Steps to Configuring SSH on page 446 ...

Page 438: ...ure Shell Protocol Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes Table 111 Management Interfaces for the Secure Shell Protocol Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch...

Page 439: ... protected by plaintext usernames and passwords which are vulnerable to wiretapping and password guessing The Secure Shell SSH protocol provides encrypted and strongly authenticated remote login sessions similar to the Telnet and rlogin protocols between a host running a Secure Shell server and a machine with a Secure Shell client The AT S63 Management Software features Secure Shell server softwar...

Page 440: ...andard AES 192 bit AES and 256 bit AES Arcfour RC4 security algorithm is supported Triple DES 3DES encryption for SSH sessions is supported RSA public keys with lengths of 512 to 2048 bits are supported Keys are stored in a format compatible with other Secure Shell implementations and mechanisms are provided to copy keys to and from the switch Compression of SSH traffic The following SSH options a...

Page 441: ...f your switch is in a network that is protected by a firewall you may need to configure the firewall to permit SSH connections The SSH server accepts connections from configured users only Acceptable users are those with a Manager or Operator login as well as users configured with the RADIUS and TACACS protocols You can add delete and modify users with the RADIUS and TACACS feature SSH encryption ...

Page 442: ...lients After you have configured the SSH server you need to install SSH client software on your management workstations The AT S63 Management Software supports both SSH1 and SSH2 clients You can download client software from the Internet Two popular SSH clients are PuTTY and CYGWIN To install SSH client software follow the directions from the vendor ...

Page 443: ... illustrated in Figure 47 The figure shows an SSH management station that is managing a slave switch of an enhanced stack The packets exchanged between the slave switch and the master switch are transmitted in plaintext and those exchanged between the master switch and the SSH management station are encrypted Figure 47 SSH Remote Management of a Slave Switch FAULT RPS MASTER POWER CLASS 1 LASER PR...

Page 444: ...nagement Security Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch you configure SSH only on the master switch of a stack Activating SSH on a slave switch has no affect ...

Page 445: ...s the host key and the other as the server key The two encryption key pairs must be of different lengths of at least one increment 256 bits apart The recommended bit size for a server key is 768 bits The recommended size for the host key is 1024 bits You activate and configure SSH on the master switch of an enhanced stack not on slave switches The AT S63 software uses well known port 22 as the SSH...

Page 446: ...ing the two encryption keys in the server software 3 Install SSH client software on your management station Follow the directions provided with the client software You can download SSH client software from the Internet Two popular SSH clients are PuTTY and CYGWIN 4 Disable the Telnet server Although the switch allows the SSH and Telnet servers to be enabled simultaneously allowing Telnet to be ena...

Page 447: ...ity 447 Chapter 38 TACACS and RADIUS Protocols This chapter describes the two authentication protocols TACACS and RADIUS Sections in the chapter include Supported Platforms on page 448 Overview on page 449 Guidelines on page 451 ...

Page 448: ...s Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Yes1 1 Stacks do not support the TACACS protocol Table 113 Management Interfaces for the TACACS and RADIUS Protocols Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web Browser Stand alone Switch Yes Yes Yes Yes AT 9400Ts Stack Yes Yes Yes1 1...

Page 449: ... you change a switch s parameter settings while the operator account lets you view the settings but not change them Each account has its own password The manager account has a default password of friend and the operator account has a default password operator For those networks managed by just one or two network managers you might not need any additional accounts However for larger networks that a...

Page 450: ...do after logging in to a switch The AT 9400 Switch supports two management levels Manager and Operator The Manager level lets you view and configure a switch s parameter settings while the Operator level only lets you view the settings You must assign an authorization level to each manager username and password combination on the authentication server The final function of an authentication protoc...

Page 451: ...CS controls this through the sixteen 0 to 15 different levels of the Privilege attribute A privilege level of 0 gives the combination Operator status Any value from 1 to 15 gives the combination Manager status For RADIUS management level is controlled by the Service Type attribute This attribute has 11 different values only two apply to the AT S63 Management Software A value of Administrative for ...

Page 452: ...cket Routing on page 321 Note Prior to version 2 0 0 of the AT S63 Management Software TACACS or RADIUS server had to be a member of the switch s management VLAN This restriction no longer applies The server can be located on any local subnet that has a routing interface By default authentication protocol is disabled in the AT S63 Management Software Before activating it you need the following inf...

Page 453: ...f no authentication server responds or if no servers have been defined the AT S63 Management Software defaults to the standard manager and operator accounts Note For more information on TACACS refer to the RFC 1492 standard For more information on RADIUS refer to the RFC 2865 standard ...

Page 454: ...Chapter 38 TACACS and RADIUS Protocols 454 Section IX Management Security ...

Page 455: ...explains how to restrict Telnet and web browser management access to the switch with the management access control list ACL Sections in this chapter include Supported Platforms on page 456 Overview on page 457 Parts of a Management ACE on page 458 Guidelines on page 459 Examples on page 460 ...

Page 456: ...for the Management Access Control List Switch Supported Layer 2 Models AT 9408LC SP Yes AT 9424T GB Yes AT 9424T SP Yes Basic Layer 3 Models AT 9424T Yes AT 9424T POE Yes AT 9424Ts Yes AT 9424Ts XP Yes AT 9448T SP Yes AT 9448Ts XP Yes AT 9400Ts Stack Table 115 Management Interfaces for the Management Access Control List Switch or Stack Standard Command Line AlliedWare Plus Command Line Menus Web B...

