Allied Telesis AT-S63 Features Manual

Management Software for Stand-alone AT-9400 Switches and AT-9400Ts Stacks
Features Guide
For Stand-alone AT-9400 Switches
and AT-9400Ts Stacks
AT-S63 Version 2.2.0 for AT-9400 Layer 2+ Switches
AT-S63 Version 4.0.0 for AT-9400 Basic Layer 3 Switches
613-001022 Rev. B
AT-S63 Management Software


Summary of Contents for Allied Telesis AT-S63

  • Page 1 ◆ Features Guide For Stand-alone AT-9400 Switches and AT-9400Ts Stacks AT-S63 Version 2.2.0 for AT-9400 Layer 2+ Switches AT-S63 Version 4.0.0 for AT-9400 Basic Layer 3 Switches 613-001022 Rev. B Software AT-S63...
  • Page 2 Allied Telesis, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesis, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesis, Inc.
  • Page 3: Table Of Contents

    Management Software Updates... 26 Section I: Basic Operations ... 27 Chapter 1: Overview ... 29 Layer 2+ and Basic Layer 3 Switches ... 30 AT-S63 Management Software ... 36 Management Interfaces... 37 Management Access Methods ... 43 Local Management Sessions ... 43 Remote Telnet Sessions ...
  • Page 4 MAC Address Tables ... 73 File Systems ... 73 Compact Flash Memory Card Slots ... 73 Stack IP Address ... 74 Upgrading the AT-S63 Management Software ... 75 Chapter 3: Enhanced Stacking ... 77 Supported Platforms ... 78 Overview ... 79 Master and Slave Switches...
  • Page 5 Traffic Classes... 161 Policies ... 162 QoS Policy Guidelines... 163 Packet Processing... 164 Bandwidth Allocation ... 164 Packet Prioritization... 164 Replacing Priorities... 166 VLAN Tag User Priorities ... 166 DSCP Values... 166 DiffServ Domains... 167 Examples... 169 AT-S63 Management Software Features Guide...
  • Page 6 Contents Voice Applications ...169 Video Applications ...171 Critical Database ...173 Policy Component Hierarchy ...174 Chapter 15: Denial of Service Defenses ...177 Supported Platforms ...178 Overview ...179 SYN Flood Attack...180 Smurf Attack ...181 Land Attack ...182 Teardrop Attack ...184 Ping of Death Attack ...185 IP Options Attack ...186 Mirroring Traffic ...187 Denial of Service Defense Guidelines ...188...
  • Page 7 Port VLAN Identifier ... 274 Guidelines to Creating a Port-based VLAN... 275 Drawbacks of Port-based VLANs... 275 Port-based Example 1... 276 Port-based Example 2... 277 Tagged VLAN Overview ... 279 Tagged and Untagged Ports ... 280 AT-S63 Management Software Features Guide...
  • Page 8 Contents Port VLAN Identifier...280 Guidelines to Creating a Tagged VLAN ...280 Tagged VLAN Example ...281 Chapter 25: GARP VLAN Registration Protocol ...283 Supported Platforms ...284 Overview ...285 Guidelines ...288 GVRP and Network Security...289 GVRP-inactive Intermediate Switches ...290 Generic Attribute Registration Protocol (GARP) Overview ...291 Chapter 26: Multiple VLAN Modes ...295 Supported Platforms ...296 Overview ...297...
  • Page 9 Adding a Static Route and Default Route ... 350 Adding RIP ... 351 Selecting the Local Interface... 351 Non-routing Command Example ... 352 Upgrading from AT-S63 Version 1.3.0 or Earlier... 354 Chapter 30: BOOTP Relay Agent ... 355 Supported Platforms... 356 Overview... 357 Guidelines...
  • Page 10 Contents RADIUS Accounting...397 General Steps ...398 Guidelines ...399 Section IX: Management Security ...403 Chapter 34: Web Server ...405 Supported Platforms ...406 Overview ...407 Supported Protocols ...407 Configuring the Web Server for HTTP ...408 Configuring the Web Server for HTTPS...409 General Steps for a Self-signed Certificate ...409 General Steps for a Public or Private CA Certificate ...409 Chapter 35: Encryption Keys ...411 Supported Platforms ...412...
  • Page 11 IP Address... 458 Mask... 458 Application... 458 Guidelines... 459 Examples... 460 Appendix A: AT-S63 Management Software Default Settings ... 463 Address Resolution Protocol Cache... 465 Boot Configuration File ... 466 BOOTP Relay Agent ... 467 Class of Service... 468 Denial of Service Defenses ... 469 802.1x Port-Based Network Access Control ...
  • Page 12 Contents Appendix B: SNMPv3 Configuration Examples ...499 SNMPv3 Configuration Examples...500 SNMPv3 Manager Configuration...500 SNMPv3 Operator Configuration...501 SNMPv3 Worksheet ...502 Appendix C: Features and Standards ...505 10/100/1000Base-T Twisted Pair Ports ...506 Denial of Service Defenses...506 Ethernet Protection Switching Ring Snooping ...506 Fiber Optic Ports (AT-9408LC/SP Switch) ...507 File System ...507 DHCP and BOOTP Clients ...507...
  • Page 13 Figures Figure 1: AT-StackXG Stacking Module ...63 Figure 2: Duplex-chain Topology...66 Figure 3: Duplex-ring Topology ...67 Figure 4: Static Port Trunk Example...99 Figure 5: User Priority and VLAN Fields within an Ethernet Frame...130 Figure 6: ToS field in an IP Header ...131 Figure 7: ACL Example 1 ...141 Figure 8: ACL Example 2 ...142 Figure 9: ACL Example 3 ...143...
  • Page 15 Table 19: Management Interfaces for Management Security ...42 Table 20: Twisted Pair Ports Matched with GBIC and SFP Slots ...49 Table 21: New Features in AT-S63 Version 3.0.0 ...53 Table 22: New Features in AT-S63 Version 2.1.0 ...54 Table 23: New Features in AT-S63 Version 2.0.0 ...55 Table 24: New Features in AT-S63 Version 1.3.0 ...55...
  • Page 16 Tables Table 50: Example of Weighted Round Robin Priority ... 153 Table 51: Example of a Weight of Zero for Priority Queue 7 ... 153 Table 52: Support for Quality of Service ... 156 Table 53: Management Interfaces for Quality of Service ... 156 Table 54: Support for the Denial of Service Defenses ...
  • Page 17 AT-S63 Management Software Features Guide Table 110: Support for the Secure Shell Protocol ...438 Table 111: Management Interfaces for the Secure Shell Protocol ...438 Table 112: Support for the TACACS+ and RADIUS Protocols ...448 Table 113: Management Interfaces for the TACACS+ and RADIUS Protocols ...448 Table 114: Support for the Management Access Control List ...456...
  • Page 19: Preface

    Preface This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software. This preface contains the following sections: “How This Guide is Organized” on page 20 “Product Documentation” on page 22 “Where to Go First”...
  • Page 20: How This Guide Is Organized

    Preface How This Guide is Organized This guide has the following sections and chapters: Section I: Basic Operations Chapter 1, “Overview” on page 29 Chapter 2, “AT-9400Ts Stacks” on page 59 Chapter 3, “Enhanced Stacking” on page 77 Chapter 4, “SNMPv1 and SNMPv2c” on page 87 Chapter 5, “MAC Address Table”...
  • Page 21 Chapter 38, “TACACS+ and RADIUS Protocols” on page 447 Chapter 39, “Management Access Control List” on page 455 Appendices Appendix A, “AT-S63 Management Software Default Settings” on page Appendix B, “SNMPv3 Configuration Examples” on page 499 Appendix C, “Features and Standards” on page 505...
  • Page 22: Product Documentation

    Switch, refer to: For instructions on how to install or manage an AT-9400Ts Stack, refer to: The installation and user guides for all the Allied Telesis products are available in portable document format (PDF) on our web site at www.alliedtelesis.com. You can view the documents online or download them onto a local workstation or server.
  • Page 23: Where To Go First

    Where to Go First Allied Telesis recommends that you read Chapter 1, “Overview” on page 29 in this guide before you begin to manage the switch for the first time. There you will find a variety of basic information about the unit and the management software, such as the two manager access levels and the different types of management sessions.
  • Page 24: Starting A Management Session

    Preface Starting a Management Session For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide.
  • Page 25: Document Conventions

    AT-S63 Management Software Features Guide Document Conventions This document uses the following conventions: Note Notes provide additional information. Caution Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data. Warning Warnings inform you that performing or omitting a specific action...
  • Page 26: Contacting Allied Telesis

    Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions. Email and Telephone: For Technical Support via email or telephone, refer to the Allied Telesis web site at www.alliedtelesis.com. Select your country from the list on the web site and then select the appropriate tab.
  • Page 27: Section I: Basic Operations

    Section I Basic Operations The chapters in this section contain background information on basic switch features. The chapters include: Chapter 1, “Overview” on page 29 Chapter 2, “AT-9400Ts Stacks” on page 59 Chapter 3, “Enhanced Stacking” on page 77 Chapter 4, “SNMPv1 and SNMPv2c” on page 87 Chapter 5, “MAC Address Table”...
  • Page 29: Chapter 1: Overview

    Overview This chapter has the following sections: “Layer 2+ and Basic Layer 3 Switches” on page 30 “AT-S63 Management Software” on page 36 “Management Interfaces” on page 37 “Management Access Methods” on page 43 “Manager Access Levels” on page 45 “Installation and Management Configurations”...
  • Page 30: Layer 2+ And Basic Layer 3 Switches

    Chapter 1: Overview Layer 2+ and Basic Layer 3 Switches The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups: Although the switches have many of the same features and capabilities, there are a number of significant differences. For instance, the Internet Protocol Version 4 packet routing feature is only supported on the Basic Layer 3 switches and is the reason for the group’s name.
  • Page 31 Access control lists Class of Service Quality of Service Table 1. Basic Operations Basic Layer 3 Switches 24Ts 24XP 48SP 48XP Table 2. Advanced Operations Basic Layer 3 Switches 24Ts 24XP 48SP 48XP AT-S63 Management Software Features Guide Stack Stack...
  • Page 32 Chapter 1: Overview Layer 2+ Switches 08LC 24GB 24SP Denial of service defenses Power over Ethernet 1. The only accessible file system in a stack is on the master switch. 2. The only active event logs in a stack are on the master switch. Layer 2+ Switches 08LC 24GB 24SP Internet Group...
  • Page 33 Registration Protocol Protected ports VLANs MAC address-based VLANs Table 5. Spanning Tree Protocols Basic Layer 3 Switches 24Ts 24XP 48SP 48XP Table 6. Virtual LANs Basic Layer 3 Switches 24Ts 24XP 48SP 48XP AT-S63 Management Software Features Guide Stack Stack...
  • Page 34 Chapter 1: Overview Layer 2+ Switches 08LC 24GB 24SP Static routes for Internet Protocol version 4 routing Routing Information Protocol (RIP) One routing interface Virtual Router Redundancy Protocol BOOTP and DHCP clients BOOTP relay agent 1. Used to assign the switch or stack an IP address configuration. Layer 2+ Switches 08LC 24GB 24SP MAC address-based...
  • Page 35 1. Stacks do not support the TACACS+ protocol. You can use the web browser interface to configure RADIUS accounting on a stack, but you cannot use the interface to enter the IP addresses of the RADIUS servers. Table 9. Management Security Basic Layer 3 Switches 24Ts 24XP 48SP 48XP AT-S63 Management Software Features Guide Stack...
  • Page 36: AT-S63 Management Software

    Chapter 1: Overview AT-S63 Management Software The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged unit.
  • Page 37: Management Interfaces

    Management Interfaces The AT-S63 Management Software has four management interfaces: Standard command line AlliedWare Plus command line Menus Web browser windows As shown in Table 10, the standard command line and the web browser windows are supported on all of the possible platforms: stand-alone AT-9400 Layer 2+ Switches, stand-alone AT-9400 Basic Layer 3 Switches, and AT-9400 Stacks.
  • Page 38 Chapter 1: Overview In other cases, a management interface might support only part of a function. For example, you can set a switch or stack’s name, contact or location with any of the management interfaces, except for the AlliedWare Plus commands, which only lets you set the name. The following tables list the features you can configure from the various management interfaces for stand-alone switches and AT-9400Ts Stacks.
  • Page 39 3. You can use the AlliedWare Plus command line to download new versions of the AT-S63 Management Software to stand-alone switches. You cannot use this interface to download new versions of the management software to stacks or to transfer files to the file system.
  • Page 40 Chapter 1: Overview 6. You cannot modify the event log full action from the web browser interface. Table 13. Management Interfaces for Snooping Protocols Internet Group Management Protocol (IGMP) snooping Multicast Listener Discovery (MLD) snooping Router Redundancy Protocol (RRP) snooping Ethernet Protection Switching Ring (EPSR) snooping SNMPv3...
  • Page 41 Address Resolution Protocol (ARP) table BOOTP and DHCP clients BOOTP relay agent Virtual Router Redundancy Protocol Table 18. Management Interfaces for Port Security MAC address-based port security AT-S63 Management Software Features Guide Stand-alone Switches Stand-alone Switches Stand-alone Switches Stacks Stacks Stacks...
  • Page 42 Chapter 1: Overview 802.1x port-based network access control Table 19. Management Interfaces for Management Security Web server Encryption keys Public Key Infrastructure (PKI) certificates and Secure Sockets Layer (SSL) protocol Secure Shell server TACACS+ and RADIUS authentication Management access control list 1.
  • Page 43: Management Access Methods

    Management Access Methods You can access the AT-S63 Management Software on a switch several ways: Local session Remote Telnet session Remote Secure Shell (SSH) session Remote web browser (HTTP or HTTPS) session Remote SNMP session Local To establish a local management session, you connect a terminal or a PC...
  • Page 44: Remote Secure Shell (SSH) Sessions

    Chapter 1: Overview Remote Secure Shell (SSH) Sessions: The AT-S63 Management Software also has a Secure Shell (SSH) server for remote management from SSH clients on your network. An SSH management session is similar to a Telnet management session except it uses encryption to protect the session from snooping.
  • Page 45: Manager Access Levels

    Manager Access Levels The AT-S63 Management Software has two manager access levels: manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level only lets you view the parameter settings.
  • Page 46: Installation And Management Configurations

    Chapter 1: Overview Installation and Management Configurations The AT-9400 Switches can be installed in three configurations. Stand-alone Switches: All the AT-9400 Switches can be installed as managed or unmanaged, stand-alone Gigabit Ethernet switches. AT-9400Ts: The AT-9424Ts, AT-9424Ts/XP and AT-9448Ts/XP Switches can be installed as a stack.
  • Page 47: IP Configuration

    IP Configuration Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your network, like a Simple Network Time...
  • Page 48: Configuration Files

    Chapter 1: Overview Configuration Files Stand-alone switches and stacks store their parameter settings in configuration files in their file systems. The devices use these files to configure their parameter settings whenever they initialize their management software, such as when you power on or reset the units. The switches do not update the files automatically after you change a parameter setting.
  • Page 49: Redundant Twisted Pair Ports

    Auto-Negotiation on a twisted pair port and set the speed and duplex mode manually, the speed reverts to Auto-Negotiation when a GBIC or SFP module establishes a link with an end node. AT-S63 Management Software Features Guide Ports and Slots 23R with GBIC slot 23...
  • Page 50 Chapter 1: Overview Note These guidelines do not apply to the SFP slots on the AT-9408LC/SP Switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP Switches.
  • Page 51: History Of New Features

    The management software has a new command line interface based on the commands in the AlliedWare Plus operating system found on other Allied Telesis products, such as the Layer 3 switches. If you are already familiar with the commands in the AlliedWare Plus operating system, you may find this new interface more convenient to use than the standard command line.
  • Page 52 Chapter 1: Overview AT-9400 Stacks Here are the new and enhanced features in AT-S63 Management Software for AT-9400 Stacks: BOOTP/DHCP Relay Agent Access Control Lists Quality of Service policies IPv4 static routes Encrypted remote web browser management sessions with the...
  • Page 53: Version 3.2.0

    Software or to the AT-S63 Stack Command Line User’s Guide. Version 3.2.0 did not include any new features for stand-alone AT-9400 Switches. Version 3.0.0 Table 21 lists the new features in version 3.0.0 of the AT-S63 Management Software. Stacking with the AT-StackXG Stacking Module...
  • Page 54: Version 2.1.0

    Version 2.1.0 Table 22 lists the new features in version 2.1.0. Internet Protocol version 4 packet routing Table 21. New Features in AT-S63 Version 3.0.0 (Continued) Feature Table 22. New Features in AT-S63 Version 2.1.0 Feature Change Added the following authentication...
  • Page 55: Version 2.0.0

    Version 2.0.0 Table 23 lists the new feature in version 2.0.0 of the AT-S63 Management Software. Internet Protocol version 4 packet routing with: Routing interfaces Static routes Routing Information Protocol (RIP) versions 1 and 2 Version 1.3.0 Table 24 lists the new features in version 1.3.0 of the AT-S63 Management Software.
  • Page 56: Version 1.2.0

    Table 25 lists the new features in version 1.2.0. MAC Address Table Quality of Service MLD Snooping MAC Address-based VLANs Table 25. New Features in AT-S63 Version 1.2.0 Feature Added the following new parameters to the CLI commands for displaying and deleting specific...
  • Page 57 Table 25. New Features in AT-S63 Version 1.2.0 (Continued) Feature 802.1x Port-based Network Access Control AT-S63 Management Software Features Guide Change Added a new parameter to authenticator ports: Supplicant Mode for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator...
  • Page 59: Chapter 2: AT-9400Ts Stacks

    “Module ID Numbers” on page 70 “Stack Configuration Files” on page 71 “MAC Address Tables” on page 73 “File Systems” on page 73 “Compact Flash Memory Card Slots” on page 73 “Stack IP Address” on page 74 “Upgrading the AT-S63 Management Software” on page 75...
  • Page 60: Supported Platforms

    Chapter 2: AT-9400Ts Stacks Supported Platforms Table 26 and Table 27 list the AT-9400 Switches and the management interfaces that support AT-9400Ts Stacks. Table 26. Support for AT-9400Ts Stacks Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP...
  • Page 61: Introduction

    In contrast, a static trunk on a stack can have ports from different switches in the same stack. AT-S63 Management Software Features Guide...
  • Page 62: AT-S63 Management Software

    Chapter 2: AT-9400Ts Stacks AT-S63 Management Software Stacking requires Version 3.0.0 or later of the AT-S63 Management Software. Supported Models Stacking is only supported on the following AT-9400 Switches: Note Version 3.0.0 is only supported on the AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, and AT-9448Ts/XP Basic Layer 3 Switches.
  • Page 63: AT-StackXG Stacking Module

    AT-S63 Management Software Features Guide AT-StackXG Stacking Module To be part of a stack, the AT-9400Ts Switch must have the AT-StackXG Stacking Module, shown in Figure 1. You install the module in the switch’s expansion slot on the back panel. The installation instructions are provided in the AT-9400Ts Stack Installation Guide.
  • Page 64: Maximum Number Of Switches In A Stack

    A stack can have both models and either model can be the master switch of the stack. Allied Telesis does not recommend using the 48-port AT-9448Ts/XP Switch as the master switch of a stack. Consequently, a stack with one or more 48-port switches should have as the master switch the 24-port AT-9424Ts Switch or the AT-9424Ts/XP Switch.
  • Page 65: Enhanced Stacking

    The feature is enhanced stacking, which lets you manage the different Allied Telesis switches in your network from one management session by redirecting the management session from switch to switch.
  • Page 66: Stack Topology

    Chapter 2: AT-9400Ts Stacks Stack Topology The switches of an AT-9400Ts Stack are cabled with the AT-StackXG Stacking Module and its two full-duplex, 12-Gbps stacking ports. There are two supported topologies. The first topology is the duplex-chain topology, where a port on one stacking module is connected to a port on the stacking module in the next switch, which is connected to the next switch, and so on.
  • Page 67: Figure 3: Duplex-Ring Topology

    This can protect a stack against the failure of a stacking port or cable. A disruption in the primary path automatically activates the secondary path. [Figure 3: Duplex-ring Topology]
  • Page 68: Discovery Process

    In the first phase the switches initialize their AT-S63 Management Software. It takes about one minute for a switch to fully initialize its software.
  • Page 69: Master And Member Switches

    AT-S63 Management Software Features Guide Master and Member Switches The activities of the devices of a stack are coordinated by a master switch. There can be only one master switch, but it can be any unit in a stack. The master switch is assigned module ID 1, as explained in “Module ID...
  • Page 70: Module ID Numbers

    Prior to version 4.0.0 of the AT-S63 Management Software, there were two ways to assign the numbers. One way was to assign them yourself.
  • Page 71: Stack Configuration Files

    If the number is set to AUTO, meaning automatic, the switch assumes that it is a stand-alone switch and uses the BOOT.CFG file, or whatever stand-alone file you’ve designated. This is the default setting for the switches. AT-S63 Management Software Features Guide...
  • Page 72 Chapter 2: AT-9400Ts Stacks By having two standard configuration files, a switch can retain its prior configuration settings when converted from a stand-alone configuration to a stack member, or vice versa. This saves you the trouble of having to reconfigure the device. Since there are two different configuration files, the parameter settings from a stand-alone configuration file cannot be automatically transferred to a stack configuration file.
  • Page 73: MAC Address Tables

    The file systems on the member switches are not accessible. Compact Flash Memory Card Slots The master switch of a stack has the only active compact flash memory slot. The slots in the member switches are inactive.
  • Page 74: Stack IP Address

    Chapter 2: AT-9400Ts Stacks Stack IP Address If you do not intend to use the packet routing feature, you must still assign one routing interface to the stack if it will be performing any of the following management functions: To assign an IP address to the stack you have to create an IPv4 routing interface.
  • Page 75: Upgrading the AT-S63 Management Software

    Upgrading the AT-S63 Management Software The AT-9400 Switch must have Version 3.0.0 or later of the AT-S63 Management Software to be a member of a stack. To update the management software on an existing stack for versions after Version 3.0.0, you must disconnect the stacking cables and update the switches individually, either locally through the Terminal Port on the units or over the network using a TFTP server.
  • Page 77: Chapter 3: Enhanced Stacking

    Chapter 3 Enhanced Stacking This chapter contains the following sections: “Supported Platforms” on page 78 “Overview” on page 79 “Master and Slave Switches” on page 80 “Common VLAN” on page 81 “Master Switch and the Local Interface” on page 82 “Slave Switches”...
  • Page 78: Supported Platforms

    Chapter 3: Enhanced Stacking Supported Platforms Table 29 and Table 30 list the AT-9400 Switches and the management interfaces that support enhanced stacking. Table 29. Support for Enhanced Stacking Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP...
  • Page 79: Overview

    Allied Telesis recommends reviewing the information in this section before using this feature, even if you are familiar with it from earlier versions of the AT-S63 Management Software or from other Allied Telesis Ethernet switches that support this feature.
  • Page 80: Master And Slave Switches

    Chapter 3: Enhanced Stacking Master and Slave Switches An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other switches.
  • Page 81: Common VLAN

    VLAN from the slave switch to the master switch. The Default_VLAN can be used as the common VLAN. The common VLAN does not have to be dedicated solely to the enhanced stacking feature. AT-S63 Management Software Features Guide...
  • Page 82: Master Switch And The Local Interface

    Chapter 3: Enhanced Stacking Master Switch and the Local Interface Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to determine which subnet to send its broadcast packets out on and which subnet to monitor for the management packets from the other switches and from remote management workstations.
  • Page 83: Slave Switches

    AT-S63 Management Software Features Guide Slave Switches The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the master switch.
  • Page 84: Enhanced Stacking Compatibility

    Chapter 3: Enhanced Stacking Enhanced Stacking Compatibility This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8400 Series and AT-8500 Series Switches. As such, an enhanced stack can consist of various switch models, though the following issues need to be considered...
  • Page 85: Enhanced Stacking Guidelines

    An enhanced stack must have at least one master switch. You designate the master by changing its stacking status to Master. An enhanced stack can consist of other Allied Telesis switches that support this feature, including the AT-8400, AT-8500, and AT-9400 Switches.
  • Page 86: General Steps

    5. On the master switch designate the interface assigned to the common 6. On the slave switches, add a routing interface to the common VLAN. can be any Allied Telesis switch that supports this feature. In a stack with different switch models, Allied Telesis recommends using an AT-9400 Switch as the master switch.
  • Page 87: Chapter 4: SNMPv1 and SNMPv2c

    Chapter 4 SNMPv1 and SNMPv2c This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch. Sections in the chapter include: “Supported Platforms” on page 88 “Overview” on page 89 “Community String Attributes” on page 90 “Default SNMP Community Strings” on page 92 Section I: Basic Operations...
  • Page 88: Supported Platforms

    Chapter 4: SNMPv1 and SNMPv2c Supported Platforms Refer to Table 31 and Table 32 for the AT-9400 Switches and the management interfaces that support SNMPv1 and SNMPv2c community strings. Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP...
  • Page 89: Overview

    Activate SNMP management on the switch. The default setting for SNMP management is disabled. Load the Allied Telesis MIBs for the switch onto your management workstation containing the SNMP application program. The MIBs are available from the Allied Telesis web site at www.alliedtelesis.com.
  • Page 90: Community String Attributes

    Chapter 4: SNMPv1 and SNMPv2c Community String Attributes A community string has attributes for controlling who can use the string and what the string allows a network management workstation to do on the switch. The community string attributes are defined below: Community: A community string must have a name of one to eight alphanumeric characters.
  • Page 91 AT-S63 Management Software Features Guide the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings.
  • Page 92: Default SNMP Community Strings

    Chapter 4: SNMPv1 and SNMPv2c Default SNMP Community Strings The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write. If you...
  • Page 93: Chapter 5: MAC Address Table

    Chapter 5 MAC Address Table This chapter contains background information about the MAC address table. This chapter contains the following section: “Overview” on page 94
  • Page 94: Overview

    Chapter 5: MAC Address Table Overview The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port numbers where the addresses were learned.
  • Page 95 AT-S63 Management Software Features Guide no longer active. The period of time a switch waits before purging inactive dynamic MAC addresses is called the aging time. This value is adjustable on the AT-9400 Switch. The default value is 300 seconds (5 minutes).
  • Page 97: Chapter 6: Static Port Trunks

    Chapter 6 Static Port Trunks This chapter describes static port trunks. Sections in the chapter include: “Supported Platforms” on page 98 “Overview” on page 99 “Load Distribution Methods” on page 100 “Guidelines” on page 102 Section I: Basic Operations...
  • Page 98: Supported Platforms

    Chapter 6: Static Port Trunks Supported Platforms Refer to Table 33 and Table 34 for the AT-9400 Switches and the management interfaces that support static port trunks. Table 33. Support for Static Port Trunks: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE...
  • Page 99: Overview

    For this reason, static trunks are typically employed only between devices from the same vendor. Figure 4 (figure residue; only the device labels “CLASS 1 LASER PRODUCT” survive from the image).
  • Page 100: Load Distribution Methods

    When you create a static or LACP port trunk, you have to select a load distribution method that controls how the switch is to distribute the traffic load across the ports in the trunk. The AT-S63 Management Software offers the following load distribution methods: The load distribution methods examine the last three bits of a packet’s...
  • Page 101 A similar method is used for the two load distribution methods that employ both the source and destination addresses. Here, however, the last three bits of both addresses are combined by an XOR operation to derive a single value, which is then compared against the mappings of the bits to ports.
  • Page 102: Guidelines

    Chapter 6: Static Port Trunks Guidelines Here are the guidelines for static trunks: Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility. A static trunk can have up to eight ports. Stand-alone switches and AT-9400Ts Stacks can support up to six static and LACP trunks at a time (for example, four static trunks and two LACP trunks).
  • Page 103: Chapter 7: LACP Port Trunks

    Chapter 7 LACP Port Trunks This chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the chapter include: “Supported Platforms” on page 104 “Overview” on page 105 “LACP System Priority” on page 106 “Adminkey Parameter” on page 107 “LACP Port Priority Value”...
  • Page 104: Supported Platforms

    Chapter 7: LACP Port Trunks Supported Platforms Refer to Table 35 and Table 36 for the AT-9400 Switches and the management interfaces that support LACP port trunks. Table 35. Support for LACP Port Trunks: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE...
  • Page 105: Overview

    IEEE 802.3ad standard, making it interoperable with equipment from other vendors that also comply with the standard. Therefore, you can create an LACP trunk between an Allied Telesis device and network devices from other manufacturers. Another advantage is that ports in an LACP trunk can function in a standby mode.
  • Page 106: LACP System Priority

    Chapter 7: LACP Port Trunks LACP System Priority It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be active and which are to be in standby.
  • Page 107: Adminkey Parameter

    LACPDU packets. If a port that is part of an aggregator does not receive LACPDU packets, it functions as a normal Ethernet port and forwards network packets along with LACPDU packets.
  • Page 108: Load Distribution Methods

    Chapter 7: LACP Port Trunks Load Distribution Methods The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it.
  • Page 109: Guidelines

    The other device must be 802.3ad-compliant. An aggregator can consist of any number of ports. The AT-S63 Management Software supports up to eight active ports in an aggregate trunk at a time. Stand-alone switches and AT-9400Ts Stacks can support up to six static and LACP aggregate trunks at a time (for example, four static trunks and two LACP trunks).
  • Page 110 For example, an aggregator of ports 12 to 16 is assigned the default name DEFAULT_AGG12. Prior to creating an aggregate trunk between an Allied Telesis device and another vendor’s device, refer to the vendor’s documentation to determine the maximum number of active ports the device can support in a trunk.
  • Page 111: Chapter 8: Port Mirror

    Chapter 8 Port Mirror This chapter explains the port mirror feature. Sections in the chapter include: “Supported Platforms” on page 112 “Overview” on page 113 “Guidelines” on page 113...
  • Page 112: Supported Platforms

    Chapter 8: Port Mirror Supported Platforms Refer to Table 37 and Table 38 for the AT-9400 Switches and the management interfaces that support the port mirror. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; AT-9400Ts Stack...
  • Page 113: Overview

    You can mirror the ingress or egress traffic of the source ports, or both. To create a mirror port for the Denial of Service defenses, specify only the destination port for the mirrored traffic. The management software automatically determines the source ports.
  • Page 115: Section II: Advanced Operations

    Section II Advanced Operations This section contains the following chapters: Chapter 9, “File System” on page 117 Chapter 10, “Event Logs and the Syslog Client” on page 121 Chapter 11, “Classifiers” on page 125 Chapter 12, “Access Control Lists” on page 135 Chapter 13, “Class of Service”...
  • Page 117: Chapter 9: File System

    Chapter 9 File System The chapter explains the switch’s file system and contains the following sections: “Overview” on page 118 “File Naming Conventions” on page 119 “Using Wildcards to Specify Groups of Files” on page 120...
  • Page 118: Overview

    Event logs. Note: The certificate file, certificate enrollment request file, and key file are supported only on the version of the AT-S63 Management Software that features SSL and PKI security. Note: The file system may contain one or more ENC.UKF files. These are encryption key pairs.
  • Page 119: File Naming Conventions

    (.). The extension is used by the switch to determine the file type. Table 39. File Extensions and File Types (Extension: File Type): .cfg: Configuration file; .cer: Certificate file; .csr: Certificate enrollment request; .key: Public encryption key; .log: Event log...
  • Page 120: Using Wildcards To Specify Groups Of Files

    Chapter 9: File System Using Wildcards to Specify Groups of Files You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions: *.cfg *.key...
  • Page 121: Chapter 10: Event Logs And The Syslog Client

    Chapter 10 Event Logs and the Syslog Client This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server. Sections in the chapter include: “Supported Platforms”...
  • Page 122: Supported Platforms

    Chapter 10: Event Logs and the Syslog Client Supported Platforms Refer to Table 40 and Table 41 for the AT-9400 Switches and the management interfaces that support the event logs and the syslog client. Table 40. Support for the Event Logs and ... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB...
  • Page 123: Overview

    The time and date of the event; the severity of the event; the management module that generated the event; an event description.
  • Page 124: Syslog Client

    Observe the following guidelines when using this feature: Note: The event logs, even when disabled, log all the AT-S63 initialization events that occur when the switch is reset or power cycled. Any switch events that occur after the AT-S63 initialization are entered into the logs only if you enable the event log feature.
  • Page 125: Chapter 11: Classifiers

    Chapter 11 Classifiers This chapter explains classifiers for access control lists and Quality of Service policies. The sections in this chapter include: “Supported Platforms” on page 126 “Overview” on page 127 “Classifier Criteria” on page 129 “Guidelines” on page 134...
  • Page 126: Supported Platforms

    Chapter 11: Classifiers Supported Platforms Refer to Table 42 and Table 43 for the AT-9400 Switches and the management interfaces that support classifiers. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; AT-9400Ts Stack. Switch or Stack: Stand-alone Switch, AT-9400Ts Stack...
  • Page 127: Overview

    As a result, you will never use a classifier by itself. There are two AT-S63 features that use classifiers. They are: As explained in Chapter 12, “Access Control Lists” on page 135, an ACL filters ingress packets on a port by controlling which packets a port will accept and reject.
  • Page 128 is dictated by the QoS policy, as explained in Chapter 14, “Quality of Service” on page 155. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.
  • Page 129: Classifier Criteria

    7 the highest. Figure 5 illustrates the location of the user priority field within an Ethernet frame. (Figure 5 panels: Ethernet II tagged packets; Ethernet II untagged packets; Ethernet 802.2 tagged packets; Ethernet 802.2 untagged packets.)
  • Page 130: Figure 5: User Priority And VLAN Fields Within An Ethernet Frame

    (Figure 5 frame field labels: Preamble, 64 bits; Tag Protocol Identifier.) You can identify a traffic flow of tagged packets using the user priority value. A classifier for such a traffic flow would instruct a port to watch for tagged packets containing the specified user priority level. The priority level criteria can contain only one value, and the value must be from 0 (zero) to 7.
  • Page 131: Figure 6: ToS Field In An IP Header

    Figure 6. ToS field in an IP Header The Protocol variable must be left blank or set to IP. You cannot specify both an IP ToS value and an IP DSCP value in the same classifier.
  • Page 132 Observe these guidelines when using this criterion: IP Protocol (Layer 3): You can define a traffic flow by the following Layer 3 protocols: If you choose to specify the protocol by its number, you can enter the value in decimal or hexadecimal format.
  • Page 133 The Protocol variable must be left blank or set to IP. The IP Protocol variable must be left blank or set to TCP. A classifier cannot contain both a TCP flag and a UDP source and/or destination port.
  • Page 134: Guidelines

    Chapter 11: Classifiers Guidelines Follow these guidelines when creating a classifier: Each classifier represents a separate traffic flow. The variables within a classifier are linked by AND. The more variables you define within a classifier, the more specific it becomes in terms of the flow it defines.
  • Page 135: Chapter 12: Access Control Lists

    Chapter 12 Access Control Lists This chapter describes access control lists (ACL) and how they can improve network security and performance. This chapter contains the following sections: “Supported Platforms” on page 136 “Overview” on page 137 “Parts of an ACL” on page 139 “Guidelines”...
  • Page 136: Supported Platforms

    Chapter 12: Access Control Lists Supported Platforms Refer to Table 44 and Table 45 for the AT-9400 Switches and the management interfaces that support the access control lists. Table 44. Support for the Access Control ... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T...
  • Page 137: Overview

    ACL assigned to the same port, because a permit ACL always overrides a deny ACL. on the port, then the packet is discarded.
  • Page 138 4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.
  • Page 139: Parts Of An ACL

    Parts of an ACL An ACL must have the following information: Name - An ACL must have a name. The name of an ACL should indicate the type of traffic flow being filtered and, perhaps, also the action.
  • Page 140: Guidelines

    Chapter 12: Access Control Lists Guidelines Here are the rules for creating ACLs: A port can have multiple permit and deny ACLs. An ACL must have at least one classifier. An ACL can be assigned to more than one switch port. An ACL filters ingress traffic, but not egress traffic.
  • Page 141: Examples

    3 - Action ... Deny; 4 - Classifier List ... 22; 5 - Port List ... 4. Create Classifier: 01 - Classifier ID: ... 22; 02 - Description: ... 149.11.11 flow; 12 - Src IP Addr: ...
  • Page 142: Figure 8: ACL Example 2

    Chapter 12: Access Control Lists To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL, as illustrated in the next example. Three subnets are denied access to port 4. The three classifiers defining the subnets are applied to the same ACL.
  • Page 143: Figure 9: ACL Example 3

    3 - Action ... Deny; 4 - Classifier List ... 62; 5 - Port List ... 4. Create Classifier: 01 - Classifier ID: ... 22; 02 - Description: ... 149.11.11 flow; 12 - Src IP Addr: ...
  • Page 144: Figure 10: ACL Example 4

    Chapter 12: Access Control Lists In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit.
  • Page 145: Figure 12: ACL Example 6

    3 - Action ... Deny; 4 - Classifier List ... 8,67; 5 - Port List ... 17. Create Classifier: 01 - Classifier ID: ... 6; 02 - Description: ... ToS 6 subnet flow; 09 - IP ToS: ...
  • Page 147: Chapter 13: Class Of Service

    Chapter 13 Class of Service This chapter describes the Class of Service (CoS) feature. Sections in the chapter include: “Supported Platforms” on page 148 “Overview” on page 149 “Scheduling” on page 152...
  • Page 148: Supported Platforms

    Chapter 13: Class of Service Supported Platforms Refer to Table 46 and Table 47 for the AT-9400 Switches and the management interfaces that support the Class of Service feature. Table 46. Support for the Class of Service: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 149: Overview

    Overview When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations. A port may be forced to delay transmission of packets while it handles other traffic.
  • Page 150 Table 48. Default Mappings of IEEE 802.1p Priority Levels to Priority ... For example, when a tagged packet with a priority level of 3 enters a port on the switch, the packet is stored in the Q3 queue on the egress port. Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN tag User Priority of 0.
  • Page 151 The packet leaves the switch with the same priority it had when it entered. This is true even if you change the default priority-to-egress queue mappings. Table 48, Priority Queues (Continued); columns: IEEE 802.1p Priority Level, Port Priority Queue; Q7 (highest)...
  • Page 152: Scheduling

    This control mechanism is called scheduling. The AT-S63 Management Software has two types of scheduling: Strict Priority...
  • Page 153: Table 50: Example Of Weighted Round Robin Priority

    Table 50. Example of Weighted Round Robin Priority (columns: Port Egress Queue, Maximum Number of Packets; starting at Q0 (lowest)). Table 51. Example of a Weight of Zero for Priority Queue 7 (columns: Port Egress Queue, Maximum Number of Packets; starting at Q0 (lowest))...
  • Page 154: Table 51: Example Of A Weight Of Zero For Priority Queue 7

    Chapter 13: Class of Service Table 51. Example of a Weight of Zero for Priority Queue 7 (Continued) (columns: Port Egress Queue, Maximum Number of Packets)...
  • Page 155: Chapter 14: Quality Of Service

    Chapter 14 Quality of Service This chapter describes Quality of Service (QoS). Sections in the chapter include: “Supported Platforms” on page 156 “Overview” on page 157 “Classifiers” on page 159 “Flow Groups” on page 160 “Traffic Classes” on page 161 “Policies”...
  • Page 156: Supported Platforms

    Chapter 14: Quality of Service Supported Platforms Refer to Table 52 and Table 53 for the AT-9400 Switches and the management interfaces that support Quality of Service. Table 52. Support for Quality of Service: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE...
  • Page 157: Overview

    Note: QoS is only performed on packets that are switched at wire speed. This includes IP, IP multicast, IPX, and Layer 2 traffic within VLANs.
  • Page 158 Chapter 14: Quality of Service The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy.
  • Page 159: Classifiers

    Classifiers Classifiers identify a particular traffic flow, and range from general to specific. (See Chapter 11, “Classifiers” on page 125 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic classes, assigned to the same policy.
  • Page 160: Flow Groups

    Chapter 14: Quality of Service Flow Groups Flow groups group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers.
  • Page 161: Traffic Classes

    Traffic Classes Traffic classes are the central component of the QoS solution. They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be assigned to only one policy. Traffic classes consist of a set of QoS parameters and a group of QoS flow groups.
  • Page 162: Policies

    Chapter 14: Quality of Service Policies QoS policies consist of a collection of user defined traffic classes. A policy can be assigned to more than one port, but a port may only have one policy. Note that the switch can only perform error checking of parameters and parameter values for the policy and its traffic classes and flow groups when the policy is set on a port.
  • Page 163: QoS Policy Guidelines

    QoS Policy Guidelines Following is a list of QoS policy guidelines: A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results. A classifier may be used successfully in many different policies.
  • Page 164: Packet Processing

    Chapter 14: Quality of Service Packet Processing You can use the switch’s QoS tools to perform any combination of the following functions on a packet flow: Bandwidth Allocation: Bandwidth limiting is configured at the level of traffic classes, and encompasses the flow groups contained in the traffic class. Traffic classes can be assigned maximum bandwidths, specified in kbps, Mbps, or Gbps.
  • Page 165 Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 48 on page 150.
  • Page 166: Replacing Priorities

    Chapter 14: Quality of Service Replacing Priorities The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, you need to replace one of two priority fields in the packet header: VLAN Tag User Priorities...
  • Page 167: Diffserv Domains

    DiffServ Domains Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network or subnet that is managed as a single QoS unit.
  • Page 168 To use the QoS tool set to configure a DiffServ domain: 1. As packets come into the domain at edge switches, replace their ... 2. On switches and routers within the DiffServ domain, classify packets ... 3. As packets leave the DiffServ domain, classify them according to the DSCP value, if required.
  • Page 169: Examples

    1. Policy 11 is for traffic arriving on port 8 going to the application. The components of the policies are shown in Figure 14. “Voice Applications,” next “Video Applications” on page 171 “Critical Database” on page 173...
  • Page 170: Figure 14: QoS Voice Application Example

    Policy 6: Create Classifier: 01 - Classifier ID: ... 22; 02 - Description ... VoIP flow; 12 - Src IP Addr ... 149.44.44.44; 13 - Src IP Mask ... Create Flow Group: 1 - Flow Group ID ... 14; 2 - Description ...
  • Page 171: Video Applications

    Policy 6 is applied to port 1 because this is where the application is located. Policy 11 is applied to port 8 because this is where traffic going to the application will be received.
  • Page 172: Figure 15: QoS Video Application Example

    Policy 17: Create Classifier: 01 - Classifier ID: ... 16; 02 - Description ... Video flow; 12 - Src IP Addr ... 149.44.44.44; 13 - Src IP Mask ... Create Flow Group: 1 - Flow Group ID ... 41; 2 - Description ...
  • Page 173: Critical Database

    Policy - Specifies the traffic class and the port where the policy is to be assigned. Figure 16. QoS Critical Database Example: Policy 17: Create Classifier: 01 - Classifier ID: ... 10; 02 - Description ... Database; 14 - Dst IP Addr ...
  • Page 174: Policy Component Hierarchy

    Chapter 14: Quality of Service Policy Component Hierarchy The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels—flow group, traffic class and policy.
  • Page 175: Figure 17: Policy Component Hierarchy Example

    5 - DSCP value ...; 9 - Classifier List ... 5,6; E - Flow Group List ... 3. Figure 17. Policy Component Hierarchy Example: Create Policy: 1 - Policy ID: ... 1; 3 - Remark DSCP ... All; 4 - DSCP value ...
  • Page 177: Chapter 15: Denial Of Service Defenses

    Chapter 15 Denial of Service Defenses This chapter explains the defense mechanisms in the management software that can protect your network against denial of service (DoS) attacks. Sections in the chapter include: “Supported Platforms” on page 178 “Overview” on page 179 “SYN Flood Attack”...
  • Page 178: Supported Platforms

    Chapter 15: Denial of Service Defenses Supported Platforms Refer to Table 54 and Table 55 for the AT-9400 Switches and the management interfaces that support the denial of service defenses. Table 54. Support for the Denial of Service ... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 179: Overview

    Overview The AT-S63 Management Software can help protect your network against the following types of denial of service attacks. The following sections describe each type of attack and the mechanism employed by the AT-S63 Management Software to protect your network.
  • Page 180: SYN Flood Attack

    Chapter 15: Denial of Service Defenses SYN Flood Attack In this type of attack, an attacker sends a large number of TCP connection requests (TCP SYN packets) with bogus source addresses to the victim. The victim responds with acknowledgements (SYN ACK packets), but because the original source addresses are bogus, the victim node does not receive any replies.
  • Page 181: Smurf Attack

    Smurf Attack This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request that has the network’s IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request.
  • Page 182: Land Attack

    The most direct approach for defending against this form of attack is for the AT-S63 Management Software to check the source and destination IP addresses in the IP packets, searching for and discarding those with identical source and destination addresses.
  • Page 183 4. If you choose to use it, Allied Telesis recommends activating it on all ports on the switch, including the uplink port. You can specify only one uplink port.
  • Page 184: Teardrop Attack

    This defense is extremely CPU intensive; use with caution. Unrestricted use can cause a switch to halt operations if the CPU becomes overwhelmed with IP traffic. To prevent this, Allied Telesis recommends activating this defense on only the uplink port and one other switch port at a time.
  • Page 185: Ping Of Death Attack

    CPU events, such as the processing of IGMP packets and spanning tree BPDUs. For this reason, Allied Telesis recommends limiting the use of this defense, activating it only on those ports where an attack is most likely to originate.
  • Page 186: IP Options Attack

    In the basic scenario of an IP options attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks, and the AT-S63 Management Software does not distinguish between them. Rather, the defense mechanism counts the number of ingress IP packets containing IP options received on a port.
  • Page 187: Mirroring Traffic

    Implementing this feature requires configuring the port mirroring feature as follows: Activate port mirroring. Specify a destination port. Do not specify any source ports. The source ports are defined by the Denial of Service defense mechanism.
  • Page 188: Denial Of Service Defense Guidelines

    Chapter 15: Denial of Service Defenses Denial of Service Defense Guidelines Below are guidelines to observe when using this feature: A switch port can support more than one DoS defense at a time. The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.
  • Page 189: Chapter 16: Power Over Ethernet

    Chapter 16 Power Over Ethernet This chapter contains background information on Power over Ethernet (PoE) for the AT-9424T/POE Switch. Sections in the chapter include: “Supported Platforms” on page 190 “Overview” on page 191 “Power Budgeting” on page 192 “Port Prioritization”...
  • Page 190: Supported Platforms

    Chapter 16: Power Over Ethernet Supported Platforms Refer to Table 56 and Table 57 for the AT-9400 Switch and the management interfaces that support the Power over Ethernet feature. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP...
  • Page 191: Overview

    AT-S63 Management Software Menus User’s Guide Overview Power over Ethernet (PoE) is a mechanism for supplying power to network devices over the same twisted pair cables that carry the network traffic. This feature, defined in the IEEE 802.3af standard, can make the installation and maintenance of a network easier.
  • Page 192: Power Budgeting

    Chapter 16: Power Over Ethernet Power Budgeting The AT-9424T/POE Switch has a maximum power budget of 380 watts. The maximum possible load on the switch from the powered devices is 360W. The latter number assumes that all of the twenty-four ports are connected to powered devices that are drawing the maximum of 15.4 W per port.
  • Page 193: Port Prioritization

    Power allocation is dynamic. Ports supplying power to powered devices may cease power transmission if the switch’s power budget has reached maximum usage and new powered devices, connected to ports with a higher priority, become active. (Port priority levels from the page’s table: Critical, High...)
  • Page 194: PoE Device Classes

    Chapter 16: Power Over Ethernet PoE Device Classes The IEEE 802.3af standard specifies four levels of classes for powered devices that are defined by power usage. The classes are: (The standard actually specifies five levels; the fifth is reserved for future use.) The class of a powered device is set by the manufacturer and it cannot be changed.
  • Page 195: Section III: Snooping Protocols

    Section III Snooping Protocols The chapters in this section contain overview information on the snooping protocols. The chapters include: Chapter 17, “Internet Group Management Protocol Snooping” on page Chapter 18, “Multicast Listener Discovery Snooping” on page 201 Chapter 19, “Router Redundancy Protocol Snooping” on page 205 Chapter 20, “Ethernet Protection Switching Ring Snooping”...
  • Page 197: Chapter 17: Internet Group Management Protocol Snooping

    Chapter 17 Internet Group Management Protocol Snooping This chapter explains the Internet Group Management Protocol (IGMP) snooping feature in the following sections: “Supported Platforms” on page 198 “Overview” on page 199...
  • Page 198: Supported Platforms

    Chapter 17: Internet Group Management Protocol Snooping Supported Platforms Refer to Table 58 and Table 59 for the AT-9400 Switches and the management interfaces that support the Internet Group Management Protocol (IGMP) snooping feature. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE...
  • Page 199: Overview

    Overview: IPv4 routers use IGMP to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports.
  • Page 200 Chapter 17: Internet Group Management Protocol Snooping Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance. The AT-9400 Switch maintains its list of multicast groups through an adjustable timeout value, which controls how frequently it expects to see reports from end nodes that want to remain members of multicast groups,...
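The overview above describes three behaviours: learn group members from the reports the switch sees, forward group traffic only to member ports (and toward the querying router), and expire memberships that are not refreshed within the timeout. The following is an added example (not code from the AT-S63 manual) that models those rules in one table that also serves MLD, since the manual states that MLDv1/MLDv2 snooping is the IPv6 counterpart of IGMPv2/IGMPv3. The port numbers, group addresses, timestamps and the 260 s timeout are constructed for the example; the AT-S63 timeout is adjustable and its default is not given on this page.

```python
"""IGMP/MLD snooping membership table with aging.

Added example; not code from the AT-S63 manual. Ports, groups and the
timeout value are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SnoopingTable:
    ports: set[int]
    timeout_s: float = 260.0  # constructed value; the real timeout is configurable
    # group -> {port: expiry time}; a group with no live ports is deleted
    members: dict[str, dict[int, float]] = field(default_factory=dict)
    # ports on which a querier (multicast router) was heard -> expiry time
    router_ports: dict[int, float] = field(default_factory=dict)

    def report(self, port: int, group: str, now: float) -> None:
        """IGMP membership report / MLD listener report refreshes the entry."""
        self.members.setdefault(group, {})[port] = now + self.timeout_s

    def leave(self, port: int, group: str, now: float) -> None:
        """Fast-leave simplification: drop the port immediately (a real snooper
        may first send a group-specific query before removing it)."""
        self._expire(now)
        self.members.get(group, {}).pop(port, None)
        if group in self.members and not self.members[group]:
            del self.members[group]

    def query(self, port: int, now: float) -> None:
        """A general query identifies the port that leads to the router."""
        self.router_ports[port] = now + self.timeout_s

    def _expire(self, now: float) -> None:
        for group in list(self.members):
            live = {p: t for p, t in self.members[group].items() if t > now}
            if live:
                self.members[group] = live
            else:
                del self.members[group]
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}

    def egress_ports(self, ingress: int, group: str, now: float) -> set[int]:
        """Ports a multicast frame for `group` arriving on `ingress` is sent to."""
        self._expire(now)
        if group in self.members:
            out = set(self.members[group]) | set(self.router_ports)
        else:
            # No snooping entry: behave like a plain switch and flood the frame
            # out every port except the one it arrived on.
            out = set(self.ports)
        return out - {ingress}


if __name__ == "__main__":
    t = SnoopingTable(ports=set(range(1, 9)))
    t.query(1, 0.0)                      # router on port 1
    t.report(3, "239.1.1.1", 0.0)        # IGMP member on port 3
    t.report(5, "ff15::1", 0.0)          # MLD member on port 5
    print("239.1.1.1 from router port ->", t.egress_ports(1, "239.1.1.1", 10.0))
    print("unknown group ->", t.egress_ports(3, "239.2.2.2", 10.0))
    print("after timeout ->", t.egress_ports(1, "239.1.1.1", 300.0))
```

The last line of the demonstration shows the point of the adjustable timeout: once no report has refreshed a membership, the switch falls back to flooding the group, which is safe for delivery but costs the bandwidth snooping was meant to save.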
  • Page 201: Chapter 18: Multicast Listener Discovery Snooping

    Chapter 18: Multicast Listener Discovery Snooping. This chapter explains Multicast Listener Discovery (MLD) snooping: “Supported Platforms” on page 202, “Overview” on page 203...
  • Page 202: Supported Platforms

    Chapter 18: Multicast Listener Discovery Snooping. Supported Platforms: Refer to Table 60 and Table 61 for the AT-9400 Switches and the management interfaces that support Multicast Listener Discovery snooping. Table 60. Support for Multicast Listener Discovery Snooping (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 models: AT-9424T...
  • Page 203: Overview

    There are two versions of MLD. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3. The AT-9400 Switch supports snooping of both MLDv1 and MLDv2. Note: The default setting for MLD snooping on the switch is disabled.
  • Page 205: Chapter 19: Router Redundancy Protocol Snooping

    Chapter 19: Router Redundancy Protocol Snooping. This chapter explains Router Redundancy Protocol (RRP) snooping and contains the following sections: “Supported Platforms” on page 206, “Overview” on page 207, “Guidelines” on page 208...
  • Page 206: Supported Platforms

    Chapter 19: Router Redundancy Protocol Snooping. Supported Platforms: Refer to Table 62 and Table 63 for the AT-9400 Switches and the management interfaces that support Router Redundancy Protocol snooping. Table 62. Support for Router Redundancy Protocol Snooping (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 models: AT-9424T...
  • Page 207: Overview

    RRP snooping monitors ingress RRP packets, identified by their source MAC address. The source MAC addresses that the AT-S63 Management Software treats as RRP packets are: ... A port receiving an RRP packet is deemed by the switch to be the master RRP port.
  • Page 208: Guidelines

    Chapter 19: Router Redundancy Protocol Snooping. Guidelines: The following guidelines apply to the RRP snooping feature: The default setting for this feature is disabled. Activating the feature flushes all dynamic MAC addresses from the MAC address table. RRP snooping is supported on ports operating in the MAC address-based port security level of automatic.
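The overview and guidelines above say that RRP frames are recognized by their source MAC address, that the receiving port becomes the master RRP port, and that enabling the feature flushes the dynamic MAC table. The following is an added example (not code from the AT-S63 manual) that implements that classification and tracks master-port changes. The manual's own list of source MAC addresses is not reproduced on this page; the prefixes used here are an assumption based on the IANA VRRP virtual-router MACs (00-00-5E-00-01-xx for IPv4, 00-00-5E-00-02-xx for IPv6) and the Cisco HSRP virtual MACs (00-00-0C-07-AC-xx for HSRPv1, 00-00-0C-9F-Fx-xx for HSRPv2). The ports and frames are constructed. An unexpected move of the master port is worth logging, because an unauthorized host that sends frames from a virtual router MAC would move it the same way.

```python
"""RRP snooping: classify router-redundancy frames by source MAC and
track which port is the master RRP port.

Added example; not code from the AT-S63 manual. The prefix table is an
assumption (the manual's list is not on this page).
"""
from __future__ import annotations

# Assumed prefix table: IANA VRRP and Cisco HSRP virtual MACs.
RRP_MAC_PREFIXES = {
    "00:00:5e:00:01": "VRRP (IPv4)",
    "00:00:5e:00:02": "VRRP (IPv6)",
    "00:00:0c:07:ac": "HSRPv1",
    "00:00:0c:9f:f": "HSRPv2",   # 00:00:0c:9f:f0:00 through 00:00:0c:9f:ff:ff
}


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def rrp_protocol(src_mac: str) -> str | None:
    """Name of the redundancy protocol a source MAC belongs to, else None."""
    mac = normalize_mac(src_mac)
    for prefix, name in RRP_MAC_PREFIXES.items():
        if mac.startswith(prefix):
            return name
    return None


class RrpSnooper:
    def __init__(self) -> None:
        self.enabled = False
        self.master_port: int | None = None
        self.fdb: dict[str, int] = {}   # dynamic MAC address table: mac -> port
        self.events: list[str] = []

    def enable(self) -> None:
        # Manual: activating the feature flushes all dynamic MAC addresses.
        self.enabled = True
        self.fdb.clear()
        self.events.append("RRP snooping enabled; dynamic MAC table flushed")

    def ingress(self, port: int, src_mac: str) -> str | None:
        """Process one received frame; returns the RRP protocol name if any."""
        mac = normalize_mac(src_mac)
        self.fdb[mac] = port            # ordinary source-MAC learning
        proto = rrp_protocol(mac)
        if not self.enabled or proto is None:
            return None
        if self.master_port is None:
            self.events.append(f"master RRP port set to {port} ({proto}, {mac})")
        elif port != self.master_port:
            # Legitimate failover moves the master; so does a spoofed VRRP/HSRP
            # speaker, so this transition deserves a log entry either way.
            self.events.append(
                f"master RRP port moved from {self.master_port} to {port} ({proto}, {mac})")
        self.master_port = port
        return proto


if __name__ == "__main__":
    s = RrpSnooper()
    s.ingress(5, "00:1a:2b:3c:4d:5e")          # learned before enable
    s.enable()                                   # flushes the table
    s.ingress(24, "00:00:5e:00:01:01")           # VRRP VRID 1 on the uplink
    s.ingress(5, "00:1a:2b:3c:4d:5e")            # plain host traffic
    s.ingress(7, "00:00:0c:07:ac:0a")            # HSRP group 10 from an access port
    print("\n".join(s.events))
```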
  • Page 209: Chapter 20: Ethernet Protection Switching Ring Snooping

    Chapter 20: Ethernet Protection Switching Ring Snooping. This chapter has the following sections: “Supported Platforms” on page 210, “Overview” on page 211, “Restrictions” on page 213, “Guidelines” on page 215...
  • Page 210: Supported Platforms

    Chapter 20: Ethernet Protection Switching Ring Snooping. Supported Platforms: Refer to Table 64 and Table 65 for the AT-9400 Switches and the management interfaces that support Ethernet Protection Switching Ring snooping. Table 64. Support for Ethernet Protection Switching Ring Snooping (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 211: Overview

    ...VLAN groups. For information on VLANs, refer to Chapter 24, “Port-based and Tagged VLANs” on page 269. Note: For background information and configuration examples of EPSR, refer to the AlliedWare OS Software Reference Guide.
  • Page 212 Chapter 20: Ethernet Protection Switching Ring Snooping After creating the VLANs, you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it receive EPSR messages on one of the two ports of the VLAN.
  • Page 213: Restrictions

    The AT-9400 Switch cannot fulfill the role of master node of a ring because EPSR snooping does not generate EPSR control messages. That function must be assigned to another Allied Telesis switch that supports EPSR, such as the AT-x900 Advanced Layer 3 Switches. (For a list of Allied Telesis products that support EPSR, refer to the company’s web site or...
  • Page 214: Figure 18: Double Fault Condition In Epsr Snooping

    Chapter 20: Ethernet Protection Switching Ring Snooping. [Figure 18. Double Fault Condition in EPSR Snooping: AT-8948 Switch (Master Node), Transit Node, AT-9400 Switch, Transit Node] Now assume the link is reestablished between the switch and the transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN to the AT-9400 Switch.
  • Page 215: Guidelines

    Guidelines: The guidelines for EPSR snooping are: The AT-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances. The AT-9400 Switch cannot be the master node of a ring.
  • Page 217: Section Iv: Snmpv3

    Section IV: SNMPv3. The chapter in this section contains overview information on SNMPv3. The chapter is: Chapter 21, “SNMPv3” on page 219...
  • Page 219: Chapter 21: Snmpv3

    Chapter 21: SNMPv3. This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. The following sections are provided: “Supported Platforms” on page 220, “Overview” on page 221, “SNMPv3 Authentication Protocols” on page 222, “SNMPv3 Privacy Protocol” on page 223, “SNMPv3 MIB Views”...
  • Page 220: Supported Platforms

    Chapter 21: SNMPv3. Supported Platforms: Refer to Table 66 and Table 67 for the AT-9400 Switches and the management interfaces that support SNMPv3. Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 models: AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. (Table 67 columns, truncated: Stand-alone Switch; AT-9400Ts Stack; Switch or Stack...)
  • Page 221: Overview

    This section further describes the features of the SNMPv3 protocol. The following subsections are included: “SNMPv3 Authentication Protocols” on page 222, “SNMPv3 Privacy Protocol” on page 223, “SNMPv3 MIB Views”... Note: For the SNMP RFCs supported by this release of the AT-S63 software, see “Remote SNMP Management” on page 44.
  • Page 222: Snmpv3 Authentication Protocols

    Chapter 21: SNMPv3. SNMPv3 Authentication Protocols: The SNMPv3 protocol supports two authentication protocols, HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both compute a keyed message digest over each message; the receiver recomputes the digest and authenticates the user by checking that it matches. The key used by both protocols is derived from the user's authentication password.
  • Page 223: Snmpv3 Privacy Protocol

    After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S63 software. In SNMPv3 terminology, privacy is equivalent to encryption. Currently, DES is the only privacy protocol supported. Note that DES uses a 56-bit key and is no longer considered strong; treat DES privacy as protection against casual eavesdropping rather than against a determined attacker.
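The two pages above name the algorithms but not what the switch and manager actually do with the passwords. The following is an added example (not code from the AT-S63 manual) that carries the SNMPv3 User-based Security Model steps through in Python: the RFC 3414 password-to-key stretching, localization of the key to the SNMP engine ID, the 96-bit truncated HMAC that goes into msgAuthenticationParameters, and the split of the localized privacy key into a DES key and pre-IV. It checks itself against the RFC 3414 appendix test vector (password "maplesyrup", engine ID 00..02); the message bytes are constructed. DES itself is not implemented here because the Python standard library does not provide it.

```python
"""SNMPv3 USM key derivation and HMAC-96 (RFC 3414).

Added example; not code from the AT-S63 manual. The message bytes in the
demonstration are constructed.
"""
import hashlib
import hmac

HASH = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_key(password: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated password.

    The stretching makes offline guessing of the password slower; the
    result (Ku) is the same on every engine.
    """
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    return HASH[proto](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Localization ties the key to one switch, so a key recovered from one
    engine does not authenticate the same user to another.
    """
    return HASH[proto](ku + engine_id + ku).digest()


def auth_key(password: bytes, engine_id: bytes, proto: str) -> bytes:
    return localize_key(password_to_key(password, proto), engine_id, proto)


def hmac96(kul: bytes, proto: str, wire_msg: bytes) -> bytes:
    """msgAuthenticationParameters: the first 12 bytes of the HMAC over the
    whole message, computed with that 12-byte field set to zeros."""
    return hmac.new(kul, wire_msg, HASH[proto]).digest()[:12]


def verify(kul: bytes, proto: str, wire_msg_zeroed: bytes, received: bytes) -> bool:
    """Constant-time comparison, so timing does not leak digest bytes."""
    return hmac.compare_digest(hmac96(kul, proto, wire_msg_zeroed), received)


def des_privacy_key(kul_priv: bytes) -> tuple[bytes, bytes]:
    """RFC 3414 8.1.1.1: from the 16-byte localized privacy key, bytes 0-7
    are the DES key and bytes 8-15 the pre-IV (XORed with the salt per message).
    The privacy password is localized with the user's authentication hash."""
    if len(kul_priv) < 16:
        raise ValueError("localized key too short")
    return kul_priv[:8], kul_priv[8:16]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 test engine ID
    for proto in ("md5", "sha"):
        k = auth_key(b"maplesyrup", engine, proto)
        print(proto, "localized key", k.hex())
    msg = b"\x30\x2a\x02\x01\x03" + b"constructed SNMPv3 message body"  # constructed
    k_sha = auth_key(b"maplesyrup", engine, "sha")
    tag = hmac96(k_sha, "sha", msg)
    print("auth params", tag.hex(), "verify:", verify(k_sha, "sha", msg, tag))
```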
  • Page 224: Snmpv3 Mib Views

    [MIB tree figure, truncated: ... (2) ip (4)] The AT-S63 software supports the MIB tree starting with the Internet MIBs, rooted at OID 1.3.6.1. There are two ways to specify a MIB view: you can enter the OID number of the MIB view or its equivalent text name.
  • Page 225 After you specify a MIB subtree view you have the option of further restricting a view by defining a subtree mask. The relationship between a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask.
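The analogy above (subtree view is to subtree mask as IP address is to subnet mask) is exact in the RFC 3415 view-based access control rules: each mask bit corresponds to one sub-identifier of the subtree, 1 means that sub-identifier must match and 0 makes it a wildcard, bits past the end of the mask count as 1, and when several entries cover an OID the one with the longest subtree wins, ties going to the greater mask. The following is an added example (not code from the AT-S63 manual) that implements those rules and evaluates a constructed Operators-style view that exposes mib-2, hides the interface table, and re-exposes only the rows for ifIndex 3 by wildcarding the column sub-identifier with the mask ff:a0. The view entries and OIDs are constructed.

```python
"""SNMPv3 MIB view matching with subtree masks (RFC 3415 VACM rules).

Added example; not code from the AT-S63 manual. The view entries and the
OIDs checked are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


def oid(text: str) -> tuple[int, ...]:
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> tuple[bool, ...]:
    """Expand a hex mask such as "ff:a0" to one flag per sub-identifier.
    An empty mask, or one shorter than the subtree, is padded with 1s."""
    raw = bytes.fromhex(mask_hex.replace(":", "")) if mask_hex else b""
    bits = [bool(b & (0x80 >> i)) for b in raw for i in range(8)]
    bits = bits[:length] + [True] * max(0, length - len(bits))
    return tuple(bits)


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple[int, ...]
    mask: tuple[bool, ...]
    included: bool

    @classmethod
    def make(cls, subtree: str, mask_hex: str = "", included: bool = True) -> "ViewEntry":
        s = oid(subtree)
        return cls(s, mask_bits(mask_hex, len(s)), included)

    def covers(self, target: tuple[int, ...]) -> bool:
        """Like an IP prefix match: the target must be at least as long as the
        subtree and agree on every sub-identifier whose mask bit is 1."""
        if len(target) < len(self.subtree):
            return False
        return all(not must or t == s
                   for s, must, t in zip(self.subtree, self.mask, target))


def in_view(view: list[ViewEntry], target_oid: str) -> bool:
    """True if the most specific covering entry is an 'included' one."""
    target = oid(target_oid)
    matches = [e for e in view if e.covers(target)]
    if not matches:
        return False                      # nothing in the view mentions it: denied
    best = max(matches, key=lambda e: (len(e.subtree), e.mask))
    return best.included


# Constructed "Operators" view: read mib-2, but of the interface table only
# the rows for ifIndex 3. Sub-identifier 10 of ifEntry.<column>.<ifIndex>
# is the column; mask ff:a0 = 1111 1111 1010 0... wildcards exactly that one.
OPERATORS_VIEW = [
    ViewEntry.make("1.3.6.1.2.1", included=True),             # mib-2
    ViewEntry.make("1.3.6.1.2.1.2.2", included=False),        # ifTable hidden
    ViewEntry.make("1.3.6.1.2.1.2.2.1.0.3", "ff:a0", True),   # ifEntry.*.3 shown
    ViewEntry.make("1.3.6.1.4.1", included=False),            # enterprises hidden
]


if __name__ == "__main__":
    for o in ("1.3.6.1.2.1.1.1.0",        # sysDescr.0
              "1.3.6.1.2.1.2.2.1.10.3",   # ifInOctets.3
              "1.3.6.1.2.1.2.2.1.10.4",   # ifInOctets.4
              "1.3.6.1.6.3.15.1.1.1.0"):  # usmStats (outside mib-2)
        print(o, "->", "allowed" if in_view(OPERATORS_VIEW, o) else "denied")
```

Two details that catch people configuring views: an OID that no entry covers is denied, not allowed, and an `excluded` entry only takes effect when it is the most specific match, so hiding ifTable while including all of mib-2 works because the ifTable subtree is longer.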
  • Page 226: Snmpv3 Storage Types

    Chapter 21: SNMPv3 SNMPv3 Storage Types Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile storage which allows you to save the table entry or volatile storage which does not allow you to save an entry. If you select the volatile storage type, when you power off the switch your SNMPv3 configuration is lost and cannot be recovered.
  • Page 227: Snmpv3 Message Notification

    ...Level, Privacy Protocol and Group—with the type of message and the host IP address. [Figure: message notification ties together the type of message, the destination of the message and the SNMP security information (user, view of the MIB tree, security level, security model, authentication level, privacy protocol, group)]
  • Page 228: Snmpv3 Tables

    Chapter 21: SNMPv3 SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration: First, you create a user in the Configure SNMPv3 User Table.
  • Page 229: Figure 21: Snmpv3 Message Notification Process

    “SNMPv3 View Table” on page 230, “SNMPv3 SecurityToGroup Table” on page 230, “SNMPv3 Notify Table” on page 231, “SNMPv3 Target Address Table” on page 231. [Figure 21. SNMPv3 Message Notification Process: the tables are linked by Notify Tag, by Target Parameter Name and by User Name...]
  • Page 230: Snmpv3 User Table

    Chapter 21: SNMPv3. SNMPv3 User Table: The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so that the messages a user sends and receives are encrypted.
  • Page 231: Snmpv3 Notify Table

    SNMPv3 Community Table: The Configure SNMPv3 Community Table menu allows you to configure SNMPv1 and SNMPv2c communities. If you are going to use the SNMPv3 Community Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table.
  • Page 232: Snmpv3 Configuration Example

    Chapter 21: SNMPv3 SNMPv3 Configuration Example You may want to have two classes of SNMPv3 users—Managers and Operators. In this scenario, you would configure one group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privileges only. For a detailed example of this configuration, see Appendix B, “SNMPv3 Configuration Examples”...
  • Page 233: Section V: Spanning Tree Protocols

    Section V Spanning Tree Protocols The section has the following chapters: Chapter 22, “Spanning Tree and Rapid Spanning Tree Protocols” on page 235 Chapter 23, “Multiple Spanning Tree Protocol” on page 247 Section V: Spanning Tree Protocols...
  • Page 235: Chapter 22: Spanning Tree And Rapid Spanning Tree Protocols

    Chapter 22 Spanning Tree and Rapid Spanning Tree Protocols This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The sections in this chapter include: “Supported Platforms” on page 236 “Overview” on page 237 “Bridge Priority and the Root Bridge”...
  • Page 236: Supported Platforms

    Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols. Supported Platforms: Refer to Table 68 and Table 69 for the AT-9400 Switches and the management interfaces that support the Spanning Tree and Rapid Spanning Tree Protocols. Table 68. Support for the Spanning Tree and Rapid Spanning Tree Protocols (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB...
  • Page 237: Overview

    Only one spanning tree can be active on the switch at a time. The default is RSTP. The STP implementation in the AT-S63 Management Software complies with the IEEE 802.1D standard; the RSTP implementation complies with IEEE 802.1w. The following subsections provide a basic overview of how STP and RSTP operate and define the parameters that you can adjust.
  • Page 238: Bridge Priority And The Root Bridge

    MAC address is designated as the root bridge. You can change the bridge priority number in the AT-S63 Management Software. You can designate which switch on your network you want as the root bridge by giving it the lowest bridge priority number. You might...
  • Page 239: Path Costs And Port Costs

    The port cost of a port on the AT-9400 Switch is adjustable through the AT-S63 Management Software. For STP, the range is 0 to 65,535. For RSTP, the range is 0 to 20,000,000. Port cost also has an Auto-Detect feature. This feature allows spanning tree to automatically set the port cost according to the speed of the port, assigning a lower value for higher speeds.
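The two pages above describe the two numbers that shape the tree: the bridge ID (priority, with the MAC address as tie-breaker) that elects the root, and the per-port costs that add up into each bridge's root path cost. The following is an added example (not code from the AT-S63 manual) that runs that election and cost computation over a constructed three-switch topology, for both STP and RSTP. The auto-detect costs used are the IEEE 802.1D-1998 (STP) and 802.1D-2004/802.1t (RSTP) recommended values per link speed; the manual's own Tables 71-74 are not reproduced on this page. The last part shows the security-relevant consequence of the election rule: any device that sends BPDUs with priority 0 becomes root regardless of its MAC address, which is why BPDUs from user-facing ports deserve scrutiny.

```python
"""Spanning tree root election and root path costs.

Added example; not code from the AT-S63 manual. Switch names, MACs,
priorities and links are constructed.
"""
from __future__ import annotations
import heapq

# Auto-detect port cost by speed (Mb/s): IEEE 802.1D-1998 for STP,
# IEEE 802.1D-2004 / 802.1t for RSTP. Not the manual's tables.
AUTO_COST = {
    "stp":  {10: 100, 100: 19, 1000: 4, 10000: 2},
    "rstp": {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000},
}

Bridges = dict[str, tuple[int, str]]          # name -> (priority, MAC)
Links = list[tuple[str, str, int]]             # (bridge a, bridge b, speed Mb/s)


def bridge_id(bridges: Bridges, name: str) -> tuple[int, str]:
    prio, mac = bridges[name]
    if not 0 <= prio <= 65535:
        raise ValueError(f"{name}: priority {prio} out of range")
    return (prio, mac.lower())


def elect_root(bridges: Bridges) -> str:
    """Lowest bridge ID wins: the priority first, the MAC breaks ties."""
    return min(bridges, key=lambda n: bridge_id(bridges, n))


def root_path_costs(bridges: Bridges, links: Links,
                    protocol: str) -> dict[str, tuple[int, str | None]]:
    """Shortest paths from the root, summing the receiving port's cost on
    each hop (a full-duplex link of one speed costs the same both ways).
    Returns {bridge: (root path cost, next hop toward the root)}.
    Equal-cost paths are broken by the lower bridge ID of the sender."""
    root = elect_root(bridges)
    adj: dict[str, list[tuple[str, int]]] = {b: [] for b in bridges}
    for a, b, speed in links:
        cost = AUTO_COST[protocol][speed]
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best: dict[str, tuple[int, str | None]] = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nxt, c in adj[node]:
            new = cost + c
            cur = best.get(nxt)
            better = cur is None or new < cur[0] or (
                new == cur[0] and cur[1] is not None
                and bridge_id(bridges, node) < bridge_id(bridges, cur[1]))
            if better:
                best[nxt] = (new, node)
                heapq.heappush(heap, (new, nxt))
    return best


if __name__ == "__main__":
    bridges = {"A": (32768, "00:00:00:00:00:0a"),
               "B": (32768, "00:00:00:00:00:0b"),
               "C": (32768, "00:00:00:00:00:0c")}
    links = [("A", "B", 1000), ("B", "C", 1000), ("A", "C", 100)]
    print("root:", elect_root(bridges))
    for proto in ("stp", "rstp"):
        print(proto, root_path_costs(bridges, links, proto))
    rogue = dict(bridges, R=(0, "ff:ff:ff:ff:ff:ff"))
    print("with a priority-0 device attached:", elect_root(rogue))
```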
  • Page 240: Port Priority

    Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols Table 72 lists the STP port costs with Auto-Detect when a port is part of a port trunk. Table 73 lists the RSTP port costs with Auto-Detect. Table 74 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.
  • Page 241: Table 75: Port Priority Value Increments

    Section V: Spanning Tree Protocols. Table 75. Port Priority Value Increments (columns: Bridge Priority, Increment, repeated for a second column pair; table body truncated)...
  • Page 242: Forwarding Delay And Topology Changes

    The forwarding delay value is adjustable in the AT-S63 Management Software. The appropriate value for this parameter depends on a number of variables; the size of your network is a primary factor. For large...
  • Page 243: Point-To-Point And Edge Ports

    ...RSTP devices connected to it. Note: This section applies only to RSTP. [Figure 22. Point-to-Point Ports: point-to-point port, edge port; AT-9424T/SP faceplate image]
  • Page 244: Figure 23: Edge Port

    Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no STP or RSTP devices connected to it. Figure 24 illustrates a port functioning as both a point-to-point and edge port.
  • Page 245: Mixed Stp And Rstp Networks

    Mixed STP and RSTP Networks: RSTP (IEEE 802.1w) is backward compatible with STP (IEEE 802.1D). Your network can consist of bridges running both protocols, and STP and RSTP bridges in the same network operate together to create a single spanning tree domain.
  • Page 246: Spanning Tree And Vlans

    Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols Spanning Tree and VLANs The spanning tree implementation in the AT-S63 Management Software is a single-instance spanning tree. The switch supports just one spanning tree. You cannot define multiple spanning trees.
  • Page 247: Chapter 23: Multiple Spanning Tree Protocol

    Chapter 23 Multiple Spanning Tree Protocol This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The sections in this chapter include: “Supported Platforms” on page 248 “Overview” on page 249 “Multiple Spanning Tree Instance (MSTI)” on page 250 “MSTI Guidelines”...
  • Page 248: Supported Platforms

    Chapter 23: Multiple Spanning Tree Protocol. Supported Platforms: Refer to Table 76 and Table 77 for the AT-9400 Switches and the management interfaces that support the Multiple Spanning Tree Protocol. Table 76. Support for the Multiple Spanning Tree Protocol (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 249: Overview

    Note: The AT-S63 MSTP implementation complies fully with the IEEE 802.1s standard and should be interoperable with any other vendor's fully compliant 802.1s implementation.
  • Page 250: Multiple Spanning Tree Instance (Msti)

    Chapter 23: Multiple Spanning Tree Protocol. Multiple Spanning Tree Instance (MSTI): The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Switches. The switch can support up to 16 spanning tree instances at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID.
  • Page 251: Figure 26: Vlan Fragmentation With Stp Or Rstp

    [Figure 26. VLAN Fragmentation with STP or RSTP: Sales VLAN and Production VLAN on two AT-9424T/SP Gigabit Ethernet Switches, linked through GBIC ports]
  • Page 252: Figure 27: Mstp Example Of Two Spanning Tree Instances

    Chapter 23: Multiple Spanning Tree Protocol Figure 27 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
  • Page 253: Figure 28: Multiple Vlans In A Msti

    [Figure 28. Multiple VLANs in a MSTI: MSTI 2 containing the Engineering, Sales and Design VLANs on AT-9424T/SP Gigabit Ethernet Switches, linked through GBIC ports]
  • Page 254: Msti Guidelines

    Chapter 23: Multiple Spanning Tree Protocol. MSTI Guidelines: The following are several guidelines to keep in mind about MSTIs: The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST. An MSTI can contain any number of VLANs. A VLAN can belong to only one MSTI at a time.
  • Page 255: Vlan And Msti Associations

    VLAN and MSTI Associations: Part of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instance can contain any number of VLANs.
  • Page 256: Ports In Multiple Mstis

    Chapter 23: Multiple Spanning Tree Protocol. Ports in Multiple MSTIs: A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously, depending on the requirements of the MSTIs.
  • Page 257: Multiple Spanning Tree Regions

    If any of the above information is different on two bridges, MSTP considers the bridges as residing in different regions. The information compared is: configuration name; revision number; VLANs; VLAN to MSTI ID associations.
  • Page 258: Figure 29: Multiple Spanning Tree Region

    Chapter 23: Multiple Spanning Tree Protocol Figure 29 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
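The region rule above (same configuration name, revision level and VLAN-to-MSTI associations) is what an 802.1s bridge actually checks when it compares BPDUs: the associations are not sent as a list but as a configuration digest, an HMAC-MD5 over the 4096-entry VID-to-MSTID table computed with a fixed key published in the standard. The following is an added example (not code from the AT-S63 manual) that computes that digest and uses it to decide whether two constructed switches share a region; switch names and mappings are constructed. It is useful when diagnosing a ring or mesh that unexpectedly splits into two regions: a single VLAN mapped differently on one switch changes the digest.

```python
"""MSTP region identity: configuration name, revision and VLAN-to-MSTI digest.

Added example; not code from the AT-S63 manual. Switch names and VLAN
mappings are constructed.
"""
from __future__ import annotations
import hashlib
import hmac

# Fixed HMAC-MD5 signature key from IEEE 802.1s (Table 13-1 in 802.1Q).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
CIST = 0  # the default instance; every VLAN not mapped elsewhere is here


def mst_config_digest(vlan_to_msti: dict[int, int]) -> str:
    """Digest of the VID-to-MSTID table: 4096 big-endian 16-bit entries,
    one per VID 0..4095, unmapped VIDs left in the CIST (0)."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_id(name: str, revision: int, vlan_to_msti: dict[int, int]) -> tuple[str, int, str]:
    """The three values a bridge compares to decide region membership."""
    if not 0 <= revision <= 65535:
        raise ValueError("revision is a 16-bit value")
    return (name, revision, mst_config_digest(vlan_to_msti))


def same_region(a: tuple[str, int, dict[int, int]],
                b: tuple[str, int, dict[int, int]]) -> bool:
    return region_id(*a) == region_id(*b)


def explain_split(a: tuple[str, int, dict[int, int]],
                  b: tuple[str, int, dict[int, int]]) -> list[str]:
    """Human-readable reasons two switches are not in one region."""
    reasons = []
    if a[0] != b[0]:
        reasons.append(f"configuration name differs: {a[0]!r} vs {b[0]!r}")
    if a[1] != b[1]:
        reasons.append(f"revision differs: {a[1]} vs {b[1]}")
    for vid in sorted(set(a[2]) | set(b[2])):
        if a[2].get(vid, CIST) != b[2].get(vid, CIST):
            reasons.append(f"VLAN {vid}: MSTI {a[2].get(vid, CIST)} vs {b[2].get(vid, CIST)}")
    return reasons


if __name__ == "__main__":
    print("default digest:", mst_config_digest({}))
    sw_a = ("campus", 1, {10: 1, 20: 1, 30: 2})
    sw_b = ("campus", 1, {10: 1, 20: 1, 30: 2})
    sw_c = ("campus", 1, {10: 1, 20: 1, 30: 1})   # VLAN 30 mapped differently
    print("A and B same region:", same_region(sw_a, sw_b))
    print("A and C same region:", same_region(sw_a, sw_c), explain_split(sw_a, sw_c))
```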
  • Page 259: Region Guidelines

    MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge's MAC address. The regional root of an MSTI must be in the same region as the MSTI.
  • Page 260: Common And Internal Spanning Tree (Cist)

    Chapter 23: Multiple Spanning Tree Protocol. Common and Internal Spanning Tree (CIST): MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself.
  • Page 261: Summary Of Guidelines

    A port transmits CIST information even when it is associated with another MSTI ID. However, in determining network loops, the MSTI takes precedence over the CIST. (This is explained further in “Associating VLANs to MSTIs” on page 263.)
  • Page 262 Chapter 23: Multiple Spanning Tree Protocol. Note: The AT-S63 MSTP implementation complies fully with the IEEE 802.1s standard. Any other vendor's fully compliant 802.1s implementation is interoperable with the AT-S63 implementation.
  • Page 263: Associating Vlans To Mstis

    Associating VLANs to MSTIs Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state.
  • Page 264: Figure 31: Cist And Vlan Guideline - Example 2

    Chapter 23: Multiple Spanning Tree Protocol. [Figure 31. CIST and VLAN Guideline - Example 2: Switch A, Port 1, Port 8...] When port 4 on switch B receives a BPDU, the switch notes that the port sending the packet belongs only to the CIST. Therefore, switch B uses the CIST in determining whether a loop exists. The result is that the switch detects a loop because the other port is also receiving BPDU packets from CIST 0.
  • Page 265: Connecting Vlans Across Different Regions

    [Figure 32. Spanning Regions - Example 1: Switch A; Region 2; AT-9424T/SP Gigabit Ethernet Switch faceplate images]
  • Page 266 Chapter 23: Multiple Spanning Tree Protocol Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example. Assume that you have two regions that contain the following VLANS: Region 1 VLANs Sales...
  • Page 267: Section Vi: Virtual Lans

    Section VI: Virtual LANs. The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Switch. The chapters include: Chapter 24, “Port-based and Tagged VLANs” on page 269, Chapter 25, “GARP VLAN Registration Protocol” on page 283, Chapter 26, “Multiple VLAN Modes”...
  • Page 269: Chapter 24: Port-Based And Tagged Vlans

    Chapter 24: Port-based and Tagged VLANs. This chapter contains overview information about port-based and tagged virtual LANs (VLANs). This chapter contains the following sections: “Supported Platforms” on page 270, “Overview” on page 271, “Port-based VLAN Overview” on page 273, “Tagged VLAN Overview”...
  • Page 270: Supported Platforms

    Chapter 24: Port-based and Tagged VLANs. Supported Platforms: Refer to Table 78 and Table 79 for the AT-9400 Switches and the management interfaces that support port-based and tagged VLANs. Table 78. Support for Port-based and Tagged VLANs (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 271: Overview

    VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 Management Software and so be able to group nodes with related functions into their own separate, logical LAN segments. These VLAN groupings can be based on similar data needs or security requirements.
  • Page 272 Chapter 24: Port-based and Tagged VLANs. The AT-9400 Switch supports the following types of VLANs that you can create yourself: ... These VLANs are described in the following sections. ...Management Software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another.
  • Page 273: Port-Based Vlan Overview

    Section VI: Virtual LANs. Note: The AT-9400 Switch is preconfigured with one port-based VLAN. All ports on the switch are members of this VLAN, called the Default_VLAN. A port-based VLAN is defined by: VLAN name; VLAN Identifier (VID); untagged ports; Port VLAN Identifier (PVID).
  • Page 274: Untagged Ports

    AT-9400 Switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 Management Software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
  • Page 275: Guidelines To Creating A Port-Based Vlan

    ...a VLAN that spans three switches would require one port on each switch to interconnect the various sections of the VLAN. In network configurations where there are many individual VLANs that span switches, many ports could end up being used ineffectively just to interconnect the various VLANs.
  • Page 276: Port-Based Example 1

    The ports have been assigned PVID values. A port’s PVID is assigned automatically by the AT-S63 Management Software when you create the VLAN. The PVID of a port is the same as the VID to which the port is an untagged member.
  • Page 277: Port-Based Example 2

    [Figure 34. Port-based VLAN - Example 2: Production VLAN (VID 4); AT-9424T/SP Gigabit Ethern Switch (top), AT-9424T/GB Gigabit Ethernet Switch (bottom), Router; port numbers 1-24 on the faceplates]
  • Page 278 Chapter 24: Port-based and Tagged VLANs. The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches: Sales VLAN: AT-9424T/SP Switch (top), ports 1 - 6 (PVID 2); AT-9424T/GB Switch (bottom), ports 2 - 4, 6, 8 (PVID 2). Engineering VLAN...
  • Page 279: Tagged Vlan Overview

    Tagged VLAN Overview The second type of VLAN supported by the AT-S63 Management Software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership.
  • Page 280: Tagged And Untagged Ports

    Chapter 24: Port-based and Tagged VLANs. Tagged and Untagged Ports: You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
  • Page 281: Tagged Vlan Example

    [Figure 35. Example of a Tagged VLAN: Production VLAN (VID 4), Legacy Server, AT-9424T/SP Gigabit Ethernet Switch, Router, AT-9424T/GB Gigabit Ethernet Switch; port numbers 1-24 on the faceplates]
  • Page 282 Chapter 24: Port-based and Tagged VLANs. The port assignments for the VLANs are as follows: Sales VLAN (VID 2), untagged ports: AT-9424T/SP Switch (top), ports 1, 3 to 5 (PVID 2); AT-9424T/GB Switch (bottom), ports 2, 4, 6, 8 (PVID 2). This example is nearly identical to the “Port-based Example 2”...
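The port-based and tagged VLAN pages above state the rules in prose: an untagged frame is assigned the ingress port's PVID (the VID of the VLAN the port is an untagged member of), a tagged frame carries its VID in the 802.1Q header, and on egress a frame leaves each port tagged or untagged according to that port's membership. The following is an added example (not code from the AT-S63 manual) that applies those rules on one constructed switch with two port-based VLANs, one server port that is an untagged member of one VLAN and a tagged member of another, and a tagged uplink. The acceptance rule for tagged frames follows 802.1Q ingress filtering (accept only if the port is a member of that VID); the manual's own statement of that rule is not on this page, so treat it as an assumption.

```python
"""802.1Q ingress classification and egress tagging on one switch.

Added example; not code from the AT-S63 manual. Ports, VLANs and frames
are constructed; tagged-frame acceptance follows 802.1Q ingress filtering.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PortConfig:
    pvid: int
    untagged: set[int] = field(default_factory=set)  # VLANs this port is an untagged member of
    tagged: set[int] = field(default_factory=set)    # VLANs this port is a tagged member of


class VlanSwitch:
    def __init__(self, ports: dict[int, PortConfig]):
        for n, p in ports.items():
            if p.pvid not in p.untagged:
                raise ValueError(f"port {n}: PVID {p.pvid} is not an untagged membership")
            if p.untagged & p.tagged:
                raise ValueError(f"port {n}: a VLAN cannot be both tagged and untagged")
        self.ports = ports

    def classify(self, port: int, frame_vid: int | None) -> int | None:
        """VLAN a received frame belongs to, or None if it is dropped.

        frame_vid is None for an untagged frame, else the VID from its tag.
        """
        cfg = self.ports[port]
        if frame_vid is None:
            return cfg.pvid                       # port-based rule: PVID
        if frame_vid in cfg.untagged or frame_vid in cfg.tagged:
            return frame_vid                      # tagged rule: VID in the frame
        return None                               # not a member: ingress filtering drops it

    def forward(self, port: int, frame_vid: int | None) -> dict[int, str]:
        """Egress ports (flood within the VLAN) and how each one emits the
        frame; unicast learning would narrow this to one port."""
        vid = self.classify(port, frame_vid)
        if vid is None:
            return {}
        out: dict[int, str] = {}
        for n, cfg in self.ports.items():
            if n == port:
                continue
            if vid in cfg.untagged:
                out[n] = "untagged"
            elif vid in cfg.tagged:
                out[n] = "tagged"
        return out


# Constructed configuration: Sales = VID 2, Engineering = VID 3, uplink on port 24.
EXAMPLE_PORTS = {
    1:  PortConfig(pvid=2, untagged={2}),                 # Sales workstation
    2:  PortConfig(pvid=3, untagged={3}),                 # Engineering workstation
    5:  PortConfig(pvid=2, untagged={2}, tagged={3}),     # server reached from both VLANs
    24: PortConfig(pvid=1, untagged={1}, tagged={2, 3}),  # tagged uplink to the other switch
}


if __name__ == "__main__":
    sw = VlanSwitch(EXAMPLE_PORTS)
    print("untagged frame on port 1 ->", sw.forward(1, None))
    print("VID 3 frame on the uplink ->", sw.forward(24, 3))
    print("VID 4 frame on port 1 ->", sw.forward(1, 4))
```

The last case is the security-relevant one: a host that crafts a tagged frame for a VLAN its port is not a member of gets the frame dropped at ingress, so VLAN separation rests on keeping access ports out of `tagged` memberships they do not need.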
  • Page 283: Chapter 25: Garp Vlan Registration Protocol

    Chapter 25: GARP VLAN Registration Protocol. This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections: “Supported Platforms” on page 284, “Overview” on page 285, “Guidelines” on page 288, “GVRP and Network Security” on page 289, “GVRP-inactive Intermediate Switches”...
  • Page 284: Supported Platforms

    Chapter 25: GARP VLAN Registration Protocol. Supported Platforms: Refer to Table 80 and Table 81 for the AT-9400 Switches and the management interfaces that support the GARP VLAN Registration Protocol. Table 80. Support for the GARP VLAN Registration Protocol (truncated). Layer 2+ models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 285: Overview

    Generic Attribute Registration Protocol (GARP), does this for you automatically. The AT-S63 Management Software uses GVRP protocol data units (PDUs) to share VLAN information among GVRP-active devices. The PDUs contain the VID numbers of the VLANs on the switch. A PDU contains the VIDs of all the VLANs on the switch, not just the VID of which the transmitting port is a member.
  • Page 286: Figure 36: Gvrp Example

    Chapter 25: GARP VLAN Registration Protocol. Figure 36 provides an example of how GVRP works. [Figure 36. GVRP Example: Switch #1, Port 1, static VLAN Sales VID=11; switch faceplate image] Switches #1 and #3 contain the Sales VLAN, but switch #2 does not.
  • Page 287 VLAN as tagged dynamic GVRP ports. Section VI: Virtual LANs as an tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made. tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN. AT-S63 Management Software Features Guide...
  • Page 288: Guidelines

    ...VLANs and static port assignments. The default port setting on the switch for GVRP is active, meaning that the ports participate in GVRP. Allied Telesis recommends disabling GVRP on those ports that are connected to GVRP-inactive devices, meaning devices that do not feature GVRP.
  • Page 289: Gvrp And Network Security

    ...GVRP-inactive devices. Converting all dynamic GVRP VLANs and dynamic GVRP ports to static assignments, and then turning off GVRP on all switches. This preserves the new VLAN assignments while protecting against network intrusion.
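The overview, guidelines and security pages above describe the same mechanism from three angles: a GVRP PDU carries the VIDs of all VLANs on the sending switch; a receiving switch with GVRP active on that port creates any VLAN it lacks as a dynamic GVRP_VLAN_<vid> and adds the port as a tagged dynamic member, while a port that is already a member is left unchanged; and the recommended hardening is to disable GVRP on ports facing GVRP-inactive devices, or to convert dynamic entries to static and turn GVRP off. The following is an added example (not code from the AT-S63 manual) that models those rules for the Figure 36 scenario (Sales, VID 11, on switches #1 and #3 but not #2) and then shows why an edge port left GVRP-active is a problem: a host sending a PDU for VID 11 is admitted to the VLAN. Switch names, port numbers and memberships are constructed.

```python
"""GVRP dynamic VLAN registration and the edge-port exposure.

Added example; not code from the AT-S63 manual. Switches, ports and
memberships are constructed around the manual's Sales/VID 11 scenario.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vlan:
    name: str
    static: bool
    untagged: set[int] = field(default_factory=set)
    tagged: set[int] = field(default_factory=set)
    dynamic_ports: set[int] = field(default_factory=set)  # tagged members added by GVRP


class GvrpSwitch:
    def __init__(self, name: str, ports) -> None:
        self.name = name
        self.ports = set(ports)
        self.gvrp_active = set(self.ports)  # manual: GVRP is active on all ports by default
        self.vlans: dict[int, Vlan] = {1: Vlan("Default_VLAN", True, set(self.ports))}

    def add_static_vlan(self, vid: int, name: str, untagged=(), tagged=()) -> None:
        self.vlans[1].untagged -= set(untagged)   # a port is untagged in one VLAN only
        self.vlans[vid] = Vlan(name, True, set(untagged), set(tagged))

    def disable_gvrp(self, port: int) -> None:
        self.gvrp_active.discard(port)

    def pdu(self) -> list[int]:
        """What this switch advertises: the VIDs of all its VLANs."""
        return sorted(self.vlans)

    def receive_pdu(self, port: int, vids) -> list[str]:
        """Apply a received GVRP PDU; returns a log of what changed."""
        changes: list[str] = []
        if port not in self.gvrp_active:
            return changes                      # GVRP-inactive port: PDU ignored
        for vid in vids:
            v = self.vlans.get(vid)
            if v is None:
                v = self.vlans[vid] = Vlan(f"GVRP_VLAN_{vid}", static=False)
                changes.append(f"created dynamic {v.name}")
            if port in v.untagged or port in v.tagged:
                continue                        # already a member: no change
            v.tagged.add(port)
            v.dynamic_ports.add(port)
            changes.append(f"port {port} joined {v.name} as tagged dynamic")
        return changes

    def make_static(self) -> None:
        """Freeze the learned state, then GVRP can be turned off everywhere."""
        for v in self.vlans.values():
            v.static = True
            v.dynamic_ports.clear()
        self.gvrp_active.clear()

    def members(self, vid: int) -> set[int]:
        v = self.vlans.get(vid)
        return set() if v is None else v.untagged | v.tagged


if __name__ == "__main__":
    s1 = GvrpSwitch("S1", range(1, 9)); s1.add_static_vlan(11, "Sales", untagged={2, 3})
    s2 = GvrpSwitch("S2", range(1, 9))
    s3 = GvrpSwitch("S3", range(1, 9)); s3.add_static_vlan(11, "Sales", untagged={4})
    print("S2 <- S1:", s2.receive_pdu(1, s1.pdu()))   # S1 port 1 <-> S2 port 1
    print("S3 <- S2:", s3.receive_pdu(2, s2.pdu()))   # S2 port 2 <-> S3 port 2
    print("S2 <- host on port 5:", s2.receive_pdu(5, [11]))
    s2.disable_gvrp(6)
    print("S2 <- host on GVRP-inactive port 6:", s2.receive_pdu(6, [11]))
```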
  • Page 290: Gvrp-Inactive Intermediate Switches

    Chapter 25: GARP VLAN Registration Protocol GVRP-inactive Intermediate Switches If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs that it receives from the GVRP-active switches.
  • Page 291: Generic Attribute Registration Protocol (Garp) Overview

    Generic Attribute Registration Protocol (GARP) Overview: The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to...
  • Page 292: Figure 37: Garp Architecture

    Chapter 25: GARP VLAN Registration Protocol. GARP architecture is shown in Figure 37. [Figure 37. GARP Architecture: GARP Participant containing the GARP Application; MAC Layer: Port 1] The GARP application component of the GARP participant is responsible for defining the semantics associated with the parameter values and operators received in GARP PDUs, and for generating GARP PDUs for transmission.
  • Page 293: Figure 38: Gid Architecture

    [Figure 38. GID Architecture: Attribute ... state: Registrar State...] (List continues:) to ensure that this participant's declarations are registered by other participants' registrars; to ensure that other participants have a chance to redeclare (rejoin) after anyone withdraws a declaration (leaves).
  • Page 294 Chapter 25: GARP VLAN Registration Protocol To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges. To control the registrar state machine, a registrar administrative control parameter is provided.
  • Page 295: Chapter 26: Multiple Vlan Modes

    Chapter 26 Multiple VLAN Modes This chapter describes the multiple VLAN modes. This chapter contains the following sections: Section VI: Virtual LANs “Supported Platforms” on page 296 “Overview” on page 297 “802.1Q- Compliant Multiple VLAN Mode” on page 298 “Non-802.1Q Compliant Multiple VLAN Mode” on page 300...
  • Page 296: Supported Platforms

    Supported Platforms Refer to Table 82 and Table 83 for the AT-9400 Switches and the management interfaces that support the multiple VLAN modes. Table 82. Support for the Multiple VLAN... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T...)
  • Page 297: Overview

    The AT-S63 Management Software supports two types of multiple VLAN modes: Each mode uses a different technique to isolate the ports and their traffic.
  • Page 298: Q- Compliant Multiple Vlan Mode

    802.1Q-Compliant Multiple VLAN Mode In this mode, each port is placed into a separate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numbers. For example, the VLAN for port 4 is named Client_VLAN_4 and is given the VID of 4, the VLAN for port 5 is named Client_VLAN_5 and has a VID of 5, and so on.
  • Page 299 Table 84. 802.1Q-Compliant Multiple VLAN Example (Continued) (columns: VLAN Name, Untagged Port, Tagged Port). Note: The uplink VLAN is the management VLAN. Any remote management of the switch must be made through the uplink VLAN.
  • Page 300: Non-802.1Q Compliant Multiple Vlan Mode

    Non-802.1Q Compliant Multiple VLAN Mode Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. To establish traffic isolation, it uses port mapping.
  • Page 301: Chapter 27: Protected Ports Vlans

    Chapter 27 Protected Ports VLANs This chapter explains protected ports VLANs. It contains the following sections: “Supported Platforms” on page 302 “Overview” on page 303 “Guidelines” on page 305...
  • Page 302: Supported Platforms

    Supported Platforms Refer to Table 85 and Table 86 for the AT-9400 Switches and the management interfaces that support the protected ports VLANs. Table 85. Support for the Protected Ports... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T...)
  • Page 303: Overview

    802.1Q compliant. Note: For explanations of VIDs and tagged and untagged ports, refer to Chapter 24, “Port-based and Tagged VLANs” on page 269.
  • Page 304 (Table columns: VLAN, Uplink Port(s), Group Number.) Allied Telesis recommends that you create tables similar to these before you create your own protected ports VLAN. Having the tables handy will make your job easier when the switch prompts you for this information.
  • Page 305: Guidelines

    Guidelines Following are the guidelines for implementing protected ports VLANs: A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a port-based or tagged VLAN instead.
  • Page 307: Chapter 28: Mac Address-Based Vlans

    Chapter 28 MAC Address-based VLANs This chapter contains overview information about MAC address-based VLANs. Sections in the chapter include: “Supported Platforms” on page 308 “Overview” on page 309 “Egress Ports” on page 310 “VLANs That Span Switches” on page 313 “VLAN Hierarchy”...
  • Page 308: Supported Platforms

    Supported Platforms Refer to Table 87 and Table 88 for the AT-9400 Switches and the management interfaces that support MAC address-based VLANs. Table 87. Support for the MAC Address-... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE...)
  • Page 309: Overview

    LAN segments within a network and are typically employed to improve network performance and security. The AT-S63 Management Software offers several different types of VLANs, including port-based, tagged, and protected ports. Membership in these VLANs is determined either by the port VLAN identifier (PVID) assigned to a port on a switch or, in the case of tagged traffic, by the VLAN identifier within the packets themselves.
  • Page 310: Egress Ports

    Egress Ports Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports on the switch for the packets from the nodes.
  • Page 311: Table 90: Revised Example Of Mappings Of Mac Addresses To Egress Ports

    VLAN on the port. This means that whatever device is connected to the port receives the flooded traffic of all three VLANs. (Table 90, End Node column: Workstation 1 (Port 1), Workstation 2 (Port 2), ...)
  • Page 312 If security is a major concern for your network, you might not want to assign a port as an egress port to more than one VLAN when planning your MAC address-based VLANs. When a packet whose source MAC address is part of a MAC address-based VLAN arrives on a port, the switch performs one of the following actions: If the packet’s destination MAC address is not in the MAC address...
  • Page 313: Vlans That Span Switches

    Note that each VLAN contains the complete set of MAC addresses of all VLAN nodes along with the appropriate egress ports on the switches. Figure 39. Example of a MAC Address-based VLAN Spanning Switches (figure labels: MAC Addresses: Address_1, Address_2, ...)
  • Page 314: Table 91: Example Of A Mac Address-Based Vlan Spanning Switches

    Table 91. Example of a MAC Address-based VLAN Spanning Switches Switch A VLAN Name: Sales MAC Address Address_1 Address_2 Address_3 Address_4 Address_5 Address_6 Switch B VLAN Name: Sales Egress Ports MAC Address 1,3,4,5 Address_1 Address_2 Address_3 Address_4 Address_5...
  • Page 315: Vlan Hierarchy

    VLAN Hierarchy The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egress port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN.
  • Page 316: Steps To Creating A Mac Address-Based Vlan

    Steps to Creating a MAC Address-based VLAN Here are the three main steps to creating a MAC address-based VLAN: 1. Assign the VLAN a name and a VID. You must also set the VLAN type to MAC Based.
  • Page 317: Guidelines

    Guidelines Follow these guidelines when implementing a MAC address-based VLAN: MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP Switches. The switch can support up to a total of 4094 port-based, tagged, protected ports, and MAC address-based VLANs.
  • Page 318 Egress ports cannot be part of a static or LACP trunk. Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs.
  • Page 319: Section Vii: Routing

    Section VII Routing This section has the following chapters: Chapter 29, “Internet Protocol Version 4 Packet Routing” on page 321 Chapter 30, “BOOTP Relay Agent” on page 355 Chapter 31, “Virtual Router Redundancy Protocol” on page 361 Section VII: Internet Protocol Routing...
  • Page 321: Chapter 29: Internet Protocol Version 4 Packet Routing

    “Routing Interfaces and Management Features” on page 342 “Local Interface” on page 345 “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on page 346 “Routing Command Example” on page 348 “Non-routing Command Example” on page 352 “Upgrading from AT-S63 Version 1.3.0 or Earlier” on page 354...
  • Page 322: Supported Platforms

    Supported Platforms Refer to Table 92 and Table 93 for the AT-9400 Switches and the management interfaces that support the IPv4 packet routing feature. Table 92. Support for IPv4 Packet Routing (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...)
  • Page 323 Features” on page 342 and “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on page 346. AT-9400Ts Stacks support static routes but not RIP. You can use the menus on a stand-alone switch to configure the routing interfaces, but not static routes or RIP. To configure all of the feature’s components, you must use the command line.
  • Page 324: Overview

    Overview This section contains an overview of the IPv4 routing feature on the AT-9400 Switch. It begins with an explanation of the following available routing methods: A routing interface is a logical connection to a local network or subnet for the purpose of routing IPv4 packets.
  • Page 325 At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example”...
  • Page 326: Routing Interfaces

    Routing Interfaces The IPv4 packet routing feature on the switch is built on the foundation of the routing interface. An interface functions as a logical connection to a subnet that allows the egress and ingress of IPv4 packets to the subnet from other local and remote networks, subnets, and nodes.
  • Page 327: Vlan Id (Vid)

    IP address from a DHCP or BOOTP server. Note: Routing interfaces can be configured from either the command line interface or the menus interface. (Interface settings listed: VLAN ID (VID); Interface number; IP address and subnet mask.) The IP addresses of
  • Page 328 the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resided in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server.
  • Page 329: Interface Names

    Interface Names Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an interface number, separated by a dash. The VLAN is designated by “vlan” followed by the VLAN identification number (VID) or the VLAN name.
  • Page 330: Static Routes

    Static Routes In order for the switch to route an IPv4 packet to a remote network or subnet, there must be a route to the destination in the routing table of the switch.
  • Page 331 The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE.
  • Page 332: Routing Information Protocol (Rip)

    Routing Information Protocol (RIP) A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its neighboring routers in the network with the Routing Information Protocol (RIP) versions 1 and 2. RIP is a fairly simple distance vector routing protocol that defines networks based on how many hops they are from the switch, just as with static routes.
  • Page 333 The AT-9400 Switch supports the following RIP functions: Note: A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does not support encrypted RIP passwords. Dynamic RIP routes that fall under the split horizon rule.
  • Page 334: Default Routes

    Default Routes A default route is a “match all” destination entry in the routing table. The switch uses it to route packets whose remote destinations are not in the routing table. Rather than discard the packets, the switch sends them to the next hop specified in the default route.
  • Page 335: Equal-Cost Multi-Path (Ecmp) Routing

    Equal-cost Multi-path (ECMP) Routing When there are multiple routes in the routing table to the same remote destinations, ECMP enables the switch to use the different routes to forward traffic. This can improve network performance by increasing the available bandwidth for the traffic flows, and also provide for route redundancy.
  • Page 336 ECMP also applies to default routes. This enables the switch to store up to 32 default routes with up to eight of the routes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s ability to store multiple routes to the same destination in its routing table.
  • Page 337: Routing Table

    180 seconds, it is deleted from the table. The maximum storage capacity of the routing table in the AT-9400 Switch: 512 interface routes, 1024 static routes, 1024 RIP routes.
  • Page 338: Route Selection Process

    Route Selection Process Here is the route selection process the switch goes through when routing packets to a destination: If there is only one route to a destination, forward the packets using the route.
  • Page 339: Address Resolution Protocol (Arp) Table

    ARP, SET IP ARP, SET IP ARP TIMEOUT, and SHOW IP ARP. The storage capacity of the ARP table in the AT-9400 Switch is: 1024 static entries, 1024 dynamic entries. Note: The switch does not support Proxy ARP.
  • Page 340: Internet Control Message Protocol (Icmp)

    Internet Control Message Protocol (ICMP) ICMP allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another. The switch implements the ICMP functions listed in Table 94.
  • Page 341 Table 94. ICMP Messages Implemented on the AT-9400 Switch (columns: ICMP Packet (Type), Switch Response). Time to Live Exceeded (11): If the TTL field in a packet falls to zero the switch will send a “Time to live exceeded”...
  • Page 342: Routing Interfaces And Management Features

    For instance, the switch can access an SNTP server through one interface and a RADIUS authentication server from another. This differs from some of the earlier versions of the AT-S63 Management Software where all the servers had to be members of what was referred to as the “management VLAN.”...
  • Page 343: Enhanced Stacking

    (that is, switches that are not a part of an enhanced stack) and a master switch of an enhanced stack. This does not apply to slave switches of an enhanced stack. For background information and guidelines on remote management, refer to the Starting an AT-S63 Management Session Guide.
  • Page 344: Pinging A Remote Device

    Device has a routing interface on the local subnet from where the device is reached. In previous versions of the AT-S63 Management Software the device to be pinged had to be reached through the management VLAN of the switch. This restriction no longer applies. A remote device can be pinged from any subnet of the switch that has an interface.
  • Page 345: Local Interface

    A switch can have only one local interface. For background information on remote management of the switch, refer to the Starting an AT-S63 Management Session Guide. For background information on enhanced stacking, refer to Chapter 3, “Enhanced Stacking” on page 77.
  • Page 346: At-9408Lc/Sp At-9424T/Gb, And At-9424T/Sp Switches

    ARP Table These switches also have an ARP table with a maximum capacity of ten ARP entries. The table and entries are used by the AT-S63 Management Software when it performs a management function that requires it to communicate with another device on the network. An example would be if you instructed the switch to ping another network device or download a new AT-S63 image file or configuration file from a TFTP server.
  • Page 347: Default Gateway

    The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with another network node.
  • Page 348: Routing Command Example

    Routing Command Example This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands for implementing the feature. To make the example easier to explain, some of the command options are not mentioned and the default values are used instead.
  • Page 349: Creating The Vlans

    Each interface is given a different interface number, 0 and 1, to distinguish between them. At this point, the switch begins to route IPv4 packets among the local subnets. For further information on this command, refer to the ADD IP INTERFACE
  • Page 350: Adding A Static Route And Default Route

    command. Adding a Static Route and Default Route Building on our example, assume you decided to manually enter a route to a remote subnet as a static route. The command for creating a static route is ADD IP ROUTE.
  • Page 351: Adding Rip

    Adding RIP Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its routing neighbors using RIP. To implement RIP, you add it to the routing interfaces where routing neighbors are located.
  • Page 352: Non-Routing Command Example

    Non-routing Command Example This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in cases where you want to implement the management functions described in “Routing Interfaces and Management Features”...
  • Page 353 The following command creates a default route for the example and specifies the next hop as 149.44.55.6: add ip route=0.0.0.0 nexthop=149.44.55.6
  • Page 354: Upgrading From At-S63 Version 1.3.0 Or Earlier

    Upgrading from AT-S63 Version 1.3.0 or Earlier When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the management software, the switch automatically creates a routing interface that preserves the previous IP configuration of the unit.
  • Page 355: Chapter 30: Bootp Relay Agent

    Chapter 30 BOOTP Relay Agent This chapter has the following sections: “Supported Platforms” on page 356 “Overview” on page 357 “Guidelines” on page 359...
  • Page 356: Supported Platforms

    Supported Platforms Refer to Table 96 and Table 97 for the AT-9400 Switches and the management interfaces that support the BOOTP relay agent. Table 96. Support for the BOOTP Relay... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T...)
  • Page 357: Overview

    Overview The AT-S63 Management Software comes with a BOOTP relay agent for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP request to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet because it does not know the IP address of the server.
  • Page 358 A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to determine whether the client, in its original request to the server, set this flag to signal that the response must be sent as a broadcast datagram.
  • Page 359: Guidelines

    Guidelines These guidelines apply to the BOOTP relay agent: A routing interface functions as the BOOTP relay agent for the local clients in its subnet. You can specify up to eight DHCP or BOOTP servers.
  • Page 361: Chapter 31: Virtual Router Redundancy Protocol

    Chapter 31 Virtual Router Redundancy Protocol The chapter has the following sections: “Supported Platforms” on page 362 “Overview” on page 363 “Master Switch” on page 364 “Backup Switches” on page 365 “Interface Monitoring” on page 366 “Port Monitoring” on page 367 “VRRP on the Switch”...
  • Page 362: Supported Platforms

    Supported Platforms Refer to Table 98 and Table 99 for the AT-9400 Switches and the management interfaces that support the Virtual Router Redundancy Protocol. Table 98. Support for the Virtual Router... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...)
  • Page 363: Overview

    Overview This chapter describes the Virtual Router Redundancy Protocol (VRRP) of the AT-9400 Basic Layer 3 Switches. One of the functions that switches provide to the hosts of a LAN is to act as gateways. The local hosts use the gateways to communicate with the hosts on the WAN.
  • Page 364: Master Switch

    Master Switch The virtual router has a virtual MAC address known by all the switches that participate in the virtual router. The virtual MAC address is derived from the virtual router identifier, which is a user-defined value from 1 to 255.
  • Page 365: Backup Switches

    The “master-down” time is approximately three times the advertisement interval. Assumes the role of master switch if it receives an advertisement packet from another switch with a lower priority than its own, if preempt mode is on.
  • Page 366: Interface Monitoring

    Interface Monitoring The virtual router can monitor certain interfaces to change the priority of switches if the master switch loses its connection to the outside world. This is known as interface monitoring. Interface monitoring reduces the priority of the switch when an important interface connection is lost.
  • Page 367: Port Monitoring

    VRRP is only monitoring the state of the interface and does not require that the interface have an IP address. A VLAN cannot be destroyed if it is a monitored interface of a VRRP. To destroy a VLAN, you must first destroy the monitored interface.
  • Page 368: Vrrp On The Switch

    VRRP on the Switch VRRP is disabled by default. When a virtual router is created on the switch, it is enabled by default, but the VRRP module must be enabled before it is operational. The VRRP module or a specific virtual router can be enabled or disabled afterwards by using the ENABLE VRRP and DISABLE VRRP commands.
  • Page 369 Inconsistent configuration causes advertisement packets to be rejected and the virtual router cannot perform properly. (Parameters listed: VRRP virtual router identifier, IP address, advertisement interval, preempt mode, authentication type, password.)
  • Page 371: Section Viii: Port Security

    Section VIII Port Security The chapters in this section contain overview information on the port security features of the AT-9400 Switch. The chapters include: Chapter 32, “MAC Address-based Port Security” on page 373 Chapter 33, “802.1x Port-based Network Access Control” on page 379 Section VIII: Port Security...
  • Page 373: Chapter 32: Mac Address-Based Port Security

    Chapter 32 MAC Address-based Port Security The sections in this chapter include: “Supported Platforms” on page 374 “Overview” on page 375 “Invalid Frames and Intrusion Actions” on page 377 “Guidelines” on page 378
  • Page 374: Supported Platforms

    Supported Platforms Refer to Table 100 and Table 101 for the AT-9400 Switches and the management interfaces that support MAC address-based port security. Table 100. Support for MAC Address-based... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T...)
  • Page 375: Overview

    MAC addresses. A switch port can have up to a total of 255 dynamic and static MAC addresses. (Security levels: Automatic, Limited, Secured, Locked.)
  • Page 376: Secured

    Secured This security level uses only static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through a port.
  • Page 377: Invalid Frames And Intrusion Actions

    Discard the invalid frame. Discard the invalid frame and send an SNMP trap. (SNMP must be enabled on the switch for the trap to be sent.) Discard the invalid frame, send an SNMP trap, and disable the port.
  • Page 378: Guidelines

    Guidelines The following guidelines apply to MAC address-based port security: The filtering of a packet occurs on the ingress port, not on the egress port. You cannot use MAC address port security and 802.1x port-based access control on the same port.
  • Page 379: Chapter 33: 802.1X Port-Based Network Access Control

    Chapter 33 802.1x Port-based Network Access Control The sections in this chapter are: “Supported Platforms” on page 380 “Overview” on page 381 “Authentication Process” on page 383 “Port Roles” on page 384 “Authenticator Ports with Single and Multiple Supplicants” on page 387 “Supplicant and VLAN Associations”...
  • Page 380: Supported Platforms

    Supported Platforms Refer to Table 102 and Table 103 for the AT-9400 Switches and the management interfaces that support 802.1x port-based network access control. Table 102. Support for 802.1x Port-based... (Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...)
  • Page 381: Overview

    This port security method uses the RADIUS authentication protocol. The AT-S63 Management Software is shipped with RADIUS client software. If you have already read Chapter 38, “TACACS+ and RADIUS Protocols” on...
  • Page 382 The AT-9400 Switch does not authenticate any of the supplicants connected to its ports. Its function is to act as an intermediary between a supplicant and the authentication server during the authentication process. Authentication server - The authentication server is the network device that has the RADIUS server software.
  • Page 383: Authentication Process

    When the supplicant sends an EAPOL-Logoff message, the switch removes the supplicant’s MAC address from the MAC address table, preventing the supplicant from sending or receiving any further traffic from the port.
  • Page 384: Port Roles

    Port Roles Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles: None Role A switch port in the None role does not participate in port-based access control.
  • Page 385 This is the default setting for an authenticator port. Force-authorized - Disables IEEE 802.1X port-based authentication and automatically places the port in the authorized state without any authentication exchange required. The port transmits and receives normal traffic without authenticating the client.
  • Page 386: Supplicant Role

    As mentioned earlier, the switch itself does not authenticate the user names and passwords from the clients. That function is performed by the authentication server and the RADIUS server software. The switch acts as an intermediary for the authentication server by denying access to the network by the client until the client has been validated by the authentication server.
  • Page 387: Authenticator Ports With Single And Multiple Supplicants

    The authenticator port’s operating mode is set to Single and the piggy-back feature is disabled so that only one client can use the port at any one time. (Operating modes: Single, Multiple.)
  • Page 388: Figure 41: Authenticator Port In Single Operating Mode With A Single Client

    Figure 41. Authenticator Port in Single Operating Mode with a Single Client (figure labels: AT-9400 Switch, Port 6, Role: Authenticator, Operating Mode: Single, Piggy-back Mode: Disabled). The example in Figure 42 on page 389 illustrates a configuration that uses the piggy-back mode.
  • Page 389: Figure 42: Single Operating Mode With Multiple Clients Using The Piggy-Back Feature - Example 1

    Figure 42. Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 1 (figure labels: Ethernet Hub or Non-802.1x-compliant Switch, Unauthenticated Client, Authenticated Clients, AT-9424T/SP Gigabit Ethernet Switch).
  • Page 390: Figure 43: Single Operating Mode With Multiple Clients Using The Piggy-Back Feature - Example 2

    If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are performed automatically.
  • Page 391: Multiple Operating Mode

    Selecting the Multiple mode for an authenticator port disables the piggy-back mode, because this operating mode does not permit piggy-backing. (Figure labels: RADIUS Authentication...)
  • Page 392: Figure 45: Authenticator Port In Multiple Operating Mode - Example 1

    An example of this authenticator operating mode is illustrated in Figure 45. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x authentication method, the clients must provide their username and password combinations before they can forward traffic through the AT-9400 Switch.
  • Page 393: Figure 46: Authenticator Port In Multiple Operating Mode - Example 2

    Figure 46. Authenticator Port in Multiple Operating Mode - Example 2 (figure labels: Username: switch24, Password: waveform; AT-9400 Switch (B); Client Ports: Role: None; Authenticated Clients...)
  • Page 394: Supplicant And Vlan Associations

    Supplicant and VLAN Associations One of the challenges to managing a network is accommodating end users that roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises in providing them with access to the same network resources and, conversely, restricting them from unauthorized areas, regardless of the workstation from where they access the network.
  • Page 395: Single Operating Mode

    The transport medium to be used for the tunnel specified by Tunnel-Private-Group-Id. The only supported value is 802 (6). Tunnel-Private-Group-ID: The ID of the tunnel the authenticated user should use. This must be the name or VID of the VLAN on the switch.
  • Page 396: Guest Vlan

    Guest VLAN An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logged on.
  • Page 397: Radius Accounting

    (This information is sent only when a client logs off.) The AT-S63 Management Software supports the Network level of accounting, but not the System or Exec. This feature is only available for ports operating in the Authenticator role.
  • Page 398: General Steps

    5. If you want to use RADIUS accounting to monitor the clients... [text not captured] ...servers or management stations. Authentication protocol server software is not available from Allied Telesis. Funk Software Steel-Belted Radius and FreeRADIUS have been verified as fully compatible with the AT-S63 Management Software.
  • Page 399: Guidelines

    The MAC address-based port security setting for an authenticator port must be Automatic. This restriction does not apply to a supplicant port. For further information, refer to Chapter 32, “MAC Address-based Port Security” on page 373.
  • Page 400 For background information, refer to “Routing Interfaces and Management Features” on page 342. Note Prior to version 2.0.0 of the AT-S63 Management Software, the RADIUS server had to be a member of the switch’s management VLAN. This restriction no longer applies. The server can be located on any local subnet on the switch that has a routing interface.
  • Page 401 The VLAN must already exist on the switch. A client can have only one VLAN associated with it on the RADIUS server. When a supplicant logs on, the switch port is moved as an untagged port to the designated VLAN.
  • Page 403: Section Ix: Management Security

    Section IX Management Security The chapters in this section describe the management security features of the AT-9400 Switch. The chapters include: Chapter 34, “Web Server” on page 405 Chapter 35, “Encryption Keys” on page 411 Chapter 36, “PKI Certificates and SSL” on page 421 Chapter 37, “Secure Shell (SSH)”...
  • Page 405: Chapter 34: Web Server

    Chapter 34 Web Server The sections in this chapter are: “Supported Platforms” on page 406 “Overview” on page 407 “Configuring the Web Server for HTTP” on page 408 “Configuring the Web Server for HTTPS” on page 409
  • Page 406: Supported Platforms

    Supported Platforms Refer to Table 104 and Table 105 for the AT-9400 Switches and the management interfaces that support the web server. Table 104. Support for the Web Server: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts...
  • Page 407: Overview

    Overview The AT-S63 Management Software has a web server and a special web browser interface that allow you to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interface, refer to the AT-S63 Management Software Web Browser Interface User’s Guide.)
  • Page 408: Configuring The Web Server For Http

    Configuring the Web Server for HTTP The following steps configure the web server for non-secure HTTP operation. The steps reference only the command line commands, but the web server can be configured from the menus interface, too. 1.
  • Page 409: Configuring The Web Server For Https

    6. Activate HTTPS in the web server with the SET HTTP SERVER ... 7. Enable the web server with the ENABLE HTTP SERVER command. For an example of this command sequence, refer to the SET HTTP SERVER command in the AT-S63 Management Software Command Line Interface User’s Guide. General Steps for ... These steps configure the web server with a public or private CA certificate.
  • Page 410 10. Enable the web server with the ENABLE HTTP SERVER command. For an example of this command sequence, refer to the SET HTTP SERVER command in the AT-S63 Management Software Command Line Interface User’s Guide. switch’s file system using the LOAD METHOD=TFTP or LOAD METHOD=XMODEM command.
  • Page 411: Chapter 35: Encryption Keys

    Chapter 35 Encryption Keys The sections in this chapter are: “Supported Platforms” on page 412 “Overview” on page 413 “Encryption Key Length” on page 414 “Encryption Key Guidelines” on page 415 “Technical Overview” on page 416 For an overview of the procedures for configuring the switch’s web server for encryption, refer to “Configuring the Web Server for HTTPS”...
  • Page 412: Supported Platforms

    Supported Platforms Refer to Table 106 and Table 107 for the AT-9400 Switches and the management interfaces that support encryption keys. Table 106. Support for Encryption Keys: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts...
  • Page 413: Overview

    Together they create a key pair. The AT-S63 Management Software supports encryption for remote web browser management sessions using the Secure Sockets Layer (SSL) protocol. Adding encryption to your web browser management sessions involves creating one key pair and adding the public key of the key pair to a certificate, a digital document stored on the switch.
  • Page 414: Encryption Key Length

    Encryption Key Length When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 256 bits. The longer the key, the more difficult it is for someone to decipher. If you are particularly concerned about the safety of your management sessions, you might want to use a longer key length than the default, though the default is likely to be sufficient in most situations.
  • Page 415: Encryption Key Guidelines

    The switch cannot use a key created on another system and imported onto the switch. The AT-S63 Management Software does not allow you to copy or export a private key from a switch. However, you can export a public key.
  • Page 416: Technical Overview

    Technical Overview The encryption feature provides the following data security services: Data Encryption Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).
  • Page 417 Inner CBC mode encrypts the entire packet in CBC mode three times and requires three different initialization vectors (IVs). Outer CBC mode triple encrypts each 8-byte block of a packet in CBC mode three times and requires one IV.
  • Page 418: Data Authentication

    Because key lengths of 512 bits or greater are used in public key encryption systems, decrypting RSA encrypted messages is almost impossible using current technology. The AT-S63 Management Software uses the RSA algorithm. Asymmetrical encryption algorithms require enormous computational resources, making them very slow when compared to symmetrical algorithms.
  • Page 419: Key Exchange Algorithms

    The Diffie-Hellman algorithm, which is used by the AT-S63 Management Software, is one of the more commonly used key exchange algorithms. It is not an encryption algorithm because messages cannot be encrypted using Diffie-Hellman.
  • Page 420 A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well tested public key values. The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure.
  • Page 421: Chapter 36: Pki Certificates And Ssl

    Chapter 36 PKI Certificates and SSL The sections in this chapter are: “Supported Platforms” on page 422 “Overview” on page 423 “Types of Certificates” on page 423 “Distinguished Names” on page 425 “SSL and Enhanced Stacking” on page 427 “Guidelines” on page 428 “Technical Overview”...
  • Page 422: Supported Platforms

    Supported Platforms Refer to Table 108 and Table 109 for the AT-9400 Switches and the management interfaces that support the PKI certificates and SSL. Table 108. Support for PKI Certificates and ...: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 423: Overview

    Overview This chapter describes the second part of the encryption feature of the AT-S63 Management Software—PKI certificates. The first part is explained in Chapter 35, “Encryption Keys” on page 411. Encryption keys and certificates allow you to encrypt the communications between your...
  • Page 424 network equipment. With private CAs, companies can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want the group to issue the certificate for the AT-9400 Switch so that you are in compliance with company policy.
  • Page 425: Distinguished Names

    This is the name of a department, such as Network Support or IT. o - organization: This is the name of the company. st - state: This is the state. c - country: This is the country.
  • Page 426 If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the switch’s name instead of the IP address as the distinguished name. For those switches that do not have an IP address, such as slave switches of an enhanced stack, you could assign their certificates a distinguished name using the IP address of the master switch of the enhanced stack.
  • Page 427: Ssl And Enhanced Stacking

    SSL and Enhanced Stacking Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext.
  • Page 428: Guidelines

    Guidelines The guidelines for creating certificates are: A certificate can have only one key. A switch can use only those certificates that contain a key that was generated on the switch. You can create multiple certificates on a switch, but the device uses the certificate whose key pair has been designated as the active key pair for the switch’s web server.
  • Page 429: Technical Overview

    MAC. The site’s URL changes from HTTP to HTTPS. The browser indicates that it is a secured connection by displaying an icon, such as a padlock icon.
  • Page 430: User Verification

    SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server.
  • Page 431: Public Key Infrastructure

    To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name.
  • Page 432: Certificates

    ...this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate. Certificates A certificate is an electronic identity document. To create a certificate for a subject, a trusted third party (known as the Certification Authority) verifies the subject’s identity, binds a public key to that identity, and digitally signs the certificate.
  • Page 433: Elements Of A Public Key Infrastructure

    At least one certification authority (CA), which issues and revokes certificates. At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists. At least one end entity (EE), which retrieves certificates from the repository, validates them and uses them.
  • Page 434: Certificate Validation

    Certificate Validation To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate. CA Hierarchies and Certificate Chains It may not be practical for every individual certificate in an organization to be signed by one certification authority.
  • Page 435: Pki Implementation

    ...: PKIX Roadmap; RFC 1779: A String Representation of Distinguished Names; RFC 2459: PKIX Certificate and CRL Profile; RFC 2511: PKIX Certificate Request Message Format; PKCS #10 v1.7: Certification Request Syntax Standard.
  • Page 437: Chapter 37: Secure Shell (Ssh)

    Chapter 37 Secure Shell (SSH) The sections in this chapter are: “Supported Platforms” on page 438 “Overview” on page 439 “Support for SSH” on page 440 “SSH Server” on page 441 “SSH Clients” on page 442 “SSH and Enhanced Stacking” on page 443 “SSH Configuration Guidelines”...
  • Page 438: Supported Platforms

    Supported Platforms Refer to Table 110 and Table 111 for the AT-9400 Switches and the management interfaces that support the Secure Shell protocol. Table 110. Support for the Secure Shell: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T...
  • Page 439: Overview

    Secure Shell server and a machine with a Secure Shell client. The AT-S63 Management Software features Secure Shell server software so that network managers can securely manage the switch over an insecure network. It offers the benefit of cryptographic authentication and encryption.
  • Page 440: Support For Ssh

    Support for SSH The AT-S63 implementation of the SSH protocol is compliant with the SSH protocol versions 1.3, 1.5, and 2.0. In addition, the following SSH options and features are supported: [list not captured] The following SSH options and features are not supported: [list not captured] Inbound SSH connections (server mode) are supported.
  • Page 441: Ssh Server

    When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as the SSH default port.
  • Page 442: Ssh Clients

    The SSH protocol provides a secure connection between the switch and SSH clients. After you have configured the SSH server, you need to install SSH client software on your management workstations. The AT-S63 Management Software supports both SSH1 and SSH2 clients.
  • Page 443: Ssh And Enhanced Stacking

    SSH and Enhanced Stacking The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.
  • Page 444 Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the master switch of a stack. Activating SSH on a slave switch has no effect.
  • Page 445: Ssh Configuration Guidelines

    768 bits. The recommended size for the host key is 1024 bits. You activate and configure SSH on the master switch of an enhanced stack, not on slave switches. The AT-S63 software uses well-known port 22 as the SSH default port.
  • Page 446: General Steps To Configuring Ssh

    General Steps to Configuring SSH Configuring the SSH server involves the following procedures: 1. Create two encryption key pairs on the switch. One pair will function as ... 2. Configure and activate the Secure Shell server on the switch by ... 3.
  • Page 447: Chapter 38: Tacacs+ And Radius Protocols

    Chapter 38 TACACS+ and RADIUS Protocols This chapter describes the two authentication protocols TACACS+ and RADIUS. Sections in the chapter include: “Supported Platforms” on page 448 “Overview” on page 449 “Guidelines” on page 451
  • Page 448: Supported Platforms

    Supported Platforms Refer to Table 112 and Table 113 for the AT-9400 Switches and the management interfaces that support the TACACS+ and RADIUS protocols. Table 112. Support for the TACACS+ and ...: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
  • Page 449: Overview

    The AT-S63 software comes with TACACS+ and RADIUS client software. You can use the client software to add two security features to the switch.
  • Page 450 The final function of an authentication protocol is keeping track of user activity on network devices, referred to as accounting. The AT-S63 Management Software does not support RADIUS or TACACS+ accounting as part of manager accounts. However, it does support RADIUS accounting with the 802.1x Port-based Network Access Control...
  • Page 451: Guidelines

    For RADIUS, management level is controlled by the Service Type attribute. This attribute has 11 different values; only two apply to the AT-S63 Management Software. A value of Administrative for this attribute gives the username and password combination Manager access. A value of NAS Prompt assigns the combination Operator status.
  • Page 452 For background information on routing interfaces, refer to Chapter 29, “Internet Protocol Version 4 Packet Routing” on page 321. By default, authentication protocol is disabled in the AT-S63 Management Software. Before activating it, you need the following information: You can specify up to three RADIUS or TACACS+ servers. Specifying multiple servers adds redundancy to your network.
  • Page 453 Note If no authentication server responds or if no servers have been defined, the AT-S63 Management Software defaults to the standard manager and operator accounts. Note For more information on TACACS+, refer to the RFC 1492 standard.
  • Page 455: Chapter 39: Management Access Control List

    Chapter 39 Management Access Control List This chapter explains how to restrict Telnet and web browser management access to the switch with the management access control list (ACL). Sections in this chapter include: “Supported Platforms” on page 456 “Overview” on page 457 “Parts of a Management ACE”...
  • Page 456: Supported Platforms

    Supported Platforms Refer to Table 114 and Table 115 for the AT-9400 Switches and the management interfaces that support the management access control list. Table 114. Support for the Management ...: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: ...
  • Page 457: Overview

    Overview This chapter explains how to restrict remote management access of a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser.
  • Page 458: Parts Of A Management Ace

    Parts of a Management ACE An ACE has the following three parts: IP Address You can specify the IP address of a specific management station or a subnet. Mask The mask indicates the parts of the IP address the switch should filter on. A binary “1”...
  • Page 459: Guidelines

    Guidelines Below are guidelines for the management ACL: The default setting for this feature is disabled. A switch can have only one management ACL. A management ACL can have up to 256 ACEs. An ACE must have an IP address and mask.
  • Page 460: Examples

    Examples Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device: If the management ACL had only this ACE, remote management of the switch would be restricted to just that management station.
  • Page 461 ...IP address 149.11.11.4: IP Address: 149.11.11.4, Mask: 255.255.255.255, Application Type: Ping. The ACEs shown on this page: ACE #1: IP Address: 149.11.11.11, Mask: 255.255.255.255, Application Type: ...; ACE #2: IP Address: 149.22.22.0, Mask: 255.255.255.0, Application Type: ...
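To show how the three parts of an ACE (IP address, mask, application type) combine into a permit or deny decision for a management station, here is an added Python model of the management ACL; it is an illustration written for this page, not Allied Telesis code. It assumes that a mask bit of 1 selects an address bit to compare, that an application type of All exists alongside Telnet, Web and Ping, and that ACE #2 above (whose application type is truncated on this page) uses All.

```python
"""Model of the AT-S63 management ACL described in Chapter 39.

Added example, not Allied Telesis code. Assumptions (not stated on the page):
- a mask bit of 1 means "compare this address bit", 0 means "ignore it"
- application types are telnet, web, ping, or all
- ACE #2 from the page's example uses the application type all
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

MAX_ACES = 256                                  # page guideline: up to 256 ACEs
APPLICATIONS = {"telnet", "web", "ping", "all"}  # "all" is an assumption


@dataclass(frozen=True)
class ManagementACE:
    ip: str
    mask: str
    application: str = "all"

    def __post_init__(self) -> None:
        # Page guideline: an ACE must have an IP address and a mask.
        if not self.ip or not self.mask:
            raise ValueError("an ACE must have an IP address and a mask")
        IPv4Address(self.ip)      # raises ValueError on a malformed address
        IPv4Address(self.mask)
        if self.application.lower() not in APPLICATIONS:
            raise ValueError(f"unknown application type: {self.application}")

    def matches(self, station_ip: str, application: str) -> bool:
        """True when the station address agrees with the ACE on every masked
        bit and the requested application is covered by this ACE."""
        ace = int(IPv4Address(self.ip))
        mask = int(IPv4Address(self.mask))
        station = int(IPv4Address(station_ip))
        if (ace & mask) != (station & mask):
            return False
        app = self.application.lower()
        return app == "all" or app == application.lower()


class ManagementACL:
    """A switch has exactly one management ACL; its default status is disabled."""

    def __init__(self, enabled: bool = False) -> None:
        self.enabled = enabled
        self.aces: List[ManagementACE] = []

    def add(self, ace: ManagementACE) -> None:
        if len(self.aces) >= MAX_ACES:
            raise ValueError(f"a management ACL can have at most {MAX_ACES} ACEs")
        self.aces.append(ace)

    def permits(self, station_ip: str, application: str) -> bool:
        """Decide whether a management station may reach the switch with
        Telnet, the web browser interface, or ping. A disabled ACL restricts
        nothing; an enabled ACL permits only stations that match at least one
        ACE, so every other station is implicitly denied."""
        if not self.enabled:
            return True
        return any(ace.matches(station_ip, application) for ace in self.aces)


def page_example_acl() -> ManagementACL:
    """The ACEs from the Chapter 39 examples, enabled. The application type of
    ACE #2 is truncated on the page; all is assumed here."""
    acl = ManagementACL(enabled=True)
    acl.add(ManagementACE("149.11.11.11", "255.255.255.255", "all"))  # ACE #1
    acl.add(ManagementACE("149.22.22.0", "255.255.255.0", "all"))     # ACE #2 (assumed)
    acl.add(ManagementACE("149.11.11.4", "255.255.255.255", "ping"))  # ping only
    return acl


def audit(acl: ManagementACL, attempts) -> List[tuple]:
    """Return (station, application, permitted) for each constructed attempt,
    the way a reviewer would tabulate an ACL before enabling it."""
    return [(ip, app, acl.permits(ip, app)) for ip, app in attempts]


if __name__ == "__main__":
    # Constructed access attempts; none of these addresses is a real target.
    attempts = [("149.11.11.11", "telnet"), ("149.11.11.4", "telnet"),
                ("149.11.11.4", "ping"), ("149.22.22.200", "web"),
                ("149.22.23.1", "web"), ("10.0.0.1", "telnet")]
    for ip, app, ok in audit(page_example_acl(), attempts):
        print(f"{ip:<15} {app:<7} {'permit' if ok else 'deny'}")
```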
  • Page 463: Appendix A: At-S63 Management Software Default Settings

    Appendix A AT-S63 Management Software Default Settings This appendix lists the factory default settings for the AT-S63 Management Software. The features are listed in alphabetical order: “Address Resolution Protocol Cache” on page 465 “Boot Configuration File” on page 466 “BOOTP Relay Agent” on page 467 “Class of Service”...
  • Page 464 “Telnet Server” on page 495 “Virtual Router Redundancy Protocol” on page 496 “VLANs” on page 497 “Web Server” on page 498...
  • Page 465: Address Resolution Protocol Cache

    Address Resolution Protocol Cache The following table lists the ARP cache default setting. ARP Cache Timeout: 150 seconds
  • Page 466: Boot Configuration File

    Boot Configuration File The following table lists the names of the default configuration files. Stand-alone Switch: boot.cfg; Stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module: ...
  • Page 467: Bootp Relay Agent

    BOOTP Relay Agent The following table lists the default setting for the BOOTP relay agent. Status: Disabled; Hop Count: ... (hop count is not adjustable)
  • Page 468: Class Of Service

    Class of Service The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues (columns: IEEE 802.1p Priority Level, Port Priority Queue; queues range from Q0 (lowest) to Q7 (highest); mapping rows not captured).
  • Page 469: Denial Of Service Defenses

    Denial of Service Prevention Setting defaults: IP Address: 0.0.0.0; Subnet Mask: 0.0.0.0; Uplink Port: Highest numbered existing port; SYN Flood Defense: Disabled; Smurf Defense: Disabled; Land Defense: Disabled; Teardrop Defense: Disabled; Ping of Death Defense: ...; IP Options Defense: ...
  • Page 470: 802.1X Port-Based Network Access Control

    802.1x Port-Based Network Access Control The following table describes the 802.1x Port-based Network Access Control default settings (settings: Port Access Control, Authentication Method, Port Role). The following table lists the default settings for RADIUS accounting.
  • Page 471 The following table lists the default settings for a supplicant port (settings: Auth Period, Held Period, Max Start, Start Period, User Name, User Password). Default values as extracted, column alignment lost: Enabled, Both, Disabled, None; 30 seconds, 60 seconds...
  • Page 472: Enhanced Stacking

    Enhanced Stacking The following table lists the enhanced stacking default setting. Switch State: Slave
  • Page 473: Ethernet Protection Switching Ring (Epsr) Snooping

    Ethernet Protection Switching Ring (EPSR) Snooping The following table lists the EPSR default setting. EPSR State: Disabled
  • Page 474: Event Logs

    Event Logs The following table lists the default settings for both the permanent and temporary event logs. Status: Enabled; Full Log Action: Wrap
  • Page 475: Gvrp

    GVRP This section provides the default settings for GVRP. Status: Disabled; GIP Status: Enabled; Join Timer: 20 centiseconds; Leave Timer: 60 centiseconds; Leave All Timer: 1000 centiseconds; Port Mode: Normal
  • Page 476: Igmp Snooping

    IGMP Snooping The following table lists the IGMP Snooping default settings (settings: IGMP Snooping Status, Multicast Host Topology, Host/Router Timeout Interval, Maximum IGMP Multicast Groups, Multicast Router Ports Mode). IGMP Snooping Status: Disabled; remaining values not captured.
  • Page 477: Internet Protocol Version 4 Packet Routing

    Split Horizon with Poison Reverse, Autosummarization of Routes (Packet Routing Settings). Note The update and invalid timers are not adjustable. The switch does not support the IPv4 routing holddown and flush timers. Default values as extracted, column alignment lost: Enabled, None, 30 seconds, 180 seconds...
  • Page 478: Mac Address-Based Port Security

    MAC Address-based Port Security The following table lists the MAC address-based port security default settings (settings: Security Mode, Intrusion Action, Participating, MAC Limit). Security Mode: Automatic (no security); Intrusion Action: Discard; MAC Limit: No Limit; remaining values not captured.
  • Page 479: Mac Address Table

    MAC Address Table The following table lists the default setting for the MAC address table. MAC Address Aging Time: 300 seconds
  • Page 480: Management Access Control List

    Management Access Control List The following table lists the default setting for the management access control list. Status: Disabled
  • Page 481: Manager And Operator Account

    Manager Account Settings: Manager Login Name: manager; Manager Password: friend; Operator Login Name: operator; Operator Password: operator; Console Disconnect Timer Interval: 10 minutes; Console Startup Mode: ... Note Login names and passwords are case sensitive.
  • Page 482: Multicast Listener Discovery Snooping

    Multicast Listener Discovery Snooping The following table lists the MLD Snooping default settings (settings: MLD Snooping Status, Multicast Host Topology, Host/Router Timeout Interval, Maximum MLD Multicast Groups, Multicast Router Ports Mode; values not captured).
  • Page 483: Public Key Infrastructure

    Public Key Infrastructure The following table lists the PKI default settings, including the generate enrollment request settings (settings: Switch Distinguished Name, Maximum Number of Certificates, Request Name, Key Pair ID, Format Type). Default values as extracted, column alignment lost: None, None, PKCS10...
  • Page 484: Port Settings

    Port Settings The following table lists the port configuration default settings (settings: Status, 10/100/1000Base-T Speed, Duplex Mode, MDI/MDI-X, Packet Filtering, Packet Rate Limiting, Override Priority, Head of Line Blocking Threshold, Back Pressure, Back Pressure Threshold...; values not captured).
  • Page 485: Rj-45 Serial Terminal Port

    The following table lists the RJ-45 serial terminal port default settings (settings: Data Bits, Stop Bits, Parity, Flow Control, Baud Rate). The baud rate is the only adjustable parameter on the port. Default values as extracted, column alignment lost: None, None, 9600 bps...
  • Page 486: Router Redundancy Protocol Snooping

    Router Redundancy Protocol Snooping The following table lists the RRP Snooping default setting. RRP Snooping Status: Disabled
  • Page 487: Server-Based Authentication (Radius And Tacacs+)

    The following table lists the TACACS+ client configuration default settings (settings: TAC Server 1, TAC Server 2, TAC Server 3, TAC Global Secret, TAC Timeout; followed by the RADIUS Configuration Settings). Default values as extracted, column alignment lost: Disabled, TACACS+; 30 seconds, 0.0.0.0, 0.0.0.0, 0.0.0.0...
  • Page 488: Simple Network Management Protocol

    Simple Network Management Protocol The following table describes the SNMP default settings (settings: SNMP Status, Authentication Failure Trap Status; SNMP Communities: Community Name, Community Name Status (public), Status (private), Open Status (public), Open Status (private); values not captured).
  • Page 489: Simple Network Time Protocol

    Simple Network Time Protocol The following table lists the SNTP default settings (settings: System Time, SNTP Status, SNTP Server, UTC Offset, Daylight Savings Time (DST), Poll Interval). Default values as extracted, column alignment lost: 00:00:00 on January 1, 1980; Disabled; 0.0.0.0; Enabled...
  • Page 490: Spanning Tree Protocols (Stp, Rstp, And Mstp)

    Spanning Tree Protocols (STP, RSTP, and MSTP) This section provides the spanning tree (STP, RSTP, and MSTP) default settings. Spanning Tree The following table describes the Spanning Tree Protocol default settings for the switch.
  • Page 491: Multiple Spanning Tree Protocol

    MSTP Setting               Default
    Maximum Hops
    Configuration Name
    Revision Level
    CIST Priority              Increment 8 (32768)
    Port Priority              Increment 8 (128)
    Port Internal Path Cost    Auto Update
    Port External Path Cost
    Point-to-Point
    Edge Port
    ...
    Defaults also shown on this page, not aligned to a setting in this extract: Disabled, MSTP, null.
  • Page 492: Secure Shell Server

    Secure Shell Server
    The following table lists the SSH default settings. The SSH port number is not adjustable.
    Status
    Host Key ID
    Server Key ID
    Server Key Expiry Time
    Login Timeout
    SSH Port Number
    ...
  • Page 493: Secure Sockets Layer

    Secure Sockets Layer
    The following table lists the SSL default settings.
    SSL Setting                  Default
    Maximum Number of Sessions
    Session Cache Timeout        300 seconds
    ...
  • Page 494: System Name, Administrator, And Comments Settings

    System Name, Administrator, and Comments Settings
    The following table describes the system name, administrator, and comments default settings.
    Setting         Default
    System Name     None
    Administrator   None
    Comments        None
    ...
  • Page 495: Telnet Server

    Telnet Server
    The following table lists the Telnet server default settings. The Telnet port number is not adjustable.
    Telnet Server Setting   Default
    Telnet Server           Enabled
    Telnet Port Number
    NULL Character
    ...
    Telnet carries the login password and the whole management session in cleartext; once SSH access is working, disable the Telnet server.
  • Page 496: Virtual Router Redundancy Protocol

    Virtual Router Redundancy Protocol
    The following table lists the VRRP default setting.
    VRRP Setting   Default
    Status         Disabled
    ...
  • Page 497: VLANs

    VLANs
    This section provides the VLAN default settings.
    VLAN Setting          Default
    Default VLAN Name     Default_VLAN (all ports)
    Management VLAN ID    1 (Default_VLAN)
    VLAN Mode             User Configured
    Uplink Port           None
    Ingress Filtering     Disabled
    ...
  • Page 498: Web Server

    Web Server
    The following table lists the web server default settings.
    Web Server Configuration Setting   Default
    Status                             Enabled
    Operating Mode                     HTTP
    HTTP Port Number
    HTTPS Port Number
    ...
    In HTTP mode the web session, including the login password, is not encrypted. Switch the operating mode to HTTPS, or disable the web server if it is not needed.
  • Page 499: Appendix B: SNMPv3 Configuration Examples

    Appendix B
    SNMPv3 Configuration Examples
    This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol. It includes the following sections:
    “SNMPv3 Manager Configuration” on page 500
    “SNMPv3 Operator Configuration”...
  • Page 500: SNMPv3 Configuration Examples

    Appendix B: SNMPv3 Configuration Examples
    SNMPv3 Configuration Examples
    In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 21, “SNMPv3” on page 219.
    SNMPv3 Manager Configuration
    This section provides a sample configuration for a Manager with a User Name of systemadmin24.
  • Page 501: SNMPv3 Operator Configuration

    Operator and not an SNMP host, you do not need to configure message notification for this user.
    Configure SNMPv3 User Table Menu
    User Name: nikoeng73
    Authentication Protocol: MD5
    Privacy Protocol: None
    Storage Type: NonVolatile
    ...
  • Page 502: SNMPv3 Worksheet

    Configure SNMPv3 View Table Menu
    Configure SNMPv3 Access Table
    SNMPv3 Worksheet
    This section supplies a table that you can use as a worksheet when configuring SNMPv3. Each SNMPv3 Table is listed with its associated parameters.
    SNMPv3 User Table
    User Name
    Authentication Protocol
    Authentication Password
    ...
  • Page 503
    SNMPv3 Parameters (Continued)
    Security Model
    Security Level
    Read View Name
    Write View Name
    Notify View Name
    Storage Type
    SNMPv3 SecurityToGroup Table
    User Name
    Security Model
    Group Name
    Storage Type
    SNMPv3 Notify Table
    Notify Name
    Notify Tag
    ...
  • Page 504
    SNMPv3 Parameters (Continued)
    Security Model
    Security Level
    Storage Type
    ...
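    The two configuration examples above create users whose Authentication Protocol is MD5, and the operator nikoeng73 has Privacy Protocol set to None. The following is an added example, written for this page and not code from the AT-S63 software or Allied Telesis: it shows what both the switch and the manager do with the Authentication Password from the User Table worksheet. RFC 3414 stretches the password into a key Ku, localizes it with the agent's Engine ID so that each agent ends up with a different key, and then authenticates every message with a 96-bit HMAC. SHA is included because RFC 3414 defines it next to MD5; the engine ID and password are the RFC 3414 test vector values, not a switch's.

```python
"""SNMPv3 USM authentication keys (RFC 3414) for a User Table entry.

Added example for this page; not AT-S63 or Allied Telesis code.
"""
import hashlib
import hmac

# Values from the RFC 3414 A.3 test vectors; a real agent reports its own snmpEngineID.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_PASSWORD = "maplesyrup"

# User Table "Authentication Protocol" value -> hashlib algorithm.
AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("SNMPv3 authentication password must not be empty")
    repeats = ONE_MEGABYTE // len(password) + 1
    stretched = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a different key for every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: str, auth_protocol: str, engine_id: bytes) -> bytes:
    """Localized authentication key derived from the User Table password."""
    hash_name = AUTH_HASH[auth_protocol.upper()]
    ku = password_to_key(password.encode("utf-8"), hash_name)
    return localize_key(ku, engine_id, hash_name)


def auth_params(kul: bytes, auth_protocol: str, whole_msg: bytes) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with the
    parameters field zero-filled by the caller), truncated to 96 bits (12 bytes)."""
    return hmac.new(kul, whole_msg, AUTH_HASH[auth_protocol.upper()]).digest()[:12]


def verify_auth(kul: bytes, auth_protocol: str, whole_msg: bytes, received: bytes) -> bool:
    """Constant-time check of a received msgAuthenticationParameters value."""
    return hmac.compare_digest(auth_params(kul, auth_protocol, whole_msg), received)


if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        print(proto, usm_auth_key(RFC3414_PASSWORD, proto, RFC3414_ENGINE_ID).hex())
```

    With Privacy Protocol set to None, as for nikoeng73, these keys let the switch reject forged or replayed requests, but the PDU and the values it carries still travel in cleartext. The Engine ID in the localization step is why a user entry must be recorded per switch on the worksheet: the same password yields a different Kul on every agent.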
  • Page 505: Appendix C: Features And Standards

    Appendix C
    Features and Standards
    This appendix lists the features and standards of the AT-9400 Switch. Sections include:
    ”10/100/1000Base-T Twisted Pair Ports” on page 506
    ”Denial of Service Defenses” on page 506
    ”Fiber Optic Ports (AT-9408LC/SP Switch)” on page 507
    ”File System”...
  • Page 506: 10/100/1000Base-T Twisted Pair Ports

    Appendix C: Features and Standards
    10/100/1000Base-T Twisted Pair Ports
    IEEE 802.1d
    IEEE 802.3
    IEEE 802.3u
    IEEE 802.3ab
    IEEE 802.3u
    IEEE 802.3x
    IEEE 802.3z
    Denial of Service Defenses
    Smurf
    SYN Flood
    Teardrop
    Land
    IP Option
    Ping of Death
    Ethernet Protection Switching Ring Snooping
    ...
  • Page 507: Fiber Optic Ports (AT-9408LC/SP Switch)

    RFC 2710
    RFC 3810
    RFC 3768
    Internet Protocol Version 4 Routing
    RFC 1058
    RFC 1723
    Bridging
    1000Base-SX
    Head of Line Blocking
    Eight Egress Queues Per Port
    8 megabyte storage capacity
    DHCP client
    BOOTP client
    IGMP Snooping (Ver.
    ...
  • Page 508: MAC Address Table

    RFC 826
    RFC 1542
    MAC Address Table
    Management Access and Security
    RFC 1157
    RFC 1901
    RFC 3411
    RFC 1492
    RFC 2865
    RFC 2068
    RFC 2616
    RFC 1866
    RFC 854
    RFC 4325 (X.509)
    ...
  • Page 509: Management Access Methods

    RFC 1213   MIB-II
    RFC 1215   TRAP MIB
    RFC 1493   Bridge MIB
    RFC 2863   Interface Group MIB
    RFC 2933   IGMP
    RFC 1643   Ethernet-like MIB
    RFC 2674   IEEE 802.1Q MIB
    RFC 1757   RMON 4 groups
    —          Allied Telesis Private MIBs
    ...
  • Page 510: Port Security

    Port Security
    IEEE 802.1x
    RFC 2865
    RFC 2866
    Port Trunking and Mirroring
    IEEE 802.3ad
    Spanning Tree Protocols
    IEEE 802.1D
    IEEE 802.1w
    IEEE 802.1s
    System Monitoring
    RFC 3195
    Port-based Network Access Control: Supports multiple supplicants per port and the following authentication methods: EAP-MD5...
  • Page 511: Traffic Control

    Virtual LANs
    IEEE 802.1Q
    RMON Groups 1, 2, 3, and 9
    Quality of Service featuring:
    — Layer 2, 3, and 4 criteria
    — Flow Groups, Traffic Classes, and Policies
    —...
  • Page 512: Virtual Router Redundancy Protocol

    —              MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.)
    IEEE 802.3ac   VLAN Tag Frame Extension
    IEEE 802.1P    GARP VLAN Registration Protocol
    Virtual Router Redundancy Protocol
    RFC 3768       Virtual Router Redundancy Protocol
    ...
  • Page 513: Appendix D: Mib Objects

    Appendix D
    MIB Objects
    Switch. Sections in the appendix include:
    The Allied Telesis MIB files for the AT-9400 Switch are:
    The MIB files are available from the Allied Telesis web site. Objects in the private MIBs have the prefix “1.3.6.1.4.1.207.”
    ”Access Control Lists” on page 514
    ”Class of Service”...
  • Page 514: Access Control Lists

    Appendix D: MIB Objects
    Access Control Lists
    Table 31. Access Control Lists (AtiStackSwitch MIB)
    Object Name                 OID
    atiStkSwACLConfigTable      1.3.6.1.4.1.207.8.17.9.1
    atiStkSwACLConfigEntry      1.3.6.1.4.1.207.8.17.9.1.1
    atiStkSwACLModuleId         1.3.6.1.4.1.207.8.17.9.1.1.1
    atiStkSwACLId               1.3.6.1.4.1.207.8.17.9.1.1.2
    atiStkSwACLDescription      1.3.6.1.4.1.207.8.17.9.1.1.3
    atiStkSwACLAction           1.3.6.1.4.1.207.8.17.9.1.1.4
    atiStkSwACLClassifierList   1.3.6.1.4.1.207.8.17.9.1.1.5
    atiStkSwACLPortList         1.3.6.1.4.1.207.8.17.9.1.1.6
    atiStkSwACLRowStatus        1.3.6.1.4.1.207.8.17.9.1.1.7
    ...
  • Page 515: Class Of Service

    Object Name
    atiStkSwQoSGroupQueueToWeightTable
    AtiStkSwQoSGroupQueueToWeightEntry
    atiStkSwQoSGroupQueue
    atiStkSwQoSGroupQueueWeight
    Table 35. CoS Port Settings (AtiStackSwitch MIB)
    Object Name
    atiStkSwQoSGroupPortCoSPriorityTable
    atiStkSwQoSGroupPortCoSPriorityEntry
    atiStkSwQoSGroupPortCoSPriorityModuleId
    atiStkSwQoSGroupPortCoSPriorityPortId
    atiStkSwQoSGroupPortCoSPriorityPriority
    atiStkSwQoSGroupPortCoSPriorityOverridePriority
    OIDs on this page (column order not recoverable from this extract):
    1.3.6.1.4.1.207.8.17.7.8.1.4 1.3.6.1.4.1.207.8.17.7 1.3.6.1.4.1.207.8.17.7.1 1.3.6.1.4.1.207.8.17.7.2 1.3.6.1.4.1.207.8.17.7.3 1.3.6.1.4.1.207.8.17.7.3.1 1.3.6.1.4.1.207.8.17.7.3.1.1 1.3.6.1.4.1.207.8.17.7.3.1.2 1.3.6.1.4.1.207.8.17.7.4 1.3.6.1.4.1.207.8.17.7.4.1 1.3.6.1.4.1.207.8.17.7.4.1.1 1.3.6.1.4.1.207.8.17.7.4.1.2 1.3.6.1.4.1.207.8.17.7.8 1.3.6.1.4.1.207.8.17.7.8.1 1.3.6.1.4.1.207.8.17.7.8.1.1...
  • Page 516: Date, Time, and SNTP Client

    Date, Time, and SNTP Client
    Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB)
    Object Name                       OID
    atiStkSysSystemTimeConfig         1.3.6.1.4.1.207.8.17.1.5
    atiStkSwSysCurrentTime            1.3.6.1.4.1.207.8.17.1.5.1
    atiStkSwSysCurrentDate            1.3.6.1.4.1.207.8.17.1.5.2
    atiStkSwSysSNTPStatus             1.3.6.1.4.1.207.8.17.1.5.3
    atiStkSwSysSNTPServerIPAddress    1.3.6.1.4.1.207.8.17.1.5.4
    atiStkSwSysSNTPUTCOffset          1.3.6.1.4.1.207.8.17.1.5.5
    atiStkSwSysSNTPDSTStatus          1.3.6.1.4.1.207.8.17.1.5.6
    atiStkSwSysSNTPPollingInterval    1.3.6.1.4.1.207.8.17.1.5.7
    atiStkSwSysSNTPLastDelta          1.3.6.1.4.1.207.8.17.1.5.8
    ...
  • Page 517: Denial Of Service Defenses

    Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB)
    Object Name                          OID
    atiStkDOSConfig                      1.3.6.1.4.1.207.8.17.2.6
    atiStkDOSConfigLANIpAddress          1.3.6.1.4.1.207.8.17.2.6.1
    atiStkDOSConfigLANSubnetMask         1.3.6.1.4.1.207.8.17.2.6.2
    Table 38. Denial of Service Defenses (AtiStackSwitch MIB)
    Object Name                          OID
    atiStkPortDOSAttackConfigTable       1.3.6.1.4.1.207.8.17.2.6.3
    atiStkPortDOSAttackConfigEntry       1.3.6.1.4.1.207.8.17.2.6.3.1
    atiStkPortDOSAttackType              1.3.6.1.4.1.207.8.17.2.6.3.1.1
    atiStkPortDOSAttackActionStatus      1.3.6.1.4.1.207.8.17.2.6.3.1.2
    atiStkPortDOSAttackMirrorPort        1.3.6.1.4.1.207.8.17.2.6.3.1.3
    atiStkPortDOSAttackMirrorPortStatus  1.3.6.1.4.1.207.8.17.2.6.3.1.4
    ...
  • Page 518: Enhanced Stacking

    Enhanced Stacking
    Table 39. Switch Mode and Discovery (AtiStackInfo MIB)
    Object Name                      OID
    atiswitchEnhancedStackingInfo    1.3.6.1.4.1.207.8.16.1
    atiswitchEnhStackMode            1.3.6.1.4.1.207.8.16.1.1
    atiswitchEnhStackDiscover        1.3.6.1.4.1.207.8.16.1.2
    atiswitchEnhStackRemoteNumber    ...
    Table 40. Switches of an Enhanced Stack (AtiStackInfo MIB)
    Object Name
    atiswitchEnhStackTable
    atiswitchEnhStackEntry
    atiswitchEnhStackSwId
    atiswitchEnhStackSwMacAddr
    atiswitchEnhStackSwName
    atiswitchEnhStackSwMode
    atiswitchEnhStackSwSoftwareVersion
    atiswitchEnhStackSwModel
    atiswitchEnhStackConnect
    ...
  • Page 519: GVRP

    OIDs on this page whose object names are not included in this extract:
    1.3.6.1.4.1.207.8.17.3.6 1.3.6.1.4.1.207.8.17.3.6.1 1.3.6.1.4.1.207.8.17.3.6.2 1.3.6.1.4.1.207.8.17.3.6.3 1.3.6.1.4.1.207.8.17.3.6.4 1.3.6.1.4.1.207.8.17.3.6.5 1.3.6.1.4.1.207.8.17.3.7 1.3.6.1.4.1.207.8.17.3.7.1 1.3.6.1.4.1.207.8.17.3.7.1.1 1.3.6.1.4.1.207.8.17.3.7.1.2 1.3.6.1.4.1.207.8.17.3.7.1.3
    Table 43. GVRP Counters (AtiStackSwitch MIB)
    Object Name                           OID
    atiStkSwGVRPCountersTable             1.3.6.1.4.1.207.8.17.3.8
    atiStkSwGVRPCountersEntry             1.3.6.1.4.1.207.8.17.3.8.1
    atiStkSwGVRPCountersModuleId          1.3.6.1.4.1.207.8.17.3.8.1.1
    atiStkSwGVRPCountersGARPRxPkt         1.3.6.1.4.1.207.8.17.3.8.1.2
    atiStkSwGVRPCountersInvalidGARPRxPkt
    atiStkSwGVRPCountersGARPTxPkt
    atiStkSwGVRPCountersGARPTxDisabled
    atiStkSwGVRPCountersPortNotSending
    atiStkSwGVRPCountersGARPDisabled
    ...
  • Page 520
    Table 43. GVRP Counters (AtiStackSwitch MIB)
    Object Name                           OID
    atiStkSwGVRPCountersPortNotListening  1.3.6.1.4.1.207.8.17.3.8.1.8
    atiStkSwGVRPCountersInvalidPort       1.3.6.1.4.1.207.8.17.3.8.1.9
    atiStkSwGVRPCountersInvalidProtocol   1.3.6.1.4.1.207.8.17.3.8.1.10
    atiStkSwGVRPCountersInvalidFormat     1.3.6.1.4.1.207.8.17.3.8.1.11
    atiStkSwGVRPCountersDatabaseFull      1.3.6.1.4.1.207.8.17.3.8.1.12
    atiStkSwGVRPCountersRxMsgLeaveAll     1.3.6.1.4.1.207.8.17.3.8.1.13
    atiStkSwGVRPCountersRxMsgJoinEmpty    1.3.6.1.4.1.207.8.17.3.8.1.14
    atiStkSwGVRPCountersRxMsgJoinIn       1.3.6.1.4.1.207.8.17.3.8.1.15
    atiStkSwGVRPCountersRxMsgLeaveEmpty   1.3.6.1.4.1.207.8.17.3.8.1.16
    atiStkSwGVRPCountersRxMsgLeaveIn      1.3.6.1.4.1.207.8.17.3.8.1.17
    atiStkSwGVRPCountersRxMsgEmpty        1.3.6.1.4.1.207.8.17.3.8.1.18
    atiStkSwGVRPCountersRxMsgBadMsg       1.3.6.1.4.1.207.8.17.3.8.1.19
    atiStkSwGVRPCountersRxMsgBadAttribute
    atiStkSwGVRPCountersTxMsgLeaveAll
    atiStkSwGVRPCountersTxMsgJoinEmpty
    atiStkSwGVRPCountersTxMsgJoinIn
    atiStkSwGVRPCountersTxMsgLeaveEmpty
    atiStkSwGVRPCountersTxMsgLeaveIn
    atiStkSwGVRPCountersTxMsgEmpty
    ...
  • Page 521: MAC Address Table

    OIDs on this page whose object names are not included in this extract:
    1.3.6.1.4.1.207.8.17.3.3 1.3.6.1.4.1.207.8.17.3.3.1 1.3.6.1.4.1.207.8.17.3.3.1.1 1.3.6.1.4.1.207.8.17.3.3.1.2 1.3.6.1.4.1.207.8.17.3.3.1.3 1.3.6.1.4.1.207.8.17.3.3.1.4 1.3.6.1.4.1.207.8.17.3.3.1.5 1.3.6.1.4.1.207.8.17.3.3.1.6
    Table 45. Static MAC Address Table (AtiStackSwitch MIB)
    Object Name                        OID
    atiStkSwMacAddrGroup               1.3.6.1.4.1.207.8.17.4
    atiStkSwStaticMacAddrEntry         1.3.6.1.4.1.207.8.17.4.1.1
    atiStkSwStaticMacAddress           1.3.6.1.4.1.207.8.17.4.1.1.1
    atiStkSwStaticMacAddrVlanId        1.3.6.1.4.1.207.8.17.4.1.1.2
    atiStkSwStaticMacAddrModuleId      1.3.6.1.4.1.207.8.17.4.1.1.3
    atiStkSwStaticMacAddrPortId        1.3.6.1.4.1.207.8.17.4.1.1.4
    atiStkSwStaticMacAddrPortList
    atiStkSwStaticMacAddrEntryStatus
    ...
  • Page 522: Management Access Control List

    Management Access Control List
    Table 46. Management Access Control List Status (AtiStackSwitch MIB)
    Object Name                           OID
    atiStkSwSysMgmtACLGroup               1.3.6.1.4.1.207.8.17.1.7
    atiStkSwSysMgmtACLStatus              1.3.6.1.4.1.207.8.17.1.7.1
    Table 47. Management Access Control List Entries (AtiStackSwitch MIB)
    Object Name                           OID
    atiStkSwSysMgmtACLConfigTable         1.3.6.1.4.1.207.8.17.1.7.2
    atiStkSwSysMgmtACLConfigEntry
    atiStkSwSysMgmtACLConfigModuleId
    atiStkSwSysMgmtACLConfigId
    atiStkSwSysMgmtACLConfigIpAddr
    atiStkSwSysMgmtACLConfigMask
    atiStkSwSysMgmtACLConfigApplication
    atiStkSwSysMgmtACLConfigRowStatus
    ...
  • Page 523: Miscellaneous

    OIDs on this page whose object names are not included in this extract:
    1.3.6.1.4.1.207.8.17.1 1.3.6.1.4.1.207.8.17.1.1 1.3.6.1.4.1.207.8.17.1.1.1
    Object Name                  OID
    atiStkSwSysGroup             1.3.6.1.4.1.207.8.17.1
    atiStkSwSysConfig            1.3.6.1.4.1.207.8.17.1.1
    atiStkSwSysIpAddress         1.3.6.1.4.1.207.8.17.1.1.2
    atiStkSwSysSubnetMask        1.3.6.1.4.1.207.8.17.1.1.3
    atiStkSwSysGateway           1.3.6.1.4.1.207.8.17.1.1.4
    atiStkSwSysIpAddressStatus   1.3.6.1.4.1.207.8.17.1.1.5
    Table 50. Saving the Configuration and Returning to Default Settings (AtiStackSwitch MIB)
    Object Name                  OID
    atiStkSwSysGroup             1.3.6.1.4.1.207.8.17.1
    atiStkSwSysConfig            1.3.6.1.4.1.207.8.17.1.1
    atiStkSwSysAction            ...
  • Page 524: Port Mirroring

    Port Mirroring
    Table 51. Port Mirroring (AtiStackSwitch MIB)
    Object Name                               OID
    atiStkSwPortMirroringConfig               1.3.6.1.4.1.207.8.17.2.2
    atiStkSwPortMirroringState                1.3.6.1.4.1.207.8.17.2.2.1
    atiStkSwPortMirroringDestinationModuleId  1.3.6.1.4.1.207.8.17.2.2.4
    atiStkSwPortMirroringDestinationPortId    1.3.6.1.4.1.207.8.17.2.2.5
    atiStkSwPortMirroringSourceRxList         1.3.6.1.4.1.207.8.17.2.2.6
    atiStkSwPortMirroringSourceTxList         1.3.6.1.4.1.207.8.17.2.2.7
    ...
  • Page 525: Quality Of Service

    Table 53. Traffic Classes (AtiStackSwitch MIB)
    Object Name
    atiStkSwQosTrafficClassTable
    atiStkSwQosTrafficClassEntry
    atiStkSwQosTrafficClassModuleId
    atiStkSwQosTrafficClassId
    atiStkSwQosTrafficClassDescription
    atiStkSwQosTrafficClassExceedAction
    atiStkSwQosTrafficClassExceedRemarkValue
    atiStkSwQosTrafficClassDSCPValue
    atiStkSwQosTrafficClassMaxBandwidth
    atiStkSwQosTrafficClassBurstSize
    OIDs on this page (column order not recoverable from this extract):
    1.3.6.1.4.1.207.8.17.7.5 1.3.6.1.4.1.207.8.17.7.5.1 1.3.6.1.4.1.207.8.17.7.5.1.1 1.3.6.1.4.1.207.8.17.7.5.1.2 1.3.6.1.4.1.207.8.17.7.5.1.3 1.3.6.1.4.1.207.8.17.7.5.1.4 1.3.6.1.4.1.207.8.17.7.5.1.5 1.3.6.1.4.1.207.8.17.7.5.1.6 1.3.6.1.4.1.207.8.17.7.5.1.7 1.3.6.1.4.1.207.8.17.7.5.1.8 1.3.6.1.4.1.207.8.17.7.5.1.9 1.3.6.1.4.1.207.8.17.7.5.1.10 1.3.6.1.4.1.207.8.17.7.5.1.11 1.3.6.1.4.1.207.8.17.7.6 1.3.6.1.4.1.207.8.17.7.6.1...
  • Page 526: Table 139: Policies (AtiStackSwitch MIB)

    Table 53. Traffic Classes (AtiStackSwitch MIB)
    Object Name
    atiStkSwQosTrafficClassClassPriority
    atiStkSwQosTrafficClassRemarkPriority
    atiStkSwQosTrafficClassToS
    atiStkSwQosTrafficClassMoveToSToPriority
    atiStkSwQosTrafficClassMovePriorityToToS
    atiStkSwQosTrafficClassFlowGroupList
    atiStkSwQosTrafficClassStatus
    Table 54. Policies (AtiStackSwitch MIB)
    Object Name
    atiStkSwQosPolicyTable
    atiStkSwQosPolicyEntry
    atiStkSwQosPolicyModuleId
    atiStkSwQosPolicyId
    atiStkSwQosPolicyDescription
    atiStkSwQosPolicyRemarkDSCP
    atiStkSwQosPolicyDSCPValue
    atiStkSwQosPolicyDSCPValue
    atiStkSwQosPolicyMoveToSToPriority
    atiStkSwQosPolicyMovePriorityToToS
    atiStkSwQosPolicySendToMirrorPort
    atiStkSwQosPolicyClassList
    atiStkSwQosPolicyRedirectPort
    atiStkSwQosPolicyIngressPortList
    atiStkSwQosPolicyEgressPortList
    atiStkSwQosPolicyRowStatus
    OIDs on this page (column order not recoverable from this extract):
    1.3.6.1.4.1.207.8.17.7.6.1.9 1.3.6.1.4.1.207.8.17.7.6.1.10 1.3.6.1.4.1.207.8.17.7.6.1.11...
  • Page 527: Port Configuration And Status

    OIDs on this page (object names not included in this extract):
    1.3.6.1.4.1.207.8.17.2.1 1.3.6.1.4.1.207.8.17.2.1.1 1.3.6.1.4.1.207.8.17.2.1.1.1 1.3.6.1.4.1.207.8.17.2.1.1.2 1.3.6.1.4.1.207.8.17.2.1.1.3 1.3.6.1.4.1.207.8.17.2.1.1.4 1.3.6.1.4.1.207.8.17.2.1.1.5 1.3.6.1.4.1.207.8.17.2.1.1.6 1.3.6.1.4.1.207.8.17.2.1.1.7 1.3.6.1.4.1.207.8.17.2.1.1.8 1.3.6.1.4.1.207.8.17.2.1.1.9 1.3.6.1.4.1.207.8.17.2.1.1.10 1.3.6.1.4.1.207.8.17.2.1.1.11 1.3.6.1.4.1.207.8.17.2.1.1.12 1.3.6.1.4.1.207.8.17.2.1.1.13 1.3.6.1.4.1.207.8.17.2.1.1.14 1.3.6.1.4.1.207.8.17.2.1.1.15...
  • Page 528: Spanning Tree

    Spanning Tree
    Table 56. Spanning Tree (AtiStackSwitch MIB)
    Object Name                      OID
    atiStkSwSysConfig                1.3.6.1.4.1.207.8.17.1.1
    atiStkSwSysSpanningTreeStatus    1.3.6.1.4.1.207.8.17.1.1.9
    atiStkSwSysSpanningTreeVersion   1.3.6.1.4.1.207.8.17.1.1.10
    ...
  • Page 529: Static Port Trunk

    Static Port Trunk
    Table 57. Static Port Trunks (AtiStackSwitch MIB)
    Object Name                    OID
    atiStkSwStaticTrunkTable       1.3.6.1.4.1.207.8.17.8.1
    atiStkSwStaticTrunkEntry       1.3.6.1.4.1.207.8.17.8.1.1
    atiStkSwStaticTrunkModuleId    1.3.6.1.4.1.207.8.17.8.1.1.1
    atiStkSwStaticTrunkIndex       1.3.6.1.4.1.207.8.17.8.1.1.2
    atiStkSwStaticTrunkId          1.3.6.1.4.1.207.8.17.8.1.1.3
    atiStkSwStaticTrunkName        1.3.6.1.4.1.207.8.17.8.1.1.4
    atiStkSwStaticTrunkMethod      1.3.6.1.4.1.207.8.17.8.1.1.5
    atiStkSwStaticTrunkPortList    1.3.6.1.4.1.207.8.17.8.1.1.6
    atiStkSwStaticTrunkStatus      1.3.6.1.4.1.207.8.17.8.1.1.7
    atiStkSwStaticTrunkRowStatus   1.3.6.1.4.1.207.8.17.8.1.1.8
    ...
  • Page 530: VLANs

    VLANs
    The objects in Table 58 display the specifications of the Default_VLAN.
    Table 58. VLAN Table (AtiStackSwitch MIB)
    Object Name
    atiStkSwVlanConfigTable
    atiStkSwVlanConfigEntry
    atiStkSwVlanId
    atiStkSwVlanName
    atiStkSwVlanTaggedPortListModule1
    atiStkSwVlanUntaggedPortListModule1
    atiStkSwVlanConfigEntryStatus
    atiStkSwVlanActualUntaggedPortListModule1
    The objects in Table 59 display the names and VIDs of all the VLANs on a switch, but not the VLAN ports.
  • Page 531: Table 146: PVID Table (AtiStackSwitch MIB)

    Table 61. PVID Table (AtiStackSwitch MIB)
    Object Name               OID
    atiStkSwPort2VlanTable    1.3.6.1.4.1.207.8.17.3.2
    atiStkSwPort2VlanEntry    1.3.6.1.4.1.207.8.17.3.2.1
    atiStkSwPortVlanId        1.3.6.1.4.1.207.8.17.3.2.1.1
    atiStkSwPortVlanName      1.3.6.1.4.1.207.8.17.3.2.1.2
    ...
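    Appendix D gives the object identifiers but not a way to act on them. The following is an added example for this page, not code from the AT-S63 software or Allied Telesis: it parses output in the form `snmpwalk -On` prints and reports the objects a reviewer of a deployed switch would question, using the OIDs above for the management ACL status (Table 46), the SNTP status (Table 36), the port mirroring state and destination port (Table 51), and the per-row action status of the DoS defense table (Table 38). The sample walk is constructed; the integer encodings (1 = enabled, 2 = disabled) and the form of the DoS row index are assumptions to confirm against the MIB file; the `.0` suffix is snmpwalk's instance for a scalar.

```python
"""Offline review of AtiStackSwitch MIB values from snmpwalk output.

Added example for this page; not AT-S63 or Allied Telesis code. OIDs are
from Appendix D; value encodings and the sample walk are assumptions.
"""
import re
from typing import Dict, List

PREFIX = "1.3.6.1.4.1.207.8.17"  # AtiStackSwitch MIB (Appendix D)

# Scalars; snmpwalk prints them with a ".0" instance suffix.
MGMT_ACL_STATUS = PREFIX + ".1.7.1"     # atiStkSwSysMgmtACLStatus, Table 46
SNTP_STATUS = PREFIX + ".1.5.3"         # atiStkSwSysSNTPStatus, Table 36
MIRROR_STATE = PREFIX + ".2.2.1"        # atiStkSwPortMirroringState, Table 51
MIRROR_DEST_PORT = PREFIX + ".2.2.5"    # atiStkSwPortMirroringDestinationPortId
# Columns of atiStkPortDOSAttackConfigTable (Table 38); the row index follows the column OID.
DOS_ATTACK_TYPE = PREFIX + ".2.6.3.1.1"
DOS_ACTION_STATUS = PREFIX + ".2.6.3.1.2"

# ASSUMPTION: enable/disable objects use enabled(1)/disabled(2). Check the MIB file.
ENABLED, DISABLED = 1, 2

# "<oid> = <TYPE>: <value>" as printed by snmpwalk -On
LINE_RE = re.compile(r"^\.?(?P<oid>\d+(?:\.\d+)*)\s*=\s*[A-Za-z0-9-]+:\s*(?P<val>.*?)\s*$")

# Constructed sample: management ACL and SNTP left at their disabled defaults,
# mirroring to port 24, and one DoS defense row (index assumed "1.3") switched off.
SAMPLE_WALK = """\
.1.3.6.1.4.1.207.8.17.1.5.3.0 = INTEGER: 2
.1.3.6.1.4.1.207.8.17.1.7.1.0 = INTEGER: 2
.1.3.6.1.4.1.207.8.17.2.2.1.0 = INTEGER: 1
.1.3.6.1.4.1.207.8.17.2.2.5.0 = INTEGER: 24
.1.3.6.1.4.1.207.8.17.2.6.3.1.1.1.3 = INTEGER: 3
.1.3.6.1.4.1.207.8.17.2.6.3.1.2.1.3 = INTEGER: 2
"""


def parse_walk(text: str) -> Dict[str, str]:
    """Map each OID (leading dot removed, instance suffix kept) to its printed value."""
    walk: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            walk[match.group("oid")] = match.group("val")
    return walk


def _scalar(walk: Dict[str, str], oid: str) -> int:
    """Integer value of a scalar, or -1 when the walk did not return it."""
    value = walk.get(oid + ".0")
    return int(value) if value is not None and value.lstrip("-").isdigit() else -1


def audit(walk: Dict[str, str]) -> List[str]:
    """Return one finding per setting a reviewer should question."""
    findings: List[str] = []
    if _scalar(walk, MGMT_ACL_STATUS) == DISABLED:
        findings.append("management ACL disabled: every IP address may reach the management interfaces")
    if _scalar(walk, SNTP_STATUS) == DISABLED:
        findings.append("SNTP disabled: clock starts at 00:00:00 on January 1, 1980, so log timestamps are not trustworthy")
    if _scalar(walk, MIRROR_STATE) == ENABLED:
        findings.append(f"port mirroring enabled, destination port {_scalar(walk, MIRROR_DEST_PORT)}: confirm the capture port is authorized")
    for oid, value in sorted(walk.items()):
        if oid.startswith(DOS_ACTION_STATUS + ".") and value.isdigit() and int(value) == DISABLED:
            row = oid[len(DOS_ACTION_STATUS) + 1:]
            attack = walk.get(DOS_ATTACK_TYPE + "." + row, "unknown")
            findings.append(f"DoS defense row {row} (attack type {attack}) disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_walk(SAMPLE_WALK)):
        print("-", finding)
```

    Feed it a real `snmpwalk -On` of the `1.3.6.1.4.1.207.8.17` subtree and extend the checks with the other tables on these pages; the same pattern applies to the VLAN and static trunk tables if you want to compare a switch against a known-good configuration.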
  • Page 533: Index

    465
    adminkey parameter in aggregate trunks 107
    aggregate trunk 105
    aggregator 105
    aging time, MAC address table 95, 479
    associations 255
    AT-S63 Management Software
      default settings 463
      described 36
    AT-StackXG Stacking Module 63
    authentication protocols 449
      See also RADIUS, TACACS+
    ...
  • Page 534
    CoS. See Class of Service (CoS)
    CRL. See certificate revocation list (CRL)
    default route
      described 334
      examples 350, 353
    default settings, AT-S63 Management Software 463
    denial of service defenses
      default settings 469
      described 179
      guidelines 188
      IP options attack 186
    ...
  • Page 535
    82, 345
    local management session 43
    locked port security mode 376
    MAC address table 94
    MAC address-based port security
      default settings 478
      described 375
      guidelines 378
      intrusion actions 377
      levels 375
    MAC address-based VLANs
    ...
  • Page 536
    regions 257
    revision number 257
    with STP and RSTP 260
    multiple VLAN modes 297
    non-802.1Q compliant VLAN mode 300
    none port role 384
    nonvolatile storage, described 226
    operator accounts, default settings 481
    password, default 45
    path cost 239
    permit access control lists 137
    ping of death attack 185
    PKI.
  • Page 537
    SNMPv3 Community Table, described 231
    SNMPv3 Engine ID, defined 222
    SNMPv3 entities 221
    SNMPv3 Notify Table, described 231
    SNMPv3 protocol
      authentication protocols 222
      Configure SNMPv3 Community Table 231
      Engine ID 222
      message notification 227
      MIB views 224
      overview 221
    ...
  • Page 538
    supported platforms 448
    tagged ports 280
    tagged VLANs
      default settings 497
      described 279
      example 281
      guidelines 280
      supported platforms 270
    TCP destination ports in classifiers 133
    TCP flags in classifiers 133
    TCP source ports in classifiers 133
    teardrop attack 184
    Telnet management sessions 43
    Telnet server 43
      default settings 495
    ...