Page 457: ...ns are to have remote management access You can even control which method Telnet or web browser that a remote manager can use For example you can create a management ACL that allows the switch to accept management packets only from the management stations in one subnet or from just one or two specific management stations An access control list ACL is a list of one or more statements that define wh...

Page 458: ... not If you are filtering on a specific IP address use the mask 255 255 255 255 If you are filtering on a subnet the mask would depend on the address For example to allow all management stations in the subnet 149 11 11 0 to manage the switch you would enter the mask 255 255 255 0 Application The application parameter allows you control whether the remote management station can manage the switch us...

Page 459: ...CE is immediately processed by the switch and is not compared against any remaining ACEs in the management ACL The ACEs are performed in the order of their identification number starting with 1 The management ACL does not control local management or remote SSH or SNMP management of a switch Activating this feature without specifying any ACEs prohibits you from managing the switch remotely using a ...

Page 460: ...It also permits the management stations to ping the switch IP Address 149 11 11 0 Mask 255 255 255 0 Application Type All This ACE permits remote web browser management of the switch from the subnet 149 11 11 0 The management workstations can also ping the device However since this ACE does not include Telnet management as an application type that form of management is not permitted IP Address 149...

Page 461: ...9 11 11 11 and all management stations in the subnet 149 22 22 0 ACE 1 IP Address 149 11 11 11 Mask 255 255 255 255 Application Type All ACE 2 IP Address 149 22 22 0 Mask 255 255 255 0 Application Type All This example allows the switch to be pinged but not managed by the management station with the IP address 149 11 11 4 IP Address 149 11 11 4 Mask 255 255 255 255 Application Type Ping ...

Page 462: ...Chapter 39 Management Access Control List 462 Section IX Management Security ...

Page 463: ...Snooping on page 476 Internet Protocol Version 4 Packet Routing on page 477 MAC Address based Port Security on page 478 MAC Address Table on page 479 Management Access Control List on page 480 Manager and Operator Account on page 481 Multicast Listener Discovery Snooping on page 482 Public Key Infrastructure on page 483 Port Settings on page 484 RJ 45 Serial Terminal Port on page 485 Router Redund...

Page 464: ...Appendix A AT S63 Management Software Default Settings 464 Telnet Server on page 495 Virtual Router Redundancy Protocol on page 496 VLANs on page 497 Web Server on page 498 ...

Page 465: ...AT S63 Management Software Features Guide 465 Address Resolution Protocol Cache The following table lists the ARP cache default setting ARP Cache Setting Default ARP Cache Timeout 150 seconds ...

Page 466: ...ttings 466 Boot Configuration File The following table lists the names of the default configuration files Boot Configuration File Default Stand alone Switch boot cfg Stack of AT 9400 Basic Layer 3 Switches and the AT StackXG Stacking Module stack cfg ...

Page 467: ...ment Software Features Guide 467 BOOTP Relay Agent The following table lists the default setting for the BOOTP relay agent BOOTP Relay Agent Setting Default Status Disabled Hop Count1 1 Hop count is not adjustable 4 ...

Page 468: ...ult Settings 468 Class of Service The following table lists the default mappings of IEEE 802 1p priority levels to egress port priority queues IEEE 802 1p Priority Level Port Priority Queue 0 Q1 1 Q0 lowest 2 Q2 3 Q3 4 Q4 5 Q5 6 Q6 7 Q7 highest ...

Page 469: ... the Denial of Service prevention feature Denial of Service Prevention Setting Default IP Address 0 0 0 0 Subnet Mask 0 0 0 0 Uplink Port Highest numbered existing port SYN Flood Defense Disabled Smurf Defense Disabled Land Defense Disabled Teardrop Defense Disabled Ping of Death Defense Disabled IP Options Defense Disabled ...

Page 470: ...1x Port based Network Access Control Settings Default Port Access Control Disabled Authentication Method RADIUS EAP Port Role None RADIUS Accounting Settings Default Status Disabled Port 1813 Type Network Trigger Type Start_Stop Update Status Disabled Update Interval 60 Authenticator Port Setting Default Authentication Mode 802 1x Supplicant Mode Single Port Control Auto Quiet Period 60 seconds TX...

Page 471: ...supplicant port VLAN Assignment Enabled Secure VLAN On Control Direction Both Piggyback Mode Disabled Guest VLAN None Supplicant Port Setting Default Auth Period 30 seconds Held Period 60 seconds Max Start 3 Start Period 30 seconds User Name none User Password none Authenticator Port Setting Default ...

Page 472: ...Appendix A AT S63 Management Software Default Settings 472 Enhanced Stacking The following table lists the enhanced stacking default setting Enhanced Stacking Setting Default Switch State Slave ...

Page 473: ...AT S63 Management Software Features Guide 473 Ethernet Protection Switching Ring EPSR Snooping The following table lists the EPSR default setting EPSR Setting Default EPSR State Disabled ...

Page 474: ...T S63 Management Software Default Settings 474 Event Logs The following table lists the default settings for both the permanent and temporary event logs Event Log Setting Default Status Enabled Full Log Action Wrap ...

Page 475: ...ures Guide 475 GVRP This section provides the default settings for GVRP GVRP Setting Default Status Disabled GIP Status Enabled Join Timer 20 centiseconds Leave Timer 60 centiseconds Leave All Timer 1000 centiseconds Port Mode Normal ...

Page 476: ... following table lists the IGMP Snooping default settings IGMP Snooping Setting Default IGMP Snooping Status Disabled Multicast Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds Maximum IGMP Multicast Groups 64 Multicast Router Ports Mode Auto Detect ...

Page 477: ...te The update and invalid timers are not adjustable The switch does not support the IPv4 routing holddown and flush timers Packet Routing Setting Default Equal Cost Multi path ECMP Enabled Default Route None Update Timer 30 seconds Invalid Timer 180 seconds Split Horizon Enabled Split Horizon with Poison Reverse Disabled Autosummarization of Routes Disabled ...

Page 478: ...78 MAC Address based Port Security The following table lists the MAC address based port security default settings MAC Address based Port Security Setting Default Security Mode Automatic no security Intrusion Action Discard Participating No MAC Limit No Limit ...

Page 479: ...T S63 Management Software Features Guide 479 MAC Address Table The following table lists the default setting for the MAC address table MAC Address Table Setting Default MAC Address Aging Time 300 seconds ...

Page 480: ... AT S63 Management Software Default Settings 480 Management Access Control List The following table lists the default setting for the management access control list Management ACL Setting Default Status Disabled ...

Page 481: ... manager and operator account default settings Note Login names and passwords are case sensitive Manager Account Setting Default Manager Login Name manager Manager Password friend Operator Login Name operator Operator Password operator Console Disconnect Timer Interval 10 minutes Console Startup Mode CLI ...

Page 482: ...y Snooping The following table lists the MLD Snooping default settings MLD Snooping Setting Default MLD Snooping Status Disabled Multicast Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds Maximum MLD Multicast Groups 64 Multicast Router Ports Mode Auto Detect ...

Page 483: ... Infrastructure The following table lists the PKI default settings including the generate enrollment request settings PKI Setting Default Switch Distinguished Name None Maximum Number of Certificates 256 Request Name None Key Pair ID 0 Format PEM Type PKCS10 ...

Page 484: ...tting Default Status Enabled 10 100 1000Base T Speed Auto Negotiation Duplex Mode Auto Negotiation MDI MDI X Auto MDI MDIX Packet Filtering Disabled Packet Rate Limiting Disabled Override Priority No override Head of Line Blocking Threshold 682 cells Back Pressure Disabled Back Pressure Threshold 7 935 cells Flow Control Auto Flow Control Threshold 7 935 cells ...

Page 485: ...erminal Port The following table lists the RJ 45 serial terminal port default settings The baud rate is the only adjustable parameter on the port RJ 45 Serial Terminal Port Setting Default Data Bits 8 Stop Bits 1 Parity None Flow Control None Baud Rate 9600 bps ...

Page 486: ...dix A AT S63 Management Software Default Settings 486 Router Redundancy Protocol Snooping The following table lists the RRP Snooping default setting RRP Snooping Setting Default RRP Snooping Status Disabled ...

Page 487: ...ollowing table lists the TACACS client configuration default settings Server based Authentication Setting Default Server based Authentication Disabled Active Authentication Method TACACS RADIUS Configuration Setting Default Global Encryption Key ATI Global Server Timeout Period 30 seconds RADIUS Server 1 Configuration 0 0 0 0 RADIUS Server 2 Configuration 0 0 0 0 RADIUS Server 3 Configuration 0 0 ...

Page 488: ...lowing table describes the SNMP default settings SNMP Communities Setting Default SNMP Status Disabled Authentication Failure Trap Status Disabled Community Name public Read only Community Name private Read Write Status public Enabled Status private Enabled Open Status public No Open Status private No ...

Page 489: ...ple Network Time Protocol The following table lists the SNTP default settings SNTP Setting Default System Time 00 00 00 on January 1 1980 SNTP Status Disabled SNTP Server 0 0 0 0 UTC Offset 0 Daylight Savings Time DST Enabled Poll Interval 600 seconds ...

Page 490: ...he STP default settings Rapid Spanning Tree Protocol The following table describes the RSTP default settings Spanning Tree Setting Default Spanning Tree Status Disabled Active Protocol Version RSTP STP Setting Default Bridge Priority 32768 Bridge Hello Time 2 Bridge Forwarding 15 Bridge Max Age 20 Port Cost Automatic Update Port Priority 128 RSTP Setting Default Force Version RSTP Bridge Priority ...

Page 491: ...ng Default Status Disabled Force Version MSTP Bridge Hello Time 2 Bridge Forwarding Delay 15 Bridge Max Age 20 Maximum Hops 20 Configuration Name null Revision Level 0 CIST Priority Increment 8 32768 Port Priority Increment 8 128 Port Internal Path Cost Auto Update Port External Path Cost Auto Detect Point to Point Auto Detect Edge Port Yes ...

Page 492: ...e Shell Server The following table lists the SSH default settings The SSH port number is not adjustable SSH Setting Default Status Disabled Host Key ID Not Defined Server Key ID Not Defined Server Key Expiry Time 0 hours Login Timeout 180 seconds SSH Port Number 22 ...

Page 493: ...AT S63 Management Software Features Guide 493 Secure Sockets Layer The following table lists the SSL default settings SSL Setting Default Maximum Number of Sessions 50 Session Cache Timeout 300 seconds ...

Page 494: ...S63 Management Software Default Settings 494 System Name Administrator and Comments Settings The following table describes the IP default settings IP Setting Default System Name None Administrator None Comments None ...

Page 495: ... Features Guide 495 Telnet Server The following table lists the Telnet server default settings The Telnet port number is not adjustable Telnet Server Setting Default Telnet Server Enabled Telnet Port Number 23 NULL Character Off ...

Page 496: ...Appendix A AT S63 Management Software Default Settings 496 Virtual Router Redundancy Protocol The following table lists the VRRP default setting VRRP Setting Default Status Disabled ...

Page 497: ...res Guide 497 VLANs This section provides the VLAN default settings VLAN Setting Default Default VLAN Name Default_VLAN all ports Management VLAN ID 1 Default_VLAN VLAN Mode User Configured Uplink Port None Ingress Filtering Disabled ...

Page 498: ...gement Software Default Settings 498 Web Server The following table lists the web server default settings Web Server Configuration Setting Default Status Enabled Operating Mode HTTP HTTP Port Number 80 HTTPS Port Number 443 ...

Page 499: ...amples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol It includes the following sections SNMPv3 Manager Configuration on page 500 SNMPv3 Operator Configuration on page 501 SNMPv3 Worksheet on page 502 ...

Page 500: ... sample configuration for a Manager with a User Name of systemadmin24 Each table is listed with its parameters Configure SNMPv3 User Table Menu User Name systemadmin24 Authentication Protocol MD5 Privacy Protocol DES Storage Type NonVolatile Configure SNMPv3 View Table Menu View Name internet View Subtree OID internet or 1 3 6 1 Subtree Mask View Type Included Storage Type NonVolatile Configure SN...

Page 501: ...minTag Target Parms Name SNMPmanagerPC Storage Type NonVolatile Configure SNMPv3 Target Parameters Table Target Parameters Name SNMPmanagerPC User Name systemadmin24 Security Model v3 Security Level P Authentication and Privacy Storage Type NonVolatile SNMPv3 Operator Configuration This section provides a sample configuration for an Operator with a User Name of nikoeng73 Because this user will onl...

Page 502: ...tication Read View Name internet Write View Name Notify View Name SNMPv3 Worksheet This section supplies a table that you can use a worksheet when configuring SNMPv3 Each SNMPv3 Table is listed with its associated parameters SNMPv3 Parameters SNMPv3 User Table User Name Authentication Protocol Authentication Password Privacy Protocol Privacy Password Storage Type SNMPv3 View Table Menu View Name V...

Page 503: ...oup Table User Name Security Model Group Name Storage Type SNMPv3 Notify Table Notify Name Notify Tag Notify Type Storage Type SNMPv3 Target Address Table Target Address Name Target IP Address UDP Port Timeout Retries Tag List Target Parms Name Storage Type SNMPv3 Target Parameters Table Target Parameters Name User Security Name SNMPv3 Parameters Continued ...

Page 504: ...Appendix B SNMPv3 Configuration Examples 504 Security Model Security Level Storage Type SNMPv3 Parameters Continued ...

Page 505: ...ge 507 Internet Protocol Version 4 Routing on page 507 MAC Address Table on page 508 Management Access and Security on page 508 Management Access Methods on page 509 Management Interfaces on page 509 Management MIBs on page 509 Port Security on page 510 Port Trunking and Mirroring on page 510 Spanning Tree Protocols on page 510 System Monitoring on page 510 Traffic Control on page 511 Virtual LANs...

Page 506: ...EEE 802 3u Auto Negotiation IEEE 802 3x 10 100 Mbps Flow Control Backpressure IEEE 802 3z 1000 Mbps Flow Control Auto MDI MDIX Head of Line Blocking Eight Egress Queues Per Port Bad cable detection Denial of Service Defenses Smurf SYN Flood Teardrop Land IP Option Ping of Death Ethernet Protection Switching Ring Snooping Ethernet Protection Switching Ring Snooping ...

Page 507: ...torage capacity DHCP and BOOTP Clients RFC 2131 DHCP client RFC 951 1542 BOOTP client Internet Protocol Multicasting RFC 1112 IGMP Snooping Ver 1 0 RFC 2236 IGMP Snooping Ver 2 0 RFC 3376 IGMP Snooping Ver 3 0 RFC 2710 MLD Snooping Ver 1 0 RFC 3810 MLD Snooping Ver 2 0 RFC 3768 RRP Snooping Internet Protocol Version 4 Routing Routing Interfaces Static Routes RFC 1058 RIP version 1 RFC 1723 RIP ver...

Page 508: ... Storage capacity of 16K entries Management Access and Security RFC 1157 SNMPv1 RFC 1901 SNMPv2 RFC 3411 SNMPv3 RFC 1492 TACACS Client RFC 2865 RADIUS Client RFC 2068 HTTP RFC 2616 HTTPS RFC 1866 HTML RFC 854 Telnet Server Secure Sockets Layer SSL RFC 4325 X 509 Public Key Infrastructure PKI Encryption Keys Secure Shell SSH Vers 1 3 1 5 2 0 Management Access Control List RFC 1350 TFTP client RFC 2...

Page 509: ...ent over the network using Telnet SSH web browser and SNMP Management Interfaces Menus Command Line Web Browser SNMP v1 v2 v3 Management MIBs RFC 1213 MIB II RFC 1215 TRAP MIB RFC 1493 Bridge MIB RFC 2863 Interface Group MIB RFC 2933 IGMP RFC 1643 Ethernet like MIB RFC 2674 IEEE 802 1Q MIB RFC 1757 RMON 4 groups Allied Telesis Private MIBs ...

Page 510: ... Accounting MAC Address based security Port Trunking and Mirroring IEEE 802 3ad Link Aggregation Control Protocol LACP Static Port Trunking Port Mirroring Spanning Tree Protocols IEEE 802 1D Spanning Tree Protocol IEEE 802 1w Rapid Spanning Tree Protocol IEEE 802 1s Multiple Spanning Tree Protocol System Monitoring RFC 3195 Syslog Client Temporary Event Log 4 000 events maximum Permanent Event Log...

Page 511: ...2 1q Priority Replacement 802 1q Priority to Type of Service Replacement Maximum Bandwidth Control Burst Size Control Support on Ingress and Egress Ports IEEE 802 1p Class of Service with Strict and Weighted Round Robin Scheduling Port Access Control Lists Ingress and Egress Control of Broadcast Multicast and Unknown Unicast Traffic Ingress Packet Rate Limiting Virtual LANs IEEE 802 1Q Tagged VLAN...

Page 512: ...ess based VLANs Not supported on the AT 9408LC SP AT 9424T GB and AT 9424T SP switches IEEE 802 3ac VLAN Tag Frame Extension IEEE 802 1P GARP VLAN Registration Protocol Virtual Router Redundancy Protocol RFC 3768 Virtual Router Redundancy Protocol ...

Page 513: ...Address Table on page 521 Management Access Control List on page 522 Miscellaneous on page 523 Port Mirroring on page 524 Quality of Service on page 525 Port Configuration and Status on page 527 Spanning Tree on page 528 Static Port Trunk on page 529 VLANs on page 530 The Allied Telesis MIB files for the AT 9400 Switch are atiStackSwitch mib version 2 31 atiStackInfo mib version 1 3 The MIB files ...

Page 514: ...gEntry 1 3 6 1 4 1 207 8 17 9 1 1 atiStkSwACLModuleId 1 3 6 1 4 1 207 8 17 9 1 1 1 atiStkSwACLId 1 3 6 1 4 1 207 8 17 9 1 1 2 atiStkSwACLDescription 1 3 6 1 4 1 207 8 17 9 1 1 3 atiStkSwACLAction 1 3 6 1 4 1 207 8 17 9 1 1 4 atiStkSwACLClassifierList 1 3 6 1 4 1 207 8 17 9 1 1 5 atiStkSwACLPortList 1 3 6 1 4 1 207 8 17 9 1 1 6 atiStkSwACLRowStatus 1 3 6 1 4 1 207 8 17 9 1 1 7 ...

Page 515: ... Table 34 CoS Packet Weights of Egress Queues AtiStackSwitch MIB Object Name OID atiStkSwQoSGroupQueueToWeightTable 1 3 6 1 4 1 207 8 17 7 4 AtiStkSwQoSGroupQueueToWeightEntry 1 3 6 1 4 1 207 8 17 7 4 1 atiStkSwQoSGroupQueue 1 3 6 1 4 1 207 8 17 7 4 1 1 atiStkSwQoSGroupQueueWeight 1 3 6 1 4 1 207 8 17 7 4 1 2 Table 35 CoS Port Settings AtiStackSwitch MIB Object Name OID atiStkSwQoSGroupPortCoSPrio...

Page 516: ... 1 3 6 1 4 1 207 8 17 1 5 1 atiStkSwSysCurrentDate 1 3 6 1 4 1 207 8 17 1 5 2 atiStkSwSysSNTPStatus 1 3 6 1 4 1 207 8 17 1 5 3 atiStkSwSysSNTPServerIPAddress 1 3 6 1 4 1 207 8 17 1 5 4 atiStkSwSysSNTPUTCOffset 1 3 6 1 4 1 207 8 17 1 5 5 atiStkSwSysSNTPDSTStatus 1 3 6 1 4 1 207 8 17 1 5 6 atiStkSwSysSNTPPollingInterval 1 3 6 1 4 1 207 8 17 1 5 7 atiStkSwSysSNTPLastDelta 1 3 6 1 4 1 207 8 17 1 5 8 ...

Page 517: ...Mask 1 3 6 1 4 1 207 8 17 2 6 2 Table 38 Denial of Service Defenses AtiStackSwitch MIB Object Name OID atiStkPortDOSAttackConfigTable 1 3 6 1 4 1 207 8 17 2 6 3 atiStkPortDOSAttackConfigEntry 1 3 6 1 4 1 207 8 17 2 6 3 1 atiStkPortDOSAttackType 1 3 6 1 4 1 207 8 17 2 6 3 1 1 atiStkPortDOSAttackActionStatus 1 3 6 1 4 1 207 8 17 2 6 3 1 2 atiStkPortDOSAttackMirrorPort 1 3 6 1 4 1 207 8 17 2 6 3 1 3 ...

Page 518: ... of an Enhanced Stack AtiStackInfo MIB Object Name OID atiswitchEnhStackTable 1 3 6 1 4 1 207 8 16 1 4 atiswitchEnhStackEntry 1 3 6 1 4 1 207 8 16 1 4 1 atiswitchEnhStackSwId 1 3 6 1 4 1 207 8 16 1 4 1 1 atiswitchEnhStackSwMacAddr 1 3 6 1 4 1 207 8 16 1 4 1 2 atiswitchEnhStackSwName 1 3 6 1 4 1 207 8 16 1 4 1 3 atiswitchEnhStackSwMode 1 3 6 1 4 1 207 8 16 1 4 1 4 atiswitchEnhStackSwSoftwareVersion...

Page 519: ... 17 3 7 1 atiStkSwGVRPPortConfigModuleId 1 3 6 1 4 1 207 8 17 3 7 1 1 atiStkSwGVRPPortConfigPortId 1 3 6 1 4 1 207 8 17 3 7 1 2 atiStkSwGVRPPortConfigStatus 1 3 6 1 4 1 207 8 17 3 7 1 3 Table 43 GVRP Counters AtiStackSwitch MIB Object Name OID atiStkSwGVRPCountersTable 1 3 6 1 4 1 207 8 17 3 8 atiStkSwGVRPCountersEntry 1 3 6 1 4 1 207 8 17 3 8 1 atiStkSwGVRPCountersModuleId 1 3 6 1 4 1 207 8 17 3 ...

Page 520: ...VRPCountersRxMsgLeaveEmpty 1 3 6 1 4 1 207 8 17 3 8 1 16 atiStkSwGVRPCountersRxMsgLeaveIn 1 3 6 1 4 1 207 8 17 3 8 1 17 atiStkSwGVRPCountersRxMsgEmpty 1 3 6 1 4 1 207 8 17 3 8 1 18 atiStkSwGVRPCountersRxMsgBadMsg 1 3 6 1 4 1 207 8 17 3 8 1 19 atiStkSwGVRPCountersRxMsgBadAttribute 1 3 6 1 4 1 207 8 17 3 8 1 20 atiStkSwGVRPCountersTxMsgLeaveAll 1 3 6 1 4 1 207 8 17 3 8 1 21 atiStkSwGVRPCountersTxMsg...

Page 521: ... 3 3 1 4 atiStkSwMacAddrPortId 1 3 6 1 4 1 207 8 17 3 3 1 5 atiStkSwMacAddrPortList 1 3 6 1 4 1 207 8 17 3 3 1 6 Table 45 Static MAC Address Table AtiStackSwitch MIB Object Name OID atiStkSwMacAddrGroup 1 3 6 1 4 1 207 8 17 4 atiStkSwStaticMacAddrEntry 1 3 6 1 4 1 207 8 17 4 1 1 atiStkSwStaticMacAddress 1 3 6 1 4 1 207 8 17 4 1 1 1 atiStkSwStaticMacAddrVlanId 1 3 6 1 4 1 207 8 17 4 1 1 2 atiStkSwS...

Page 522: ... Object Name OID atiStkSwSysMgmtACLConfigTable 1 3 6 1 4 1 207 8 17 1 7 2 atiStkSwSysMgmtACLConfigEntry 1 3 6 1 4 1 207 8 17 1 7 2 1 atiStkSwSysMgmtACLConfigModuleId 1 3 6 1 4 1 207 8 17 1 7 2 1 1 atiStkSwSysMgmtACLConfigId 1 3 6 1 4 1 207 8 17 1 7 2 1 2 atiStkSwSysMgmtACLConfigIpAddr 1 3 6 1 4 1 207 8 17 1 7 2 1 3 atiStkSwSysMgmtACLConfigMask 1 3 6 1 4 1 207 8 17 1 7 2 1 4 atiStkSwSysMgmtACLConfi...

Page 523: ...StkSwSysGroup 1 3 6 1 4 1 207 8 17 1 atiStkSwSysConfig 1 3 6 1 4 1 207 8 17 1 1 atiStkSwSysIpAddress 1 3 6 1 4 1 207 8 17 1 1 2 atiStkSwSysSubnetMask 1 3 6 1 4 1 207 8 17 1 1 3 atiStkSwSysGateway 1 3 6 1 4 1 207 8 17 1 1 4 atiStkSwSysIpAddressStatus 1 3 6 1 4 1 207 8 17 1 1 5 Table 50 Saving the Configuration and Returning to Default Settings AtiStackSwitch MIB Object Name OID atiStkSwSysGroup 1 3...

Page 524: ...3 6 1 4 1 207 8 17 2 2 atiStkSwPortMirroringState 1 3 6 1 4 1 207 8 17 2 2 1 atiStkSwPortMirroringDestinationModuleId 1 3 6 1 4 1 207 8 17 2 2 4 atiStkSwPortMirroringDestinationPortId 1 3 6 1 4 1 207 8 17 2 2 5 atiStkSwPortMirroringSourceRxList 1 3 6 1 4 1 207 8 17 2 2 6 atiStkSwPortMirroringSourceTxList 1 3 6 1 4 1 207 8 17 2 2 7 ...

Page 525: ...7 7 5 1 8 atiStkSwQosFlowGrpPriorityToTos 1 3 6 1 4 1 207 8 17 7 5 1 9 atiStkSwQosFlowGrpClassifierList 1 3 6 1 4 1 207 8 17 7 5 1 10 atiStkSwQosFlowGrpRowStatus 1 3 6 1 4 1 207 8 17 7 5 1 11 Table 53 Traffic Classes AtiStackSwitch MIB Object Name OID atiStkSwQosTrafficClassTable 1 3 6 1 4 1 207 8 17 7 6 atiStkSwQosTrafficClassEntry 1 3 6 1 4 1 207 8 17 7 6 1 atiStkSwQosTrafficClassModuleId 1 3 6 ...

Page 526: ...sPolicyEntry 1 3 6 1 4 1 207 8 17 7 7 1 atiStkSwQosPolicyModuleId 1 3 6 1 4 1 207 8 17 7 7 1 1 atiStkSwQosPolicyId 1 3 6 1 4 1 207 8 17 7 7 1 2 atiStkSwQosPolicyDescription 1 3 6 1 4 1 207 8 17 7 7 1 3 atiStkSwQosPolicyRemarkDSCP 1 3 6 1 4 1 207 8 17 7 7 1 4 atiStkSwQosPolicyDSCPValue 1 3 6 1 4 1 207 8 17 7 7 1 5 atiStkSwQosPolicyDSCPValue 1 3 6 1 4 1 207 8 17 7 7 1 6 atiStkSwQosPolicyMoveToSToPri...

Page 527: ...tiStkSwPortLinkState 1 3 6 1 4 1 207 8 17 2 1 1 5 atiStkSwPortNegotiation 1 3 6 1 4 1 207 8 17 2 1 1 6 atiStkSwPortSpeed 1 3 6 1 4 1 207 8 17 2 1 1 7 atiStkSwPortDuplexStatus 1 3 6 1 4 1 207 8 17 2 1 1 8 atiStkSwPortFlowControl 1 3 6 1 4 1 207 8 17 2 1 1 9 atiStkSwPortBackPressure 1 3 6 1 4 1 207 8 17 2 1 1 10 atiStkSwPortPriority 1 3 6 1 4 1 207 8 17 2 1 1 11 atiStkSwPortBroadcastProcessing 1 3 6...

Page 528: ...panning Tree Table 56 Spanning Tree AtiStackSwitch MIB Object Name OID atiStkSwSysConfig 1 3 6 1 4 1 207 8 17 1 1 atiStkSwSysSpanningTreeStatus 1 3 6 1 4 1 207 8 17 1 1 9 atiStkSwSysSpanningTreeVersion 1 3 6 1 4 1 207 8 17 1 1 10 ...

Page 529: ...tkSwStaticTrunkModuleId 1 3 6 1 4 1 207 8 17 8 1 1 1 atiStkSwStaticTrunkIndex 1 3 6 1 4 1 207 8 17 8 1 1 2 atiStkSwStaticTrunkId 1 3 6 1 4 1 207 8 17 8 1 1 3 atiStkSwStaticTrunkName 1 3 6 1 4 1 207 8 17 8 1 1 4 atiStkSwStaticTrunkMethod 1 3 6 1 4 1 207 8 17 8 1 1 5 atiStkSwStaticTrunkPortList 1 3 6 1 4 1 207 8 17 8 1 1 6 atiStkSwStaticTrunkStatus 1 3 6 1 4 1 207 8 17 8 1 1 7 atiStkSwStaticTrunkRow...

Page 530: ...e1 1 3 6 1 4 1 207 8 17 3 1 1 3 atiStkSwVlanUntaggedPortListModule1 1 3 6 1 4 1 207 8 17 3 1 1 4 atiStkSwVlanConfigEntryStatus 1 3 6 1 4 1 207 8 17 3 1 1 19 atiStkSwVlanActualUntaggedPortListModule1 1 3 6 1 4 1 207 8 17 3 1 1 20 Table 59 VLAN Table AtiStackSwitch MIB Object Name OID atiStkSwPort2VlanTable 1 3 6 1 4 1 207 8 17 3 2 atiStkSwPort2VlanEntry 1 3 6 1 4 1 207 8 17 3 2 1 atiStkSwPortVlanId...

Page 531: ...able 61 PVID Table AtiStackSwitch MIB Object Name OID atiStkSwPort2VlanTable 1 3 6 1 4 1 207 8 17 3 2 atiStkSwPort2VlanEntry 1 3 6 1 4 1 207 8 17 3 2 1 atiStkSwPortVlanId 1 3 6 1 4 1 207 8 17 3 2 1 1 atiStkSwPortVlanName 1 3 6 1 4 1 207 8 17 3 2 1 2 ...

Page 532: ...Appendix D MIB Objects 532 ...

Page 533: ...er 382 authenticator port role 381 384 Auto Detect feature 239 automatic port security mode 375 autosummarization of routes 333 B backup switches in Virtual Router Redundancy Protocol VRRP 365 boot configuration files default names 466 BOOTP relay agent default settings 467 described 357 guidelines 359 supported platforms 356 bridge identifier 238 bridge priority 238 bridge protocol data units BPD...

Page 534: ...ule ID numbers described 70 E edge ports 243 egress ports 310 egress queues 149 encryption SSL 429 encryption keys described 413 431 guidelines 415 Secure Shell SSH 440 supported platforms 412 technical overview 416 End Entity 433 Engine ID defined 222 enhanced stacking 65 and Secure Sockets Layer SSL 427 and SSH 443 common VLAN 81 described 79 guidelines 85 local interface 82 master switches 80 s...

Page 535: ...rface 82 345 local management session 43 locked port security mode 376 M MAC address table 94 MAC address based port security default settings 478 described 375 guidelines 378 intrusion actions 377 levels 375 MAC address based VLANs described 309 egress ports 310 general steps 316 guidelines 317 multiple switches 313 supported platforms 308 management access control list default setting 480 descri...

Page 536: ... protected ports VLANs described 303 guidelines 305 supported platforms 302 protocols in classifiers 130 public encryption key See encryption key Public Key Infrastructure PKI See also certificates encryption keys certificate database 435 certificates adding 435 fingerprint 435 retrieving 435 validating 434 certification authority CA described 433 root 434 default settings 483 described 431 End En...

Page 537: ...ned 222 SNMPv3 entities 221 SNMPv3 Notify Table described 231 SNMPv3 protocol authentication protocols 222 Configure SNMPv3 Community Table 231 Engine ID 222 message notification 227 MIB views 224 overview 221 privacy protocols 223 SNMPv3 Access Table 230 SNMPv3 Notify Table 231 SNMPv3 SecurityToGroup Table 230 SNMPv3 Target Address Table 231 SNMPv3 Target Parameters Table 231 storage types 226 su...

Page 538: ...ource ports in classifiers 133 untagged ports 274 User based Security Model USM authentication 221 username default 45 V Virtual LAN See MAC address based VLANs multiple VLAN modes port based VLANs protected ports VLANs tagged VLANs Virtual Router Redundancy Protocol VRRP backup switches 365 default settings 496 described 363 interface monitoring 366 master switch 364 port monitoring 367 supported...

Reviews:

No comments

Related manuals for AT-S63

F-SECURE ANTI-VIRUS FOR MIMESWEEPER - Administrator'S Manual preview
ANTI-VIRUS FOR MIMESWEEPER -
Brand: F-SECURE Pages: 44
MACROMEDIA FLEX-CREATING ADVANCED COMPONENTS Manual preview
FLEX-CREATING ADVANCED COMPONENTS
Brand: MACROMEDIA Pages: 24
Adobe 65007312 - Photoshop Lightroom User Manual preview
65007312 - Photoshop Lightroom
Brand: Adobe Pages: 184
FARONICS DEEP FREEZE - INTEGRATING WITH ALTIRIS... Manual preview
DEEP FREEZE - INTEGRATING WITH ALTIRIS...
Brand: FARONICS Pages: 22
MACROMEDIA DIRECTOR MX 2004-USING DIRECTOR Use Manual preview
DIRECTOR MX 2004-USING DIRECTOR
Brand: MACROMEDIA Pages: 500
Billion English CO1 User Manual preview
English CO1
Brand: Billion Pages: 42
Tascam HS-P82 Release Note preview
HS-P82
Brand: Tascam Pages: 6
LinPlug MorphoX User Manual preview
MorphoX
Brand: LinPlug Pages: 46
MACROMEDIA Director MX Use Manual preview
Director MX
Brand: MACROMEDIA Pages: 624
IRIS READIRIS 12 PRO Getting Started Manual preview
READIRIS 12 PRO
Brand: IRIS Pages: 6
Red Hat Application Server Manual preview
Application Server
Brand: Red Hat Pages: 296
AVG RESCUE CD - FOR WINDOWS V 85.2 User Manual preview
RESCUE CD - FOR WINDOWS V 85.2
Brand: AVG Pages: 83
AVG ANTI-VIRUS BUSINESS EDITION 2011 - REV 2011.01 User Manual preview
ANTI-VIRUS BUSINESS EDITION 2011 - REV 2011.01
Brand: AVG Pages: 128
Intel IT DIRECTOR Manual preview
IT DIRECTOR
Brand: Intel Pages: 43
Sun Microsystems VIRTUALBOX 3.0.0 User Manual preview
VIRTUALBOX 3.0.0
Brand: Sun Microsystems Pages: 259
Bay Networks Manager User Manual preview
Manager
Brand: Bay Networks Pages: 488
MACROMEDIA COLDFUSION 4.5-CFML LANGUAGE Reference preview
COLDFUSION 4.5-CFML LANGUAGE
Brand: MACROMEDIA Pages: 608
Nortel Symposium TAPI Service Provider for Succession 3.0 User Manual preview
Symposium TAPI Service Provider for Succession 3.0
Brand: Nortel Pages: 198

Brands by name

Popular brands

Load more brands