Summary of Contents for Allied Telesis AT-S63
Features Guide For Stand-alone AT-9400 Switches and AT-9400Ts Stacks AT-S63 Version 2.2.0 for AT-9400 Layer 2+ Switches AT-S63 Version 4.0.0 for AT-9400 Basic Layer 3 Switches 613-001022 Rev. B Software AT-S63...
Allied Telesis, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesis, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesis, Inc.
Adding a Static Route and Default Route ... 350 Adding RIP ... 351 Selecting the Local Interface... 351 Non-routing Command Example ... 352 Upgrading from AT-S63 Version 1.3.0 or Earlier... 354 Chapter 30: BOOTP Relay Agent ... 355 Supported Platforms... 356 Overview... 357 Guidelines...
Contents RADIUS Accounting...397 General Steps ...398 Guidelines ...399 Section IX: Management Security ...403 Chapter 34: Web Server ...405 Supported Platforms ...406 Overview ...407 Supported Protocols ...407 Configuring the Web Server for HTTP ...408 Configuring the Web Server for HTTPS...409 General Steps for a Self-signed Certificate ...409 General Steps for a Public or Private CA Certificate ...409 Chapter 35: Encryption Keys ...411 Supported Platforms ...412...
IP Address... 458 Mask... 458 Application... 458 Guidelines... 459 Examples... 460 Appendix A: AT-S63 Management Software Default Settings ... 463 Address Resolution Protocol Cache... 465 Boot Configuration File ... 466 BOOTP Relay Agent ... 467 Class of Service... 468 Denial of Service Defenses ... 469 802.1x Port-Based Network Access Control ...
Contents Appendix B: SNMPv3 Configuration Examples ...499 SNMPv3 Configuration Examples...500 SNMPv3 Manager Configuration...500 SNMPv3 Operator Configuration...501 SNMPv3 Worksheet ...502 Appendix C: Features and Standards ...505 10/100/1000Base-T Twisted Pair Ports ...506 Denial of Service Defenses...506 Ethernet Protection Switching Ring Snooping ...506 Fiber Optic Ports (AT-9408LC/SP Switch) ...507 File System ...507 DHCP and BOOTP Clients ...507...
Figures Figure 1: AT-StackXG Stacking Module ...63 Figure 2: Duplex-chain Topology...66 Figure 3: Duplex-ring Topology ...67 Figure 4: Static Port Trunk Example...99 Figure 5: User Priority and VLAN Fields within an Ethernet Frame...130 Figure 6: ToS field in an IP Header ...131 Figure 7: ACL Example 1 ...141 Figure 8: ACL Example 2 ...142 Figure 9: ACL Example 3 ...143...
Table 19: Management Interfaces for Management Security ...42 Table 20: Twisted Pair Ports Matched with GBIC and SFP Slots ...49 Table 21: New Features in AT-S63 Version 3.0.0 ...53 Table 22: New Features in AT-S63 Version 2.1.0 ...54 Table 23: New Features in AT-S63 Version 2.0.0 ...55 Table 24: New Features in AT-S63 Version 1.3.0 ...55...
Tables Table 50: Example of Weighted Round Robin Priority ... 153 Table 51: Example of a Weight of Zero for Priority Queue 7 ... 153 Table 52: Support for Quality of Service ... 156 Table 53: Management Interfaces for Quality of Service ... 156 Table 54: Support for the Denial of Service Defenses ...
AT-S63 Management Software Features Guide Table 110: Support for the Secure Shell Protocol ...438 Table 111: Management Interfaces for the Secure Shell Protocol ...438 Table 112: Support for the TACACS+ and RADIUS Protocols ...448 Table 113: Management Interfaces for the TACACS+ and RADIUS Protocols ...448 Table 114: Support for the Management Access Control List ...456...
Preface This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software. This preface contains the following sections: “How This Guide is Organized” on page 20 “Product Documentation” on page 22 “Where to Go First”...
Preface How This Guide is Organized This guide has the following sections and chapters: Section I: Basic Operations Chapter 1, “Overview” on page 29 Chapter 2, “AT-9400Ts Stacks” on page 59 Chapter 3, “Enhanced Stacking” on page 77 Chapter 4, “SNMPv1 and SNMPv2c” on page 87 Chapter 5, “MAC Address Table”...
Chapter 38, “TACACS+ and RADIUS Protocols” on page 447 Chapter 39, “Management Access Control List” on page 455 Appendices Appendix A, “AT-S63 Management Software Default Settings” on page Appendix B, “SNMPv3 Configuration Examples” on page 499 Appendix C, “Features and Standards” on page 505...
Switch, refer to: For instructions on how to install or manage an AT-9400Ts Stack, refer to: The installation and user guides for all the Allied Telesis products are available in portable document format (PDF) on our web site at www.alliedtelesis.com. You can view the documents online or download them onto a local workstation or server.
AT-S63 Management Software Features Guide Where to Go First Allied Telesis recommends that you read Chapter 1, “Overview” on page 29 in this guide before you begin to manage the switch for the first time. There you will find a variety of basic information about the unit and the management software, like the two levels of manager access levels and the different types of management sessions.
Preface Starting a Management Session For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide.
AT-S63 Management Software Features Guide Document Conventions This document uses the following conventions: Note Notes provide additional information. Caution Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data. Warning Warnings inform you that performing or omitting a specific action...
Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions. Email and Telephone: For Technical Support via email or telephone, refer to the Allied Telesis web site at www.alliedtelesis.com. Select your country from the list on the web site and then select the appropriate tab.
Section I Basic Operations The chapters in this section contain background information on basic switch features. The chapters include: Chapter 1, “Overview” on page 29 Chapter 2, “AT-9400Ts Stacks” on page 59 Chapter 3, “Enhanced Stacking” on page 77 Chapter 4, “SNMPv1 and SNMPv2c” on page 87 Chapter 5, “MAC Address Table”...
Overview This chapter has the following sections: “Layer 2+ and Basic Layer 3 Switches” on page 30 “AT-S63 Management Software” on page 36 “Management Interfaces” on page 37 “Management Access Methods” on page 43 “Manager Access Levels” on page 45 “Installation and Management Configurations”...
Chapter 1: Overview Layer 2+ and Basic Layer 3 Switches The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups: Although the switches have many of the same features and capabilities, there are a number of significant differences. For instance, the Internet Protocol Version 4 packet routing feature is only supported on the Basic Layer 3 switches and is the reason for the group’s name.
Access control lists Class of Service Quality of Service Table 1. Basic Operations Basic Layer 3 Switches 24Ts 24XP 48SP 48XP Table 2. Advanced Operations Basic Layer 3 Switches 24Ts 24XP 48SP 48XP AT-S63 Management Software Features Guide Stack Stack...
Chapter 1: Overview Layer 2+ Switches 08LC 24GB 24SP Denial of service defenses Power over Ethernet 1. The only accessible file system in a stack is on the master switch. 2. The only active event logs in a stack are on the master switch. Layer 2+ Switches 08LC 24GB 24SP Internet Group...
Chapter 1: Overview Layer 2+ Switches 08LC 24GB 24SP Static routes for Internet Protocol version 4 routing Routing Information Protocol (RIP) One routing interface Virtual Router Redundancy Protocol BOOTP and DHCP clients BOOTP relay agent 1. Used to assign the switch or stack an IP address configuration. Layer 2+ Switches 08LC 24GB 24SP MAC address-based...
1. Stacks do not support the TACACS+ protocol. You can use the web browser interface to configure RADIUS accounting on a stack, but you cannot use the interface to enter the IP addresses of the RADIUS servers. Table 9. Management Security Basic Layer 3 Switches 24Ts 24XP 48SP 48XP AT-S63 Management Software Features Guide Stack...
Chapter 1: Overview AT-S63 Management Software The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged unit.
Management Interfaces
The AT-S63 Management Software has four management interfaces:
Standard command line
AlliedWare Plus command line
Menus
Web browser windows
As shown in Table 10, the standard command line and the web browser windows are supported on all of the possible platforms: stand-alone AT-9400 Layer 2+ Switches, stand-alone AT-9400 Basic Layer 3 Switches, and AT-9400 Stacks.
Chapter 1: Overview In other cases, a management interface might support only part of a function. For example, you can set a switch or stack’s name, contact or location with any of the management interfaces, except for the AlliedWare Plus commands, which only let you set the name. The following tables list the features you can configure from the various management interfaces for stand-alone switches and AT-9400Ts Stacks.
3. You can use the AlliedWare Plus command line to download new versions of the AT-S63 Management Software to stand-alone switches. You cannot use this interface to download new versions of the management software to stacks or to transfer files to the file system.
Chapter 1: Overview 6. You cannot modify the event log full action from the web browser interface. Table 13. Management Interfaces for Snooping Protocols Internet Group Management Protocol (IGMP) snooping Multicast Listener Discovery (MLD) snooping Router Redundancy Protocol (RRP) snooping Ethernet Protection Switching Ring (EPSR) snooping SNMPv3...
Address Resolution Protocol (ARP) table BOOTP and DHCP clients BOOTP relay agent Virtual Router Redundancy Protocol Table 18. Management Interfaces for Port Security MAC address-based port security AT-S63 Management Software Features Guide Stand-alone Switches Stand-alone Switches Stand-alone Switches Stacks Stacks Stacks...
Chapter 1: Overview 802.1x port-based network access control Table 19. Management Interfaces for Management Security Web server Encryption keys Public Key Infrastructure (PKI) certificates and Secure Sockets Layer (SSL) protocol Secure Shell server TACACS+ and RADIUS authentication Management access control list 1.
Management Access Methods
You can access the AT-S63 Management Software on a switch several ways:
Local session
Remote Telnet session
Remote Secure Shell (SSH) session
Remote web browser (HTTP or HTTPS) session
Remote SNMP session
Local: To establish a local management session, you connect a terminal or a PC...
Chapter 1: Overview Remote Secure Shell (SSH) Sessions: The AT-S63 Management Software also has a Secure Shell (SSH) server for remote management from SSH clients on your network. An SSH management session is similar to a Telnet management session except it uses encryption to protect the session from snooping.
AT-S63 Management Software Features Guide Manager Access Levels The AT-S63 Management Software has two manager access levels: manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level only lets you view the parameter settings.
Chapter 1: Overview Installation and Management Configurations The AT-9400 Switches can be installed in three configurations. Stand-alone Switches: All the AT-9400 Switches can be installed as managed or unmanaged, stand-alone Gigabit Ethernet switches. AT-9400Ts Stacks: The AT-9424Ts, AT-9424Ts/XP and AT-9448Ts/XP Switches can be installed as a stack.
AT-S63 Management Software Features Guide IP Configuration Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your network, like a Simple Network Time...
Chapter 1: Overview Configuration Files Stand-alone switches and stacks store their parameter settings in configuration files in their file systems. The devices use these files to configure their parameter settings whenever they initialize their management software, such as when you power on or reset the units. The switches do not update the files automatically after you change a parameter setting.
Auto-Negotiation on a twisted pair port and set the speed and duplex mode manually, the speed reverts to Auto-Negotiation when a GBIC or SFP module establishes a link with an end node. AT-S63 Management Software Features Guide Ports and Slots 23R with GBIC slot 23...
Chapter 1: Overview Note These guidelines do not apply to the SFP slots on the AT-9408LC/SP Switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP Switches.
The management software has a new command line interface based on the commands in the AlliedWare Plus operating system found on other Allied Telesis products, such as the Layer 3 switches. If you are already familiar with the commands in the AlliedWare Plus operating system, you may find this new interface more convenient to use than the standard command line.
Chapter 1: Overview AT-9400 Stacks Here are the new and enhanced features in AT-S63 Management Software for AT-9400 Stacks:
BOOTP/DHCP Relay Agent
Access Control Lists
Quality of Service policies
IPv4 static routes
Encrypted remote web browser management sessions with the...
Software or to the AT-S63 Stack Command Line User’s Guide. Version 3.2.0 did not include any new features for stand-alone AT-9400 Switches. Version 3.0.0 Table 21 lists the new features in version 3.0.0 of the AT-S63 Management Software. Stacking with the AT-StackXG Stacking Module...
Version 2.1.0 Table 22 lists the new features in version 2.1.0. Internet Protocol version 4 packet routing Table 21. New Features in AT-S63 Version 3.0.0 (Continued) Feature Table 22. New Features in AT-S63 Version 2.1.0 Feature Change Added the following authentication...
Version 2.0.0 Table 23 lists the new feature in version 2.0.0 of the AT-S63 Management Software. Internet Protocol version 4 packet routing with: Routing interfaces Static routes Routing Information Protocol (RIP) versions 1 and 2 Version 1.3.0 Table 24 lists the new features in version 1.3.0 of the AT-S63 Management Software.
Table 25 lists the new features in version 1.2.0. MAC Address Table Quality of Service MLD Snooping MAC Address-based VLANs Table 25. New Features in AT-S63 Version 1.2.0 Feature Added the following new parameters to the CLI commands for displaying and deleting specific...
Table 25. New Features in AT-S63 Version 1.2.0 (Continued) Feature 802.1x Port-based Network Access Control AT-S63 Management Software Features Guide Change Added a new parameter to authenticator ports: Supplicant Mode for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator...
“Module ID Numbers” on page 70 “Stack Configuration Files” on page 71 “MAC Address Tables” on page 73 “File Systems” on page 73 “Compact Flash Memory Card Slots” on page 73 “Stack IP Address” on page 74 “Upgrading the AT-S63 Management Software” on page 75...
Chapter 2: AT-9400Ts Stacks Supported Platforms Table 26 and Table 27 list the AT-9400 Switches and the management interfaces that support AT-9400Ts Stacks. Table 26. Support for AT-9400Ts Stacks Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP...
Chapter 2: AT-9400Ts Stacks AT-S63 Management Software Stacking requires Version 3.0.0 or later of the AT-S63 Management Software. Supported Models Stacking is only supported on the following AT-9400 Switches: Note Version 3.0.0 is only supported on the AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, and AT-9448Ts/XP Basic Layer 3 Switches.
AT-S63 Management Software Features Guide AT-StackXG Stacking Module To be part of a stack, the AT-9400Ts Switch must have the AT-StackXG Stacking Module, shown in Figure 1. You install the module in the switch’s expansion slot on the back panel. The installation instructions are provided in the AT-9400Ts Stack Installation Guide.
A stack can have both models and either model can be the master switch of the stack. Allied Telesis does not recommend using the 48-port AT-9448Ts/XP Switch as the master switch of a stack. Consequently, a stack with one or more 48-port switches should have as the master switch the 24-port AT-9424Ts Switch or the AT-9424Ts/XP Switch.
The feature is enhanced stacking, which lets you manage the different Allied Telesis switches in your network from one management session by redirecting the management session from switch to switch.
Chapter 2: AT-9400Ts Stacks Stack Topology The switches of an AT-9400Ts Stack are cabled with the AT-StackXG Stacking Module and its two full-duplex, 12-Gbps stacking ports. There are two supported topologies. The first topology is the duplex-chain topology, where a port on one stacking module is connected to a port on the stacking module in the next switch, which is connected to the next switch, and so on.
This can protect a stack against the failure of a stacking port or cable. A disruption in the primary path automatically activates the secondary path.
AT-S63 Management Software Features Guide Master and Member Switches The activities of the devices of a stack are coordinated by a master switch. There can be only one master switch, but it can be any unit in a stack. The master switch is assigned module ID 1, as explained in “Module ID...
If the number is set to AUTO, meaning automatic, the switch assumes that it is a stand-alone switch and uses the BOOT.CFG file, or whatever stand-alone file you’ve designated. This is the default setting for the switches. AT-S63 Management Software Features Guide...
Chapter 2: AT-9400Ts Stacks By having two standard configuration files, a switch can retain its prior configuration settings when converted from a stand-alone configuration to a stack member, or vice versa. This saves you the trouble of having to reconfigure the device. Since there are two different configuration files, the parameter settings from a stand-alone configuration file cannot be automatically transferred to a stack configuration file.
The file systems on the member switches are not accessible. Compact Flash Memory Card Slots The master switch of a stack has the only active compact flash memory slot. The slots in the member switches are inactive.
Chapter 2: AT-9400Ts Stacks Stack IP Address If you do not intend to use the packet routing feature, you must still assign one routing interface to the stack if it will be performing any of the following management functions: To assign an IP address to the stack you have to create an IPv4 routing interface.
Upgrading the AT-S63 Management Software The AT-9400 Switch must have Version 3.0.0 or later of the AT-S63 Management Software to be a member of a stack. To update the management software on an existing stack for versions after Version 3.0.0, you must disconnect the stacking cables and update the switches individually, either locally through the Terminal Port on the units or over the network using a TFTP server.
Chapter 3 Enhanced Stacking This chapter contains the following sections: “Supported Platforms” on page 78 “Overview” on page 79 “Master and Slave Switches” on page 80 “Common VLAN” on page 81 “Master Switch and the Local Interface” on page 82 “Slave Switches”...
Chapter 3: Enhanced Stacking Supported Platforms Table 29 and Table 30 list the AT-9400 Switches and the management interfaces that support enhanced stacking. Table 29. Support for Enhanced Stacking Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP...
Allied Telesis recommends reviewing the information in this section before using this feature, even if you are familiar with it from earlier versions of the AT-S63 Management Software or from other Allied Telesis Ethernet switches that support this feature.
Chapter 3: Enhanced Stacking Master and Slave Switches An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other switches.
VLAN from the slave switch to the master switch. The Default_VLAN can be used as the common VLAN. The common VLAN does not have to be dedicated solely to the enhanced stacking feature. AT-S63 Management Software Features Guide...
Chapter 3: Enhanced Stacking Master Switch and the Local Interface Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to know on which subnet to send out its broadcast packets and to monitor for the management packets from the other switches and from remote management workstations.
AT-S63 Management Software Features Guide Slave Switches The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the master switch.
Chapter 3: Enhanced Stacking Enhanced Stacking Compatibility This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8400 Series and AT-8500 Series Switches. As such, an enhanced stack can consist of various switch models, though the following issues need to be considered...
An enhanced stack must have at least one master switch. You designate the master by changing its stacking status to Master. An enhanced stack can consist of other Allied Telesis switches that support this feature, including the AT-8400, AT-8500, and AT-9400 Switches.
5. On the master switch designate the interface assigned to the common 6. On the slave switches, add a routing interface to the common VLAN. can be any Allied Telesis switch that supports this feature. In a stack with different switch models, Allied Telesis recommends using an AT-9400 Switch as the master switch.
Chapter 4 SNMPv1 and SNMPv2c This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch. Sections in the chapter include: “Supported Platforms” on page 88 “Overview” on page 89 “Community String Attributes” on page 90 “Default SNMP Community Strings” on page 92 Section I: Basic Operations...
Chapter 4: SNMPv1 and SNMPv2c Supported Platforms Refer to Table 31 and Table 32 for the AT-9400 Switches and the management interfaces that support SNMPv1 and SNMPv2c community strings. Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP...
Activate SNMP management on the switch. The default setting for SNMP management is disabled. Load the Allied Telesis MIBs for the switch onto your management workstation containing the SNMP application program. The MIBs are available from the Allied Telesis web site at www.alliedtelesis.com.
Chapter 4: SNMPv1 and SNMPv2c Community String Attributes A community string has attributes for controlling who can use the string and what the string will allow a network management application to do on the switch. The community string attributes are defined below: Community A community string must have a name of one to eight alphanumeric characters.
AT-S63 Management Software Features Guide the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings.
Chapter 4: SNMPv1 and SNMPv2c Default SNMP Community Strings The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write. If you...
Chapter 5 MAC Address Table This chapter contains background information about the MAC address table. This chapter contains the following section: “Overview” on page 94 Section I: Basic Operations...
Chapter 5: MAC Address Table Overview The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port numbers where the addresses were learned.
AT-S63 Management Software Features Guide no longer active. The period of time a switch waits before purging inactive dynamic MAC addresses is called the aging time. This value is adjustable on the AT-9400 Switch. The default value is 300 seconds (5 minutes).
Chapter 6 Static Port Trunks This chapter describes static port trunks. Sections in the chapter include: “Supported Platforms” on page 98 “Overview” on page 99 “Load Distribution Methods” on page 100 “Guidelines” on page 102 Section I: Basic Operations...
Chapter 6: Static Port Trunks Supported Platforms Refer to Table 33 and Table 34 for the AT-9400 Switches and the management interfaces that support static port trunks. Table 33. Support for Static Port Trunks Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE...
For this reason, static trunks are typically employed only between devices from the same vendor. Figure 4: Static Port Trunk Example.
When you create a static or LACP port trunk, you have to select a load distribution method that controls how the switch is to distribute the traffic load across the ports in the trunk. The AT-S63 Management Software offers the following load distribution methods: The load distribution methods examine the last three bits of a packet’s...
AT-S63 Management Software Features Guide A similar method is used for the two load distribution methods that employ both the source and destination addresses, except that the last three bits of both addresses are combined by an XOR operation to derive a single value, which is then compared against the mappings of the bits to ports.
Chapter 6: Static Port Trunks Guidelines Here are the guidelines to static trunks: Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility. A static trunk can have up to eight ports. Stand-alone switches and AT-9400Ts Stacks can support up to six static and LACP trunks at a time (for example, four static trunks and two LACP trunks).
Chapter 7 LACP Port Trunks This chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the chapter include: “Supported Platforms” on page 104 “Overview” on page 105 “LACP System Priority” on page 106 “Adminkey Parameter” on page 107 “LACP Port Priority Value”...
Chapter 7: LACP Port Trunks Supported Platforms Refer to Table 35 and Table 36 for the AT-9400 Switches and the management interfaces that support LACP port trunks. Table 35. Support for LACP Port Trunks Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE...
IEEE 802.3ad standard, making it interoperable with equipment from other vendors that also comply with the standard. Therefore, you can create an LACP trunk between an Allied Telesis device and network devices from other manufacturers. Another advantage is that ports in an LACP trunk can function in a standby mode.
Chapter 7: LACP Port Trunks LACP System Priority It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be active and which are to be in standby.
LACPDU packets. If a port that is part of an aggregator does not receive LACPDU packets, it functions as a normal Ethernet port and forwards network packets along with LACPDU packets.
Chapter 7: LACP Port Trunks Load Distribution Methods The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it.
The other device must be 802.3ad-compliant. An aggregator can consist of any number of ports. The AT-S63 Management Software supports up to eight active ports in an aggregate trunk at a time. Stand-alone switches and AT-9400Ts Stacks can support up to six static and LACP aggregate trunks at a time (for example, four static trunks and two LACP trunks).
For example, an aggregator of ports 12 to 16 is assigned the default name DEFAULT_AGG12. Prior to creating an aggregate trunk between an Allied Telesis device and another vendor’s device, refer to the vendor’s documentation to determine the maximum number of active ports the device can support in a trunk.
Chapter 8 Port Mirror This chapter explains the port mirror feature. Sections in the chapter include: “Supported Platforms” on page 112 “Overview” on page 113 “Guidelines” on page 113 Section I: Basic Operations...
Chapter 8: Port Mirror Supported Platforms Refer to Table 37 and Table 38 for the AT-9400 Switches and the management interfaces that support the port mirror. Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE AT-9424Ts AT-9424Ts/XP AT-9448T/SP AT-9448Ts/XP AT-9400Ts Stack...
You can mirror the ingress or egress traffic of the source ports, or both. To create a mirror port for the Denial of Service defenses, specify only the destination port for the mirrored traffic. The management software automatically determines the source ports. AT-S63 Management Software Features Guide...
Section II Advanced Operations This section contains the following chapters: Chapter 9, “File System” on page 117 Chapter 10, “Event Logs and the Syslog Client” on page 121 Chapter 11, “Classifiers” on page 125 Chapter 12, “Access Control Lists” on page 135 Chapter 13, “Class of Service”...
Chapter 9 File System The chapter explains the switch’s file system and contains the following sections: “Overview” on page 118 “File Naming Conventions” on page 119 “Using Wildcards to Specify Groups of Files” on page 120 Section II: Advanced Operations...
Event logs Note The certificate file, certificate enrollment request file, and key file are supported only on the version of AT-S63 Management Software that features SSL and PKI security. Note The file system may contain one or more ENC.UKF files. These are encryption key pairs.
(.). The extension is used by the switch to determine the file type. Table 39. File Extensions and File Types Extension .cfg Configuration file .cer Certificate file .csr Certificate enrollment request .key Public encryption key .log Event log AT-S63 Management Software Features Guide File Type...
Chapter 9: File System Using Wildcards to Specify Groups of Files You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions: *.cfg *.key...
Chapter 10 Event Logs and the Syslog Client This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server. Sections in the chapter include: “Supported Platforms”...
Chapter 10: Event Logs and the Syslog Client. Supported Platforms: Refer to Table 40 and Table 41 for the AT-9400 Switches and the management interfaces that support the event logs and the syslog client. Table 40 (Support for the Event Logs and ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB...
Each event entry contains: the time and date of the event; the severity of the event; the management module that generated the event; an event description.
Observe the following guidelines when using this feature: Note: The event logs, even when disabled, log all the AT-S63 initialization events that occur when the switch is reset or power cycled. Any switch events that occur after the AT-S63 initialization are entered into the logs only if you enable the event log feature.
Chapter 11 Classifiers This chapter explains classifiers for access control lists and Quality of Service policies. The sections in this chapter include: “Supported Platforms” on page 126 “Overview” on page 127 “Classifier Criteria” on page 129 “Guidelines” on page 134
As a result, you will never use a classifier by itself. There are two AT-S63 features that use classifiers. They are: As explained in Chapter 12, “Access Control Lists” on page 135, an ACL filters ingress packets on a port by controlling which packets a port will accept and reject.
is dictated by the QoS policy, as explained in Chapter 14, “Quality of Service” on page 155. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to affect or control.
7 the highest. Figure 5 illustrates the location of the user priority field within an Ethernet frame. [Figure 5 panels: Ethernet II tagged packets; Ethernet II untagged packets; Ethernet 802.2 tagged packets; Ethernet 802.2 untagged packets]
[Figure 5 field labels: Preamble, 64 bits; Tag Protocol Identifier] You can identify a traffic flow of tagged packets using the user priority value. A classifier for such a traffic flow would instruct a port to watch for tagged packets containing the specified user priority level. The priority level criteria can contain only one value, and the value must be from 0 (zero) to 7.
Figure 6. ToS field in an IP Header. The Protocol variable must be left blank or set to IP. You cannot specify both an IP ToS value and an IP DSCP value in the same classifier.
Chapter 11: Classifiers Observe these guidelines when using this criterion: IP Protocol (Layer 3) You can define a traffic flow by the following Layer 3 protocols: If you choose to specify the protocol by its number, you can enter the value in decimal or hexadecimal format.
The Protocol variable must be left blank or set to IP. The IP Protocol variable must be left blank or set to TCP. A classifier cannot contain both a TCP flag and a UDP source and/or destination port.
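The frame fields the classifier criteria above refer to (the 802.1p user priority in the VLAN tag, the ToS/DSCP byte of the IP header, the IP protocol number, TCP flags and ports) can be seen by parsing a raw frame. The following is an added example written for this page, not AT-S63 code; the sample frame it builds, including its MAC and IP addresses, is constructed:

```python
"""Added example (not AT-S63 code): parse the header fields an AT-S63
classifier can match on out of a raw Ethernet frame: the 802.1p user
priority in the VLAN tag, the IP ToS/DSCP byte, the IP protocol number,
and TCP flags. The frame builder constructs sample input; all MACs, IPs
and ports in it are made up."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5


def parse_frame(frame):
    """Return the classifier-relevant fields of an Ethernet II frame as a dict.

    Untagged frames yield user_priority None; non-IPv4 frames carry no
    Layer 3/4 fields. Only IPv4 is handled, since the ToS/DSCP and IP
    protocol criteria apply to IP packets."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    fields = {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "user_priority": None,
        "vlan_id": None,
    }
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        # 802.1Q tag: 3-bit PCP (user priority), 1-bit DEI, 12-bit VID,
        # followed by the EtherType of the encapsulated payload
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        fields["user_priority"] = tci >> 13
        fields["vlan_id"] = tci & 0x0FFF
        offset = 18
    fields["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return fields
    ihl = (frame[offset] & 0x0F) * 4           # IP header length in bytes
    tos = frame[offset + 1]                    # the ToS byte (Figure 6)
    proto = frame[offset + 9]
    fields.update({
        "ip_tos": tos >> 5,    # 3-bit precedence field of the ToS byte (0-7)
        "ip_dscp": tos >> 2,   # 6-bit DSCP: same byte, different interpretation
        "ip_protocol": proto,
        "src_ip": ".".join(str(b) for b in frame[offset + 12:offset + 16]),
        "dst_ip": ".".join(str(b) for b in frame[offset + 16:offset + 20]),
    })
    l4 = offset + ihl
    if proto in (6, 17):  # TCP or UDP: ports are the first two 16-bit words
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
    if proto == 6:        # TCP: the flag bits live in byte 13 of the TCP header
        flag_bits = frame[l4 + 13] & 0x3F
        fields["tcp_flags"] = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return fields


def build_sample_frame(priority=5, vlan_id=100, dscp=46, tcp_flags=0x02,
                       src_ip="149.44.44.10", dst_ip="10.0.0.1",
                       src_port=40000, dst_port=443):
    """Constructed input: a tagged Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    def ip_bytes(addr):
        return bytes(int(o) for o in addr.split("."))
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ETHERTYPE_VLAN)
    tag = struct.pack("!HH", (priority << 13) | vlan_id, ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + tag + ip + tcp


def strip_vlan_tag(frame):
    """Constructed untagged variant of a tagged frame (drops the 4-byte 802.1Q tag)."""
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key:14s} {value}")
```

ip_tos and ip_dscp are two readings of the same byte, so a classifier that named both would be constraining one field twice; that overlap is what the rule above about not specifying both an IP ToS value and an IP DSCP value in the same classifier reflects.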
Chapter 11: Classifiers Guidelines Follow these guidelines when creating a classifier: Each classifier represents a separate traffic flow. The variables within a classifier are linked by AND. The more variables you define within a classifier, the more specific it becomes in terms of the flow it defines.
Chapter 12 Access Control Lists This chapter describes access control lists (ACL) and how they can improve network security and performance. This chapter contains the following sections: “Supported Platforms” on page 136 “Overview” on page 137 “Parts of an ACL” on page 139 “Guidelines”...
Chapter 12: Access Control Lists. Supported Platforms: Refer to Table 44 and Table 45 for the AT-9400 Switches and the management interfaces that support the access control lists. Table 44 (Support for the Access Control ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T...
ACL assigned to the same port, because a permit ACL always overrides a deny ACL. on the port, then the packet is discarded.
Chapter 12: Access Control Lists 4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.
Parts of an ACL: An ACL must have the following information: Name - An ACL must have a name. The name of an ACL should indicate the type of traffic flow being filtered and, perhaps, also the action.
Chapter 12: Access Control Lists Guidelines Here are the rules for creating ACLs: A port can have multiple permit and deny ACLs. An ACL must have at least one classifier. An ACL can be assigned to more than one switch port. An ACL filters ingress traffic, but not egress traffic.
Chapter 12: Access Control Lists To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL, as illustrated in the next example. Three subnets are denied access to port 4. The three classifiers defining the subnets are applied to the same ACL.
Chapter 12: Access Control Lists In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit.
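The ACL evaluation described above (variables inside a classifier ANDed, a permit ACL overriding a deny ACL on the same port, a packet matching no ACL accepted) and the two examples, three denied subnets on port 4 and the 149.44.44.0 permit on ports 14 and 15, as an added example that is not AT-S63 code. The /24 mask on 149.44.44.0, the three subnets denied on port 4 and the dict packet format are assumptions:

```python
"""Added example (not AT-S63 code): evaluate a port's ACLs the way the
page describes. Variables inside a classifier are ANDed; an ACL matches
when any of its classifiers matches; a permit ACL overrides a deny ACL
on the same port; a packet that matches no ACL is accepted. Packets are
plain dicts here, and the /24 mask on 149.44.44.0 and the three subnets
denied on port 4 are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Classifier:
    cid: int
    protocol: str = None        # Layer 2 protocol, e.g. "IP" or "ARP"
    src_subnet: str = None      # e.g. "149.44.44.0/24"
    dst_subnet: str = None
    ip_protocol: int = None     # 6 = TCP, 17 = UDP
    dst_port: int = None

    def matches(self, pkt):
        """Every variable that is set must match (the variables are ANDed)."""
        checks = []
        if self.protocol is not None:
            checks.append(pkt.get("protocol") == self.protocol)
        if self.src_subnet is not None:
            checks.append("src_ip" in pkt and ip_address(pkt["src_ip"]) in ip_network(self.src_subnet))
        if self.dst_subnet is not None:
            checks.append("dst_ip" in pkt and ip_address(pkt["dst_ip"]) in ip_network(self.dst_subnet))
        if self.ip_protocol is not None:
            checks.append(pkt.get("ip_protocol") == self.ip_protocol)
        if self.dst_port is not None:
            checks.append(pkt.get("dst_port") == self.dst_port)
        return all(checks)


@dataclass
class ACL:
    name: str
    action: str                 # "permit" or "deny"
    classifiers: list = field(default_factory=list)

    def matches(self, pkt):
        # An ACL with several classifiers matches any of the flows they define
        return any(c.matches(pkt) for c in self.classifiers)


def filter_packet(port_acls, pkt):
    """Return "accept" or "discard" for an ingress packet on a port."""
    if any(a.action == "permit" and a.matches(pkt) for a in port_acls):
        return "accept"      # a permit ACL always overrides a deny ACL
    if any(a.action == "deny" and a.matches(pkt) for a in port_acls):
        return "discard"
    return "accept"          # no ACL matched: the port accepts the packet


def build_example_config():
    """Port -> ACL list for the page's two examples (the port 4 subnets are constructed)."""
    deny_three = ACL("deny-three-subnets", "deny", [
        Classifier(1, protocol="IP", src_subnet="10.1.0.0/16"),
        Classifier(2, protocol="IP", src_subnet="10.2.0.0/16"),
        Classifier(3, protocol="IP", src_subnet="10.3.0.0/16"),
    ])
    # Classifier 11 permits the source subnet; a second ACL denies all other IP traffic
    permit_subnet = ACL("permit-149-44-44", "permit",
                        [Classifier(11, protocol="IP", src_subnet="149.44.44.0/24")])
    deny_all_ip = ACL("deny-all-ip", "deny", [Classifier(12, protocol="IP")])
    return {4: [deny_three], 14: [permit_subnet, deny_all_ip], 15: [permit_subnet, deny_all_ip]}


if __name__ == "__main__":
    cfg = build_example_config()
    for port, pkt in [(14, {"protocol": "IP", "src_ip": "149.44.44.10"}),
                      (14, {"protocol": "IP", "src_ip": "192.168.1.5"}),
                      (14, {"protocol": "ARP"}),
                      (4, {"protocol": "IP", "src_ip": "10.2.7.1"})]:
        print(port, pkt, "->", filter_packet(cfg[port], pkt))
```

The ARP case on port 14 is the one worth noticing: it matches neither the permit nor the deny classifier (both require protocol IP), so rule 4 applies and the packet is accepted, even though "all other IP traffic" on that port is denied.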
Chapter 13 Class of Service This chapter describes the Class of Service (CoS) feature. Sections in the chapter include: “Supported Platforms” on page 148 “Overview” on page 149 “Scheduling” on page 152
Chapter 13: Class of Service. Supported Platforms: Refer to Table 46 and Table 47 for the AT-9400 Switches and the management interfaces that support the Class of Service feature. Table 46 (Support for the Class of Service ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
Overview: When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their destinations. A port may be forced to delay transmission of packets while it handles other traffic.
Chapter 13: Class of Service. Table 48. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues. For example, when a tagged packet with a priority level of 3 enters a port on the switch, the packet is stored in the Q3 queue on the egress port. Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN tag User Priority of 0.
The packet leaves the switch with the same priority it had when it entered. This is true even if you change the default priority-to-egress queue mappings. [Table 48 (Continued), columns: IEEE 802.1p Priority Level; Port Priority Queue. Highest queue: Q7]
[Table 50. Example of Weighted Round Robin Priority, columns: Port Egress Queue (from Q0, lowest); Maximum Number of Packets]
[Table 51. Example of a Weight of Zero for Priority Queue 7 (and Continued), columns: Port Egress Queue (from Q0, lowest); Maximum Number of Packets]
Chapter 14 Quality of Service This chapter describes Quality of Service (QoS). Sections in the chapter include: “Supported Platforms” on page 156 “Overview” on page 157 “Classifiers” on page 159 “Flow Groups” on page 160 “Traffic Classes” on page 161 “Policies”...
Chapter 14: Quality of Service. Supported Platforms: Refer to Table 52 and Table 53 for the AT-9400 Switches and the management interfaces that support Quality of Service. Table 52 (Support for Quality of Service ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424T/POE...
Note: QoS is only performed on packets that are switched at wire speed. This includes IP, IP multicast, IPX, and Layer 2 traffic within VLANs.
Chapter 14: Quality of Service The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy.
Classifiers: Classifiers identify a particular traffic flow, and range from general to specific. (See Chapter 11, “Classifiers” on page 125 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic classes, assigned to the same policy.
Chapter 14: Quality of Service Flow Groups Flow groups group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers.
Traffic Classes: Traffic classes are the central component of the QoS solution. They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be assigned to only one policy. Traffic classes consist of a set of QoS parameters and a group of QoS flow groups.
Chapter 14: Quality of Service Policies QoS policies consist of a collection of user defined traffic classes. A policy can be assigned to more than one port, but a port may only have one policy. Note that the switch can only perform error checking of parameters and parameter values for the policy and its traffic classes and flow groups when the policy is set on a port.
QoS Policy Guidelines: Following is a list of QoS policy guidelines: A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results. A classifier may be used successfully in many different policies.
Chapter 14: Quality of Service Packet Processing You can use the switch’s QoS tools to perform any combination of the following functions on a packet flow: Bandwidth Allocation Bandwidth limiting is configured at the level of traffic classes, and encompasses the flow groups contained in the traffic class. Traffic classes can be assigned maximum bandwidths, specified in kbps, Mbps, or Gbps.
Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 48 on page 150.
Chapter 14: Quality of Service Replacing Priorities The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, you need to replace one of two priority fields in the packet header: VLAN Tag User Priorities...
DiffServ Domains: Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network or subnet that is managed as a single QoS unit.
Chapter 14: Quality of Service. To use the QoS tool set to configure a DiffServ domain:
1. As packets come into the domain at edge switches, replace their
2. On switches and routers within the DiffServ domain, classify packets
3. As packets leave the DiffServ domain, classify them according to the DSCP value, if required.
1. Policy 11 is for traffic arriving on port 8 going to the application. The components of the policies are shown in Figure 14. Examples: “Voice Applications,” next; “Video Applications” on page 171; “Critical Database” on page 173
Policy 6 is applied to port 1 because this is where the application is located. Policy 11 is applied to port 8 because this is where traffic going to the application will be received.
Policy - Specifies the traffic class and the port where the policy is to be assigned. [Figure 16. QoS Critical Database Example: Policy 17; Create Classifier: 01 - Classifier ID ... 10; 02 - Description ... Database; 14 - Dst IP Addr ...]
Chapter 14: Quality of Service. Policy Component Hierarchy: The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class levels, while a new DSCP value can be set at all three levels—flow group, traffic class and policy.
Chapter 15 Denial of Service Defenses This chapter explains the defense mechanisms in the management software that can protect your network against denial of service (DoS) attacks. Sections in the chapter include: “Supported Platforms” on page 178 “Overview” on page 179 “SYN Flood Attack”...
Chapter 15: Denial of Service Defenses. Supported Platforms: Refer to Table 54 and Table 55 for the AT-9400 Switches and the management interfaces that support the denial of service defenses. Table 54 (Support for the Denial of Service ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
Overview The AT-S63 Management Software can help protect your network against the following types of denial of service attacks. The following sections describe each type of attack and the mechanism employed by the AT-S63 Management Software to protect your network.
Chapter 15: Denial of Service Defenses SYN Flood Attack In this type of attack, an attacker sends a large number of TCP connection requests (TCP SYN packets) with bogus source addresses to the victim. The victim responds with acknowledgements (SYN ACK packets), but because the original source addresses are bogus, the victim node does not receive any replies.
Smurf Attack: This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request that has the network’s IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request.
The most direct approach for defending against this form of attack is for the AT-S63 Management Software to check the source and destination IP addresses in the IP packets, searching for and discarding those with identical source and destination addresses.
4. If you choose to use it, Allied Telesis recommends activating it on all ports on the switch, including the uplink port. You can specify only one uplink port.
This defense is extremely CPU intensive; use with caution. Unrestricted use can cause a switch to halt operations if the CPU becomes overwhelmed with IP traffic. To prevent this, Allied Telesis recommends activating this defense on only the uplink port and one other switch port at a time.
CPU events, such as the processing of IGMP packets and spanning tree BPDUs. For this reason, Allied Telesis recommends limiting the use of this defense, activating it only on those ports where an attack is most likely to originate.
In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 Management Software does not distinguish between them. Rather, the defense mechanism counts the number of ingress IP packets containing IP options received on a port.
Implementing this feature requires configuring the port mirroring feature as follows: Activate port mirroring. Specify a destination port. Do not specify any source ports. The source ports are defined by the Denial of Service defense mechanism.
Chapter 15: Denial of Service Defenses Denial of Service Defense Guidelines Below are guidelines to observe when using this feature: A switch port can support more than one DoS defense at a time. The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.
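The Land check and the per-port IP-options counter described above, run over constructed packets, as an added example that is not AT-S63 code. The alert threshold, the IPv4 headers and the addresses are constructed; the page does not state the switch's own threshold, and the switch's other defenses (SYN flood, Smurf, Teardrop, Ping of Death) are not modelled:

```python
"""Added example (not AT-S63 code): two of the checks the page describes,
the Land check (identical source and destination IP, packet discarded)
and the per-port counter of ingress IP packets carrying IP options. The
alert threshold, the packet representation and all addresses are
constructed."""
from collections import Counter
import struct

LAND = "land"
IP_OPTIONS = "ip-options"


def ipv4_header(src_ip, dst_ip, options=b""):
    """Construct a minimal IPv4 header; options are padded to a 32-bit boundary
    and the IHL field grows accordingly (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4

    def ip_bytes(addr):
        return bytes(int(o) for o in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       ip_bytes(src_ip), ip_bytes(dst_ip)) + options


def addresses(header):
    """(source, destination) dotted-quad strings from an IPv4 header."""
    return (".".join(str(b) for b in header[12:16]),
            ".".join(str(b) for b in header[16:20]))


def has_ip_options(header):
    """An IPv4 header longer than the 20-byte minimum (IHL > 5) carries options."""
    return (header[0] & 0x0F) > 5


class DosMonitor:
    def __init__(self, ip_options_threshold=3):
        self.threshold = ip_options_threshold    # constructed; the switch's value is not on the page
        self.option_counts = Counter()           # ingress port -> IP packets seen with options

    def inspect(self, port, header):
        """Return a verdict dict for one ingress IP packet on a port."""
        src, dst = addresses(header)
        alerts = []
        discard = False
        if src == dst:
            # Land packet: the page says to discard packets with identical addresses
            discard = True
            alerts.append(LAND)
        if has_ip_options(header):
            # The IP options defense counts such packets per port rather than
            # distinguishing the option types
            self.option_counts[port] += 1
            if self.option_counts[port] >= self.threshold:
                alerts.append(IP_OPTIONS)
        return {"port": port, "src": src, "dst": dst, "discard": discard, "alerts": alerts}


def run_sample():
    """Feed constructed traffic through the monitor; returns the list of verdicts."""
    mon = DosMonitor(ip_options_threshold=3)
    nop_option = b"\x01"    # IPv4 No-Operation option, padded to 4 bytes by ipv4_header
    sample = [
        (1, ipv4_header("192.0.2.10", "192.0.2.1")),
        (1, ipv4_header("192.0.2.1", "192.0.2.1")),            # land: src == dst
        (2, ipv4_header("198.51.100.7", "192.0.2.1", nop_option)),
        (2, ipv4_header("198.51.100.7", "192.0.2.1", nop_option)),
        (2, ipv4_header("198.51.100.7", "192.0.2.1", nop_option)),  # third: threshold reached
    ]
    return [mon.inspect(port, hdr) for port, hdr in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The counter is kept per ingress port, which is why the guidelines above tell you to enable the IP options defense only on the ports where such traffic is expected: every counted packet costs CPU time on the switch.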
Chapter 16 Power Over Ethernet This chapter contains background information on Power over Ethernet (PoE) for the AT-9424T/POE Switch. Sections in the chapter include: “Supported Platforms” on page 190 “Overview” on page 191 “Power Budgeting” on page 192 “Port Prioritization”...
Chapter 16: Power Over Ethernet. Supported Platforms: Refer to Table 56 and Table 57 for the AT-9400 Switch and the management interfaces that support the Power over Ethernet feature. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP...
AT-S63 Management Software Menus User’s Guide Overview Power over Ethernet (PoE) is a mechanism for supplying power to network devices over the same twisted pair cables that carry the network traffic. This feature, defined in the IEEE 802.3af standard, can make the installation and maintenance of a network easier.
Chapter 16: Power Over Ethernet Power Budgeting The AT-9424T/POE Switch has a maximum power budget of 380 watts. The maximum possible load on the switch from the powered devices is 360W. The latter number assumes that all of the twenty four ports are connected to powered devices that are drawing the maximum of 15.4 W per port.
Power allocation is dynamic. Ports supplying power to powered devices may cease power transmission if the switch’s power budget has reached maximum usage and new powered devices, connected to ports with a higher priority, become active. [Port priority table residue: Critical; High]
Chapter 16: Power Over Ethernet PoE Device Classes The IEEE 802.3af standard specifies four levels of classes for powered devices that are defined by power usage. The classes are: (The standard actually specifies five levels; the fifth is reserved for future use.) The class of a powered device is set by the manufacturer and it cannot be changed.
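The dynamic allocation described under Power Budgeting above, as an added example that is not AT-S63 code. The 15.4 W per-port maximum and the 380 W budget are from the page; the Critical/High/Low priority names, the port-number tie-break and the 40 W demo budget are assumptions:

```python
"""Added example (not AT-S63 code): dynamic PoE budget allocation as the
page describes it. Ports are powered in priority order, and when the
budget is exhausted, a device appearing on a higher-priority port causes
the lowest-priority powered ports to lose power. The 15.4 W per-port
maximum and 380 W budget are from the page; the Critical/High/Low
priority names, the port-number tie-break and the 40 W budget used in
run_sample are assumptions."""
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # names assumed; lower rank wins
PORT_MAX_W = 15.4
SWITCH_BUDGET_W = 380.0


class PoeBudget:
    def __init__(self, budget_w=SWITCH_BUDGET_W):
        self.budget_w = budget_w
        self.devices = {}          # port -> (priority, requested watts)

    def connect(self, port, priority, watts):
        """Register a powered device and return the new port -> powered map."""
        if priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {priority!r}")
        if not 0 < watts <= PORT_MAX_W:
            raise ValueError(f"port {port}: {watts} W exceeds the {PORT_MAX_W} W per-port maximum")
        self.devices[port] = (priority, watts)
        return self.allocate()

    def disconnect(self, port):
        """Remove a device; freed power may let a lower-priority port come back up."""
        self.devices.pop(port, None)
        return self.allocate()

    def allocate(self):
        """Walk the ports from highest to lowest priority (then lowest port number, an
        assumed tie-break) and power each one that still fits in the budget."""
        remaining = self.budget_w
        powered = {}
        order = sorted(self.devices.items(),
                       key=lambda item: (PRIORITY_RANK[item[1][0]], item[0]))
        for port, (_priority, watts) in order:
            if watts <= remaining:
                powered[port] = True
                remaining -= watts
            else:
                powered[port] = False
        return powered


def run_sample():
    """Constructed scenario on a 40 W budget: three low-priority devices at the
    15.4 W maximum, then a critical device that displaces two of them."""
    poe = PoeBudget(budget_w=40.0)
    poe.connect(1, "low", 15.4)
    poe.connect(2, "low", 15.4)
    before = poe.connect(3, "low", 15.4)          # 46.2 W asked of 40 W: port 3 stays dark
    after = poe.connect(24, "critical", 12.0)     # critical device preempts the low ports
    return before, after


if __name__ == "__main__":
    before, after = run_sample()
    print("before critical device:", before)
    print("after critical device: ", after)
```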
Section III Snooping Protocols The chapters in this section contain overview information on the snooping protocols. The chapters include: Chapter 17, “Internet Group Management Protocol Snooping” on page Chapter 18, “Multicast Listener Discovery Snooping” on page 201 Chapter 19, “Router Redundancy Protocol Snooping” on page 205 Chapter 20, “Ethernet Protection Switching Ring Snooping”...
Chapter 17 Internet Group Management Protocol Snooping This chapter explains the Internet Group Management Protocol (IGMP) snooping feature in the following sections: “Supported Platforms” on page 198 “Overview” on page 199
Chapter 17: Internet Group Management Protocol Snooping. Supported Platforms: Refer to Table 58 and Table 59 for the AT-9400 Switches and the management interfaces that support the Internet Group Management Protocol (IGMP) snooping feature. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424T/POE...
Overview: IPv4 routers use IGMP to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodically sending out queries to the local area networks connected to its ports.
Chapter 17: Internet Group Management Protocol Snooping Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance. The AT-9400 Switch maintains its list of multicast groups through an adjustable timeout value, which controls how frequently it expects to see reports from end nodes that want to remain members of multicast groups,...
Chapter 18: Multicast Listener Discovery Snooping. Supported Platforms: Refer to Table 60 and Table 61 for the AT-9400 Switches and the management interfaces that support Multicast Listener Discovery snooping. Table 60 (Support for Multicast Listener ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T...
There are two versions of MLD. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3. The AT-9400 Switch supports snooping of both MLDv1 and MLDv2. Note: The default setting for MLD snooping on the switch is disabled.
Chapter 19: Router Redundancy Protocol Snooping. Supported Platforms: Refer to Table 62 and Table 63 for the AT-9400 Switches and the management interfaces that support Router Redundancy Protocol Snooping. Table 62 (Support for Router Redundancy ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T...
RRP snooping monitors ingress RRP packets, determined by their source MAC address. Source MAC addresses considered by the AT-S63 Management Software as RRP packets are: A port receiving an RRP packet is deemed by the switch as the master RRP port.
Chapter 19: Router Redundancy Protocol Snooping Guidelines The following guidelines apply to the RRP snooping feature: The default setting for this feature is disabled. Activating the feature flushes all dynamic MAC addresses from the MAC address table. RRP snooping is supported on ports operating in the MAC address-based port security level of automatic.
Chapter 20 Ethernet Protection Switching Ring Snooping This chapter has the following sections: “Supported Platforms” on page 210 “Overview” on page 211 “Restrictions” on page 213 “Guidelines” on page 215
Chapter 20: Ethernet Protection Switching Ring Snooping. Supported Platforms: Refer to Table 64 and Table 65 for the AT-9400 Switches and the management interfaces that support Ethernet Protection Switching Ring Snooping. Table 64 (Support for Ethernet Protection ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
VLAN groups. For information on VLANs, refer to Chapter 24, “Port-based and Tagged VLANs” on page 269. Note: For background information and configuration examples of EPSR, refer to the AlliedWare OS Software Reference Guide.
Chapter 20: Ethernet Protection Switching Ring Snooping After creating the VLANs, you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it receive EPSR messages on one of the two ports of the VLAN.
The AT-9400 Switch cannot fulfill the role of master node of a ring because EPSR snooping does not generate EPSR control messages. That function must be assigned to another Allied Telesis switch that supports EPSR, such as the AT-x900 Advanced Layer 3 Switches. (For a list of Allied Telesis products that support EPSR, refer to the company’s web site or...
Chapter 20: Ethernet Protection Switching Ring Snooping. [Figure 18. Double Fault Condition in EPSR Snooping; nodes: AT-8948 Switch (Master Node), Transit Node, AT-9400 Switch, Transit Node] Now assume the link is reestablished between the switch and transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN to the AT-9400 Switch.
Guidelines: The guidelines to EPSR snooping are: The AT-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances. The AT-9400 Switch cannot be the master node of a ring.
Section IV SNMPv3 The chapter in this section contains overview information on SNMPv3. The chapter is: Chapter 21, “SNMPv3” on page 219...
Chapter 21 SNMPv3 This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. The following sections are provided: “Supported Platforms” on page 220 “Overview” on page 221 “SNMPv3 Authentication Protocols” on page 222 “SNMPv3 Privacy Protocol” on page 223 “SNMPv3 MIB Views”...
This section further describes the features of the SNMPv3 protocol. The following subsections are included: Note: For the SNMP RFCs supported by this release of the AT-S63 software, see “Remote SNMP Management” on page 44. “SNMPv3 Authentication Protocols” on page 222 “SNMPv3 Privacy Protocol” on page 223 “SNMPv3 MIB Views”...
Chapter 21: SNMPv3 SNMPv3 Authentication Protocols The SNMPv3 protocol supports two authentication protocols—HMAC- MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both protocols use keys to perform authentication.
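HMAC-MD5-96 and HMAC-SHA-96 as named above, with the RFC 3414 steps that turn a user's password into the key a particular switch authenticates with, as an added example that is not AT-S63 code. The password and engine ID are the RFC 3414 appendix test values; the message is constructed:

```python
"""Added example (not AT-S63 code): the two SNMPv3 authentication
protocols the page names, HMAC-MD5-96 and HMAC-SHA-96, as RFC 3414
defines them. A user's password is turned into a key, the key is
localized to the switch's engine ID, and the HMAC over the message is
truncated to 96 bits (12 bytes). PASSWORD and ENGINE_ID are the RFC 3414
appendix test values; the message in the demo is constructed."""
import hashlib
import hmac

ALGOS = {"MD5": "md5", "SHA": "sha1"}   # the page's protocol names -> hashlib names


def password_to_key(password, protocol):
    """RFC 3414 A.2: digest 1,048,576 bytes of the password repeated end to end."""
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(ALGOS[protocol], password * reps + password[:rem]).digest()


def localize_key(ku, engine_id, protocol):
    """Kul = H(Ku || snmpEngineID || Ku): the same password yields a different
    key on every switch, so a key captured from one engine is useless on another."""
    return hashlib.new(ALGOS[protocol], ku + engine_id + ku).digest()


def localized_key(password, engine_id, protocol):
    return localize_key(password_to_key(password, protocol), engine_id, protocol)


def auth_parameters(kul, message, protocol):
    """msgAuthenticationParameters: HMAC over the whole message (the caller passes
    it with its 12-byte authentication field zeroed), truncated to the first 96 bits."""
    return hmac.new(kul, message, ALGOS[protocol]).digest()[:12]


def verify(kul, message, received_params, protocol):
    """The receiver recomputes the digest and compares in constant time; a message
    whose digest differs, or that was altered in transit, is rejected."""
    return hmac.compare_digest(auth_parameters(kul, message, protocol), received_params)


ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test engine ID
PASSWORD = b"maplesyrup"                                # RFC 3414 A.3 test password


if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        kul = localized_key(PASSWORD, ENGINE_ID, proto)
        print(proto, "localized key:", kul.hex())
    msg = b"constructed SNMPv3 message with zeroed auth field"   # constructed, not real BER
    params = auth_parameters(localized_key(PASSWORD, ENGINE_ID, "SHA"), msg, "SHA")
    print("HMAC-SHA-96 params:", params.hex(), "(", len(params), "bytes )")
```

The digest is truncated to 96 bits for both protocols, which is what the "-96" in the names refers to; the strength difference between the two lies in the underlying hash, not in the length of the transmitted field.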
After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S63 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES protocol is the only encryption protocol supported.
[MIB tree figure labels: (2), ip (4)] The AT-S63 software supports the MIB tree, starting with the Internet MIBs, as defined by 1.3.6.1. There are two ways to specify a MIB view. You can enter the OID number of the MIB view or its equivalent text name.
After you specify a MIB subtree view you have the option of further restricting a view by defining a subtree mask. The relationship between a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask.
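The subtree-mask relationship described above, with the standard RFC 3415 (VACM) semantics of subtree families, as an added example that is not AT-S63 code: a 1 bit means the sub-identifier at that position must match, a 0 bit makes it a wildcard, and bits past the end of the mask count as 1. The Managers/Operators views, the interface row and the masks are constructed; the OIDs for the system group, ifTable and snmpUsmMIB are the standard ones:

```python
"""Added example (not AT-S63 code): an SNMPv3 MIB view made of subtree
families, each a subtree OID plus a subtree mask, with the RFC 3415
(VACM) semantics the page's subnet-mask analogy points at: a 1 bit means
that sub-identifier must match, a 0 bit makes it a wildcard, and bits
past the end of the mask count as 1. The views, the interface row and
the masks below are constructed; system is 1.3.6.1.2.1.1, ifEntry is
1.3.6.1.2.1.2.2.1 and snmpUsmMIB is 1.3.6.1.6.3.15."""


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask, length):
    """Bit i of the mask (most significant bit first) governs sub-identifier i;
    a sub-identifier beyond the mask's length must match."""
    bits = []
    for i in range(length):
        byte, bit = divmod(i, 8)
        bits.append(True if byte >= len(mask) else bool(mask[byte] & (0x80 >> bit)))
    return bits


def in_family(oid, subtree, mask):
    """The OID belongs to the family if it is at least as long as the subtree and
    agrees with it on every sub-identifier whose mask bit is 1."""
    if len(oid) < len(subtree):
        return False
    return all(not must or o == s
               for o, s, must in zip(oid, subtree, mask_bits(mask, len(subtree))))


class MibView:
    def __init__(self):
        self.families = []   # (subtree, mask, included)

    def add(self, subtree, mask=b"", included=True):
        self.families.append((parse_oid(subtree), mask, included))
        return self

    def allows(self, oid_text):
        """Access decision for one object: among the matching families the longest
        subtree wins, ties go to the lexicographically greater mask (RFC 3415), and
        that family's included/excluded type decides."""
        oid = parse_oid(oid_text)
        best = None
        for subtree, mask, included in self.families:
            if in_family(oid, subtree, mask):
                rank = (len(subtree), mask)
                if best is None or rank > best[0]:
                    best = (rank, included)
        return best is not None and best[1]


def build_views():
    """Constructed views: Managers see everything under internet except the USM user
    table; Operators see the system group and, with a mask that wildcards the column
    sub-identifier, every column of interface row 3 in ifTable."""
    managers = (MibView()
                .add("1.3.6.1")                           # internet
                .add("1.3.6.1.6.3.15", included=False))   # snmpUsmMIB hidden
    operators = (MibView()
                 .add("1.3.6.1.2.1.1")                    # system group
                 .add("1.3.6.1.2.1.2.2.1.1.3",            # ifEntry.<any column>.3
                      mask=bytes.fromhex("ffa0")))        # bits 1-9 fixed, 10 wild, 11 fixed
    return {"Managers": managers, "Operators": operators}


if __name__ == "__main__":
    views = build_views()
    for name, view in views.items():
        for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.10.3",
                    "1.3.6.1.2.1.2.2.1.10.4", "1.3.6.1.6.3.15.1.2.2.1.3"):
            print(f"{name:9s} {oid:28s} {'allowed' if view.allows(oid) else 'denied'}")
```

Read the mask ff:a0 as 1111 1111 1010 0000 laid over the eleven sub-identifiers of 1.3.6.1.2.1.2.2.1.1.3: only the tenth (the column number) is a wildcard, so ifInOctets.3 and ifDescr.3 are visible but nothing for interface 4 is.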
Chapter 21: SNMPv3 SNMPv3 Storage Types Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile storage which allows you to save the table entry or volatile storage which does not allow you to save an entry. If you select the volatile storage type, when you power off the switch your SNMPv3 configuration is lost and cannot be recovered.
Level, Privacy Protocol and Group—with the type of message and the host IP address. [Figure residue: The type of message; The destination of the message; SNMP security information; User; View of the MIB Tree; Security Level; Security Model; Authentication Level; Privacy Protocol; Group]
Chapter 21: SNMPv3 SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration: First, you create a user in the Configure SNMPv3 User Table.
“SNMPv3 View Table” on page 230; “SNMPv3 SecurityToGroup Table” on page 230; “SNMPv3 Notify Table” on page 231; “SNMPv3 Target Address Table” on page 231. [Figure residue: Linked by Notify Tag; Linked by Target Parameter Name; Linked by User Name]
Chapter 21: SNMPv3. SNMPv3 User Table: The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are authenticated when they send and receive messages. In addition, you can configure a privacy protocol and password so messages a user sends and receives are encrypted.
SNMPv3 Community Table: The Configure SNMPv3 Community Table menu allows you to configure SNMPv1 and SNMPv2c communities. If you are going to use the SNMPv3 Community Tables to configure SNMPv1 and SNMPv2c communities, start with the SNMPv3 Community Table.
Chapter 21: SNMPv3 SNMPv3 Configuration Example You may want to have two classes of SNMPv3 users—Managers and Operators. In this scenario, you would configure one group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privileges only. For a detailed example of this configuration, see Appendix B, “SNMPv3 Configuration Examples”...
Section V Spanning Tree Protocols The section has the following chapters: Chapter 22, “Spanning Tree and Rapid Spanning Tree Protocols” on page 235 Chapter 23, “Multiple Spanning Tree Protocol” on page 247
Chapter 22 Spanning Tree and Rapid Spanning Tree Protocols This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The sections in this chapter include: “Supported Platforms” on page 236 “Overview” on page 237 “Bridge Priority and the Root Bridge”...
Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols. Supported Platforms: Refer to Table 68 and Table 69 for the AT-9400 Switches and the management interfaces that support the Spanning Tree and Rapid Spanning Tree Protocols. Table 68 (Support for the Spanning Tree and ...): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB...
Only one spanning tree can be active on the switch at a time. The default is RSTP. The STP implementation on the AT-S63 Management Software complies with the IEEE 802.1d standard. The RSTP implementation complies with the IEEE 802.1w standard. The following subsections provide a basic overview on how STP and RSTP operate and define the different parameters that you can adjust.
MAC address is designated as the root bridge. You can change the bridge priority number in the AT-S63 Management Software. You can designate which switch on your network you want as the root bridge by giving it the lowest bridge priority number. You might...
The port cost of a port on the AT-9400 Switch is adjustable through the AT-S63 Management Software. For STP, the range is 0 to 65,535. For RSTP, the range is 0 to 20,000,000. Port cost also has an Auto-Detect feature. This feature allows spanning tree to automatically set the port cost according to the speed of the port, assigning a lower value for higher speeds.
Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols Table 72 lists the STP port costs with Auto-Detect when a port is part of a port trunk. Table 73 lists the RSTP port costs with Auto-Detect. Table 74 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk.
The forwarding delay value is adjustable in the AT-S63 Management Software. The appropriate value for this parameter depends on a number of variables; the size of your network is a primary factor. For large...
RSTP devices connected to it. Note This section applies only to RSTP. Figure 22. Point-to-Point Ports (the figure shows a point-to-point port and an edge port on an AT-9424T/SP switch)...
Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no STP or RSTP devices connected to it. Figure 24 illustrates a port functioning as both a point-to-point and edge port.
AT-S63 Management Software Features Guide Mixed STP and RSTP Networks RSTP IEEE 802.1w is fully compliant with STP IEEE 802.1d. Your network can consist of bridges running both protocols. STP and RSTP in the same network can operate together to create a single spanning tree domain.
Chapter 22: Spanning Tree and Rapid Spanning Tree Protocols Spanning Tree and VLANs The spanning tree implementation in the AT-S63 Management Software is a single-instance spanning tree. The switch supports just one spanning tree. You cannot define multiple spanning trees.
Chapter 23 Multiple Spanning Tree Protocol This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The sections in this chapter include: “Supported Platforms” on page 248 “Overview” on page 249 “Multiple Spanning Tree Instance (MSTI)” on page 250 “MSTI Guidelines”...
Chapter 23: Multiple Spanning Tree Protocol Supported Platforms Refer to Table 76 and Table 77 for the AT-9400 Switches and the management interfaces that support the Multiple Spanning Tree Protocol. Table 76. Support for the Multiple Spanning Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP...
Note The AT-S63 MSTP implementation complies fully with the new IEEE 802.1s standard and should be interoperable with any other vendor’s fully compliant 802.1s implementation. AT-S63 Management Software Features Guide...
Chapter 23: Multiple Spanning Tree Protocol Multiple Spanning Tree Instance (MSTI) The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). A MSTI can span any number of AT-9400 Switches. The switch can support up to 16 MSTIs at a time. To create a MSTI, you first assign it a number, referred to as the MSTI ID.
Figure 26. VLAN Fragmentation with STP or RSTP (the figure shows a Sales VLAN and a Production VLAN on two AT-9424T/SP Gigabit Ethernet Switches)...
Chapter 23: Multiple Spanning Tree Protocol Figure 27 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links remain active, enabling the VLANs to forward traffic over their respective direct link.
Chapter 23: Multiple Spanning Tree Protocol MSTI Guidelines The following are several guidelines to keep in mind about MSTIs: The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST. A MSTI can contain any number of VLANs. A VLAN can belong to only one MSTI at a time.
VLAN and MSTI Associations Part of the task of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instance can contain any number of VLANs.
Ports in Multiple MSTIs A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously, depending on the requirements of the MSTIs.
Configuration name
Revision number
VLANs
VLAN to MSTI ID associations
If any of the above information is different on two bridges, MSTP considers the bridges as residing in different regions.
Chapter 23: Multiple Spanning Tree Protocol Figure 29 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with the same MSTIs.
MSTIs can share the same regional root or have different roots. A regional root is determined by the MSTI priority value and a bridge’s MAC address. The regional root of a MSTI must be in the same region as the MSTI. AT-S63 Management Software Features Guide...
Common and Internal Spanning Tree (CIST) MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself.
A port transmits CIST information even when it is associated with another MSTI ID. However, in determining network loops, MSTI takes precedence over CIST. (This is explained more in “Associating VLANs to MSTIs” on page 263.)
Chapter 23: Multiple Spanning Tree Protocol Note The AT-S63 MSTP implementation complies fully with the new IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementation. Section V: Spanning Tree Protocols...
Associating VLANs to MSTIs Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state.
When port 4 on switch B receives a BPDU, the switch notes that the port sending the packet belongs only to the CIST. Therefore, switch B uses the CIST in determining whether a loop exists. The result is that the switch detects a loop because the other port is also receiving BPDU packets from CIST 0.
Figure 32. Spanning Regions - Example 1 (the figure shows Switch A and Region 2, built from AT-9424T/SP Gigabit Ethernet Switches)...
Chapter 23: Multiple Spanning Tree Protocol Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example. Assume that you have two regions that contain the following VLANS: Region 1 VLANs Sales...
Section VI Virtual LANs The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Switch. The chapters include: Section VI: Virtual LANs Chapter 24, “Port-based and Tagged VLANs” on page 269 Chapter 25, “GARP VLAN Registration Protocol” on page 283 Chapter 26, “Multiple VLAN Modes”...
Chapter 24 Port-based and Tagged VLANs This chapter contains overview information about port-based and tagged virtual LANs (VLANs). This chapter contains the following sections: Section VI: Virtual LANs “Supported Platforms” on page 270 “Overview” on page 271 “Port-based VLAN Overview” on page 273 “Tagged VLAN Overview”...
Chapter 24: Port-based and Tagged VLANs Supported Platforms Refer to Table 78 and Table 79 for the AT-9400 Switches and the management interfaces that support the port-based and tagged VLANs. Table 78. Support for the Port-based and Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP...
VLAN remains within the VLAN. With VLANs, you can segment your network through the switch’s AT-S63 Management Software and so be able to group nodes with related functions into their own separate, logical LAN segments. These VLAN groupings can be based on similar data needs or security requirements.
Chapter 24: Port-based and Tagged VLANs The AT-9400 Switch supports the following types of VLANs you can create yourself: These VLANs are described in the following sections. Management Software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another.
Note The AT-9400 Switch is preconfigured with one port-based VLAN. All ports on the switch are members of this VLAN, called the Default_VLAN.
VLAN name
VLAN Identifier
Untagged ports
Port VLAN Identifier
AT-9400 Switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 Management Software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
VLAN that spans three switches would require one port on each switch to interconnect the various sections of the VLAN. In network configurations where there are many individual VLANs that span switches, many ports could end up being used ineffectively just to interconnect the various VLANs. AT-S63 Management Software Features Guide...
The ports have been assigned PVID values. A port’s PVID is assigned automatically by the AT-S63 Management Software when you create the VLAN. The PVID of a port is the same as the VID to which the port is an untagged member.
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:
Sales VLAN: AT-9424T/SP Switch (top), Ports 1 - 6 (PVID 2); AT-9424T/GB Switch (bottom), Ports 2 - 4, 6, 8 (PVID 2)
Engineering VLAN...
Tagged VLAN Overview The second type of VLAN supported by the AT-S63 Management Software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership.
Tagged and Untagged Ports You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which untagged when you create the VLAN.
Figure 35. Example of a Tagged VLAN (the figure shows the Production VLAN (VID 4) with a legacy server and a router connected to an AT-9424T/SP and an AT-9424T/GB Gigabit Ethernet Switch)...
The port assignments for the VLANs are as follows:
Sales VLAN (VID 2), Untagged Ports: AT-9424T/SP Switch (top), ports 1, 3 to 5 (PVID 2); AT-9424T/GB Switch (bottom), ports 2, 4, 6, 8 (PVID 2)
This example is nearly identical to the “Port-based Example 2”...
Chapter 25 GARP VLAN Registration Protocol This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections: Section VI: Virtual LANs “Supported Platforms” on page 284 “Overview” on page 285 “Guidelines” on page 288 “GVRP and Network Security” on page 289 “GVRP-inactive Intermediate Switches”...
Chapter 25: GARP VLAN Registration Protocol Supported Platforms Refer to Table 80 and Table 81 for the AT-9400 Switches and the management interfaces that support the GARP VLAN Registration Protocol. Table 80. Support for the GARP VLAN Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP...
Generic Attribute Registration Protocol (GARP), does this for you automatically. The AT-S63 Management Software uses GVRP protocol data units (PDUs) to share VLAN information among GVRP-active devices. The PDUs contain the VID numbers of the VLANs on the switch. A PDU contains the VIDs of all the VLANs on the switch, not just the VID of which the transmitting port is a member.
Figure 36 provides an example of how GVRP works. (The figure shows Switch #1 with the static Sales VLAN, VID=11, on port 1.) Switches #1 and #3 contain the Sales VLAN, but switch #2 does not.
VLAN as tagged dynamic GVRP ports. ... as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made. ... tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN.
VLANs and static port assignments. The default port setting on the switch for GVRP is active, meaning that the ports participate in GVRP. Allied Telesis recommends disabling GVRP on those ports that are connected to GVRP-inactive devices, meaning devices that do not feature GVRP.
GVRP-inactive devices. Converting all dynamic GVRP VLANs and dynamic GVRP ports to static assignments, and then turning off GVRP on all switches. This preserves the new VLAN assignments while protecting against network intrusion. AT-S63 Management Software Features Guide...
Chapter 25: GARP VLAN Registration Protocol GVRP-inactive Intermediate Switches If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs that it receives from the GVRP-active switches.
AT-S63 Management Software Features Guide Generic Attribute Registration Protocol (GARP) Overview The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to...
GARP architecture is shown in Figure 37 (the figure shows a GARP participant consisting of a GARP application and the MAC layer for port 1). The GARP application component of the GARP participant is responsible for defining the semantics associated with the parameter values and operators received in GARP PDUs, and for generating GARP PDUs for transmission.
Figure 38. GID Architecture (the figure shows an attribute with its registrar state)
To ensure that this participant’s declarations are registered by other participants’ registrars.
To ensure that other participants have a chance to redeclare (rejoin) after anyone withdraws a declaration (leaves).
Chapter 25: GARP VLAN Registration Protocol To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchanges. To control the registrar state machine, a registrar administrative control parameter is provided.
Chapter 26: Multiple VLAN Modes Supported Platforms Refer to Table 82 and Table 83 for the AT-9400 Switches and the management interfaces that support the multiple VLAN modes. Table 82. Support for the Multiple VLAN Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T...
Chapter 26: Multiple VLAN Modes 802.1Q- Compliant Multiple VLAN Mode In this mode, each port is placed into a separate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numbers. For example, the VLAN for port 4 is named Client_VLAN_4 and is given the VID of 4, the VLAN for port 5 is named Client_VLAN_5 and has a VID of 5, and so on.
Table 84. 802.1Q-Compliant Multiple VLAN Example (Continued) (columns: VLAN Name, Untagged Port, Tagged Port) Note The uplink VLAN is the management VLAN. Any remote management of the switch must be made through the uplink VLAN.
Chapter 26: Multiple VLAN Modes Non-802.1Q Compliant Multiple VLAN Mode Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. To establish traffic isolation, it uses port mapping.
Chapter 27 Protected Ports VLANs This chapter explains protected ports VLANs. It contains the following sections: Section VI: Virtual LANs “Supported Platforms” on page 302 “Overview” on page 303 “Guidelines” on page 305...
Chapter 27: Protected Ports VLANs Supported Platforms Refer to Table 85 and Table 86 for the AT-9400 Switches and the management interfaces that support the protected ports VLANs. Table 85. Support for the Protected Ports Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T...
802.1Q compliant. Section VI: Virtual LANs Note For explanations of VIDs and tagged and untagged ports, refer to Chapter 24, “Port-based and Tagged VLANs” on page 269. AT-S63 Management Software Features Guide...
(table columns: VLAN, Uplink Port(s), Group Number) Allied Telesis recommends that you create tables similar to these before you create your own protected ports VLAN. Having the tables handy will make your job easier when the switch prompts you for this information.
Guidelines Following are the guidelines for implementing protected ports VLANs: A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a port-based or tagged VLAN instead.
Chapter 28 MAC Address-based VLANs This chapter contains overview information about MAC address-based VLANs. Sections in the chapter include: Section VI: Virtual LANs “Supported Platforms” on page 308 “Overview” on page 309 “Egress Ports” on page 310 “VLANs That Span Switches” on page 313 “VLAN Hierarchy”...
Chapter 28: MAC Address-based VLANs Supported Platforms Refer to Table 87 and Table 88 for the AT-9400 Switches and the management interfaces that support MAC address-based VLANs. Table 87. Support for the MAC Address- Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9424T AT-9424T/POE...
LAN segments within a network and are typically employed to improve network performance and security. The AT-S63 Management Software offers several different types of VLANs, including port-based, tagged, and protected ports. Membership in these VLANs is determined either by the port VLAN identifier (PVID) assigned to a port on a switch or, in the case of tagged traffic, by the VLAN identifier within the packets themselves.
Chapter 28: MAC Address-based VLANs Egress Ports Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports on the switch for the packets from the nodes.
VLAN on the port. This means that whatever device is connected to the port receives the flooded traffic of all three VLANs. (The figure shows an end node, Workstation 1 on port 1 and Workstation 2 on port 2.)
If security is a major concern for your network, you might not want to assign a port as an egress port to more than one VLAN when planning your MAC address-based VLANs. When a packet whose source MAC address is part of a MAC address-based VLAN arrives on a port, the switch performs one of the following actions: If the packet’s destination MAC address is not in the MAC address...
Note that each VLAN contains the complete set of MAC addresses of all VLAN nodes along with the appropriate egress ports on the switches. Figure 39. Example of a MAC Address-based VLAN Spanning Switches (MAC Addresses: Address_1 Address_2...)
Chapter 28: MAC Address-based VLANs Table 91. Example of a MAC Address-based VLAN Spanning Switches Switch A VLAN Name: Sales MAC Address Address_1 Address_2 Address_3 Address_4 Address_5 Address_6 Switch B VLAN Name: Sales Egress Ports MAC Address 1,3,4,5 Address_1 Address_2 Address_3 Address_4 Address_5...
AT-S63 Management Software Features Guide VLAN Hierarchy The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egress port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN.
Chapter 28: MAC Address-based VLANs Steps to Creating a MAC Address-based VLAN Here are the three main steps to creating a MAC address-based VLAN: 1. Assign the VLAN a name and a VID. You must also set the VLAN type to MAC Based.
AT-S63 Management Software Features Guide Guidelines Follow these guidelines when implementing a MAC address-based VLAN: MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP Switches. The switch can support up to a total of 4094 port-based, tagged, protected ports, and MAC address-based VLANs.
Chapter 28: MAC Address-based VLANs Egress ports cannot be part of a static or LACP trunk. Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs.
Section VII Routing This section has the following chapters: Chapter 29, “Internet Protocol Version 4 Packet Routing” on page 321 Chapter 30, “BOOTP Relay Agent” on page 355 Chapter 31, “Virtual Router Redundancy Protocol” on page 361 Section VII: Internet Protocol Routing...
“Routing Interfaces and Management Features” on page 342 “Local Interface” on page 345 “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on page 346 “Routing Command Example” on page 348 “Non-routing Command Example” on page 352 “Upgrading from AT-S63 Version 1.3.0 or Earlier” on page 354...
Chapter 29: Internet Protocol Version 4 Packet Routing Supported Platforms Refer to Table 92 and Table 93 for the AT-9400 Switches and the management interfaces that support the IPv4 packet routing feature. Table 92. Support for IPv4 Packet Routing Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP...
AT-S63 Management Software Features Guide Features” on page 342 and “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on page 346. AT-9400Ts Stacks support static routes but not RIP. You can use the menus on a stand-alone switch to configure the routing interfaces, but not static routes or RIP. To configure all of the feature’s components, you must use the command line.
Chapter 29: Internet Protocol Version 4 Packet Routing Overview This section contains an overview of the IPv4 routing feature on the AT-9400 Switch. It begins with an explanation of the following available routing methods: A routing interface is a logical connection to a local network or subnet for the purpose of routing IPv4 packets.
At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example”...
Chapter 29: Internet Protocol Version 4 Packet Routing Routing Interfaces The IPv4 packet routing feature on the switch is built on the foundation of the routing interface. An interface functions as a logical connection to a subnet that allows the egress and ingress of IPv4 packets to the subnet from other local and remote networks, subnets, and nodes.
IP address from a DHCP or BOOTP server. The IP addresses of ... Note Routing interfaces can be configured from either the command line interface or the menus interface.
VLAN ID (VID)
Interface number
IP address and subnet mask
the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resides in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server.
AT-S63 Management Software Features Guide Interface Names Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an interface number, separated by a dash. The VLAN is designated by “vlan” followed by the VLAN identification number (VID) or the VLAN name.
Chapter 29: Internet Protocol Version 4 Packet Routing Static Routes In order for the switch to route an IPv4 packet to a remote network or subnet, there must be a route to the destination in the routing table of the switch.
AT-S63 Management Software Features Guide The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE. Section VII: Routing...
Routing Information Protocol (RIP) A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its neighboring routers in the network with the Routing Information Protocol (RIP) versions 1 and 2. RIP is a fairly simple distance vector routing protocol that defines networks based on how many hops they are from the switch, just as with static routes.
The AT-9400 Switch supports the following RIP functions: ... Note A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does not support encrypted RIP passwords. Dynamic RIP routes that fall under the split horizon rule.
Chapter 29: Internet Protocol Version 4 Packet Routing Default Routes A default route is a “match all” destination entry in the routing table. The switch uses it to route packets whose remote destinations are not in the routing table. Rather than discard the packets, the switch sends them to the next hop specified in the default route.
AT-S63 Management Software Features Guide Equal-cost Multi-path (ECMP) Routing When there are multiple routes in the routing table to the same remote destinations, ECMP enables the switch to use the different routes to forward traffic. This can improve network performance by increasing the available bandwidth for the traffic flows, and also provide for route redundancy.
Chapter 29: Internet Protocol Version 4 Packet Routing ECMP also applies to default routes. This enables the switch to store up to 32 default routes with up to eight of the routes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s ability to store multiple routes to the same destination in its routing table.
180 seconds, it is deleted from the table. The maximum storage capacity of the routing table in the AT-9400 Switch is:
512 interface routes
1024 static routes
1024 RIP routes
Chapter 29: Internet Protocol Version 4 Packet Routing Route Selection Process Here is the route selection process the switch goes through when routing packets to a destination: If there is only one route to a destination, forward the packets using the route.
ARP, SET IP ARP, SET IP ARP TIMEOUT, and SHOW IP ARP. The storage capacity of the ARP table in the AT-9400 Switch is:
1024 static entries
1024 dynamic entries
Note The switch does not support Proxy ARP.
Chapter 29: Internet Protocol Version 4 Packet Routing Internet Control Message Protocol (ICMP) ICMP allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another. The switch implements the ICMP functions listed in Table 94.
AT-S63 Management Software Features Guide Table 94. ICMP Messages Implemented on the AT-9400 Switch ICMP Packet (Type) Switch Response Time to Live Exceeded (11) If the TTL field in a packet falls to zero the switch will send a “Time to live exceeded”...
For instance, the switch can access an SNTP server through one interface and a RADIUS authentication server from another. This differs from some of the earlier versions of the AT-S63 Management Software where all the servers had to be members of what was referred to as the “management VLAN.”...
(that is, switches that are not a part of an enhanced stack) and a master switch of an enhanced stack. This does not apply to the slave switches of an enhanced stack. For background information and guidelines on remote management, refer to the Starting an AT-S63 Management Session Guide.
Device has a routing interface on the local subnet from where the device is reached. In previous versions of the AT-S63 Management Software the device to be pinged had to be reached through the management VLAN of the switch. This restriction no longer applies. A remote device can be pinged from any subnet of the switch that has an interface.
A switch can have only one local interface. For background information on remote management of the switch, refer to the Starting an AT-S63 Management Session Guide. For background information on enhanced stacking, refer to Chapter 3, “Enhanced Stacking” on page 77.
ARP Table These switches also have an ARP table with a maximum capacity of ten ARP entries. The table and entries are used by the AT-S63 Management Software when it performs a management function that requires it to communicate with another device on the network. An example would be if you instructed the switch to ping another network device or download a new AT-S63 image file or configuration file from a TFTP server.
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with another network node. AT-S63 Management Software Features Guide...
Routing Command Example This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands for implementing the feature. To make the example easier to explain, some of the command options are not mentioned and the default values are used instead.
Each interface is given a different interface number, 0 and 1, to distinguish between them. At this point, the switch begins to route IPv4 packets among the local subnets. For further information on this command, refer to the ADD IP INTERFACE
command. Adding a Static Route and Default Route Building on our example, assume you decided to manually enter a route to a remote subnet as a static route. The command for creating a static route is ADD IP ROUTE.
AT-S63 Management Software Features Guide Adding RIP Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its routing neighbors using RIP. To implement RIP, you add it to the routing interfaces where routing neighbors are located.
Chapter 29: Internet Protocol Version 4 Packet Routing Non-routing Command Example This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in cases where you want to implement the management functions described in “Routing Interfaces and Management Features”...
AT-S63 Management Software Features Guide The following command creates a default route for the example and specifies the next hop as 149.44.55.6: add ip route=0.0.0.0 nexthop=149.44.55.6 Section VII: Routing...
Chapter 29: Internet Protocol Version 4 Packet Routing Upgrading from AT-S63 Version 1.3.0 or Earlier When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the management software, the switch automatically creates a routing interface that preserves the previous IP configuration of the unit.
Chapter 30 BOOTP Relay Agent This chapter has the following sections: “Supported Platforms” on page 356 “Overview” on page 357 “Guidelines” on page 359...
Supported Platforms: Refer to Table 96 and Table 97 for the AT-9400 Switches and the management interfaces that support the BOOTP relay agent. Table 96. Support for the BOOTP Relay... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T...
Overview: The AT-S63 Management Software comes with a BOOTP relay agent for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP request to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet because it does not know the IP address of the server.
A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to determine whether the client, in its original request to the server, set this flag to signal that the response must be sent as a broadcast datagram.
Guidelines: These guidelines apply to the BOOTP relay agent: A routing interface functions as the BOOTP relay agent for the local clients in its subnet. You can specify up to eight DHCP or BOOTP servers.
Chapter 31 Virtual Router Redundancy Protocol The chapter has the following sections: “Supported Platforms” on page 362 “Overview” on page 363 “Master Switch” on page 364 “Backup Switches” on page 365 “Interface Monitoring” on page 366 “Port Monitoring” on page 367 “VRRP on the Switch”...
Supported Platforms: Refer to Table 98 and Table 99 for the AT-9400 Switches and the management interfaces that support the Virtual Router Redundancy Protocol. Table 98. Support for the Virtual Router... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
Overview: This chapter describes the Virtual Router Redundancy Protocol (VRRP) of the AT-9400 Basic Layer 3 Switches. One of the functions that switches provide to the hosts of a LAN is to act as gateways. The local hosts use the gateways to communicate with the hosts on the WAN.
Master Switch: The virtual router has a virtual MAC address known by all the switches that participate in the virtual router. The virtual MAC address is derived from the virtual router identifier, which is a user-defined value from 1 to 255.
The “master-down” time is approximately three times the advertisement interval. A backup switch assumes the role of master switch if it receives an advertisement packet from another switch with a lower priority than its own, provided that preempt mode is on.
Interface Monitoring: The virtual router can monitor certain interfaces to change the priority of switches if the master switch loses its connection to the outside world. This is known as interface monitoring. Interface monitoring reduces the priority of the switch when an important interface connection is lost.
VRRP only monitors the state of the interface and does not require that the interface have an IP address. A VLAN cannot be destroyed while it is a monitored interface of a virtual router. To destroy the VLAN, you must first destroy the monitored interface.
VRRP on the Switch: VRRP is disabled by default. When a virtual router is created on the switch, it is enabled by default, but the VRRP module must be enabled before the virtual router is operational. The VRRP module or a specific virtual router can be enabled or disabled afterwards with the ENABLE VRRP and DISABLE VRRP commands.
Inconsistent configuration causes advertisement packets to be rejected, and the virtual router cannot perform properly. The virtual router settings listed are: VRRP virtual router identifier, IP address, advertisement interval, preempt mode, authentication type, and password.
Section VIII Port Security The chapters in this section contain overview information on the port security features of the AT-9400 Switch. The chapters include: Chapter 32, “MAC Address-based Port Security” on page 373 Chapter 33, “802.1x Port-based Network Access Control” on page 379
Chapter 32 MAC Address-based Port Security The sections in this chapter include: “Supported Platforms” on page 374 “Overview” on page 375 “Invalid Frames and Intrusion Actions” on page 377 “Guidelines” on page 378
Supported Platforms: Refer to Table 100 and Table 101 for the AT-9400 Switches and the management interfaces that support MAC address-based port security. Table 100. Support for MAC Address-based... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T...
MAC addresses. A switch port can have up to a total of 255 dynamic and static MAC addresses. The four security levels are Automatic, Limited, Secured, and Locked.
Secured: This security level uses only the static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through the port.
The intrusion actions are: Discard the invalid frame. Discard the invalid frame and send an SNMP trap. (SNMP must be enabled on the switch for the trap to be sent.) Discard the invalid frame, send an SNMP trap, and disable the port.
Guidelines: The following guidelines apply to MAC address-based port security: The filtering of a packet occurs on the ingress port, not on the egress port. You cannot use MAC address-based port security and 802.1x port-based access control on the same port.
Chapter 33 802.1x Port-based Network Access Control The sections in this chapter are: “Supported Platforms” on page 380 “Overview” on page 381 “Authentication Process” on page 383 “Port Roles” on page 384 “Authenticator Ports with Single and Multiple Supplicants” on page 387 “Supplicant and VLAN Associations”...
Supported Platforms: Refer to Table 102 and Table 103 for the AT-9400 Switches and the management interfaces that support 802.1x port-based network access control. Table 102. Support for 802.1x Port-based... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
This port security method uses the RADIUS authentication protocol. The AT-S63 Management Software is shipped with RADIUS client software. If you have already read Chapter 38, “TACACS+ and RADIUS Protocols” on...
The AT-9400 Switch does not authenticate any of the supplicants connected to its ports. Its function is to act as an intermediary between a supplicant and the authentication server during the authentication process. Authentication server - The authentication server is the network device that has the RADIUS server software.
When the supplicant sends an EAPOL-Logoff message, the switch removes the supplicant’s MAC address from the MAC address table, preventing the supplicant from sending or receiving any further traffic through the port.
Port Roles: Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles. None Role - A switch port in the None role does not participate in port-based access control.
This is the default setting for an authenticator port. Force-authorized - Disables IEEE 802.1X port-based authentication and automatically places the port in the authorized state without any authentication exchange required. The port transmits and receives normal traffic without authenticating the client.
As mentioned earlier, the switch itself does not authenticate the user names and passwords from the clients. That function is performed by the authentication server and the RADIUS server software. The switch acts as an intermediary for the authentication server by denying the client access to the network until the client has been validated by the authentication server.
The authenticator port’s operating mode is set to Single and the piggy-back feature is disabled so that only one client can use the port at any one time. The two authenticator operating modes are Single and Multiple.
[Figure 41. Authenticator Port in Single Operating Mode with a Single... Labels: AT-9400 Switch, Port 6, Role: Authenticator, Operating Mode: Single, Piggy-back Mode: Disabled] The example in Figure 42 on page 389 illustrates a configuration that uses the piggy-back mode.
[Figure residue: Ethernet Hub or Non-802.1x-compliant Switch; Unauthenticated Client; Authenticated Clients; AT-9424T/SP Gigabit Ethernet Switch; caption fragment: “...back Feature - Example 1”]
If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are performed automatically.
Selecting the Multiple mode for an authenticator port disables the piggy-back mode, because this operating mode does not permit piggy-backing. [Figure label: RADIUS Authentication]
An example of this authenticator operating mode is illustrated in Figure 45. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x authentication method, the clients must provide their username and password combinations before they can forward traffic through the AT-9400 Switch.
Supplicant and VLAN Associations: One of the challenges to managing a network is accommodating end users who roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises in providing them with access to the same network resources and, conversely, restricting them from unauthorized areas, regardless of the workstation from which they access the network.
The transport medium to be used for the tunnel specified by Tunnel-Private-Group-Id. The only supported value is 802 (6). Tunnel-Private-Group-ID - The ID of the tunnel the authenticated user should use. This must be the name or VID of the VLAN on the switch.
Guest VLAN: An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logged on.
(This information is sent only when a client logs off.) The AT-S63 Management Software supports the Network level of accounting, but not the System or Exec. This feature is only available for ports operating in the Authenticator role.
5. If you want to use RADIUS accounting to monitor the clients... servers or management stations. Authentication protocol server software is not available from Allied Telesis. Funk Software Steel-Belted Radius and Free Radius have been verified as fully compatible with the AT-S63 Management Software.
The MAC address-based port security setting for an authenticator port must be Automatic. This restriction does not apply to a supplicant port. For further information, refer to Chapter 32, “MAC Address-based Port Security” on page 373.
For background information, refer to “Routing Interfaces and Management Features” on page 342. Note: Prior to version 2.0.0 of the AT-S63 Management Software, the RADIUS server had to be a member of the switch’s management VLAN. This restriction no longer applies. The server can be located on any local subnet of the switch that has a routing interface.
The VLAN must already exist on the switch. A client can have only one VLAN associated with it on the RADIUS server. When a supplicant logs on, the switch port is moved as an untagged port to the designated VLAN.
Section IX Management Security The chapters in this section describe the management security features of the AT-9400 Switch. The chapters include: Chapter 34, “Web Server” on page 405 Chapter 35, “Encryption Keys” on page 411 Chapter 36, “PKI Certificates and SSL” on page 421 Chapter 37, “Secure Shell (SSH)”...
Chapter 34 Web Server The sections in this chapter are: “Supported Platforms” on page 406 “Overview” on page 407 “Configuring the Web Server for HTTP” on page 408 “Configuring the Web Server for HTTPS” on page 409
Supported Platforms: Refer to Table 104 and Table 105 for the AT-9400 Switches and the management interfaces that support the web server. Table 104. Support for the Web Server. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts...
Overview: The AT-S63 Management Software has a web server and a special web browser interface that allow you to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interface, refer to the AT-S63 Management Software Web Browser Interface User’s Guide.)
Configuring the Web Server for HTTP: The following steps configure the web server for non-secure HTTP operation. The steps reference only the command line commands, but the web server can be configured from the menus interface, too. 1.
6. Activate HTTPS in the web server with the SET HTTP SERVER... 7. Enable the web server with the ENABLE HTTP SERVER command. For an example of this command sequence, refer to the SET HTTP SERVER command in the AT-S63 Management Software Command Line Interface User’s Guide. General Steps for a Public or Private CA Certificate: These steps configure the web server with a public or private CA certificate.
10. Enable the web server with the ENABLE HTTP SERVER command. For an example of this command sequence, refer to the SET HTTP SERVER command in the AT-S63 Management Software Command Line Interface User’s Guide. ...switch’s file system using the LOAD METHOD=TFTP or LOAD METHOD=XMODEM command.
Chapter 35 Encryption Keys The sections in this chapter are: “Supported Platforms” on page 412 “Overview” on page 413 “Encryption Key Length” on page 414 “Encryption Key Guidelines” on page 415 “Technical Overview” on page 416 For an overview of the procedures for configuring the switch’s web server for encryption, refer to “Configuring the Web Server for HTTPS”...
Supported Platforms: Refer to Table 106 and Table 107 for the AT-9400 Switches and the management interfaces that support encryption keys. Table 106. Support for Encryption Keys. Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424T/POE, AT-9424Ts...
Together they create a key pair. The AT-S63 Management Software supports encryption for remote web browser management sessions using the Secure Sockets Layer (SSL) protocol. Adding encryption to your web browser management sessions involves creating one key pair and adding the public key of the key pair to a certificate, a digital document stored on the switch.
Encryption Key Length: When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 256 bits. The longer the key, the more difficult it is for someone to decipher. If you are particularly concerned about the safety of your management sessions, you might want to use a longer key length than the default, though the default is likely to be sufficient in most situations.
The switch cannot use a key created on another system and imported onto the switch. The AT-S63 Management Software does not allow you to copy or export a private key from a switch. However, you can export a public key.
Technical Overview: The encryption feature provides the following data security services: Data Encryption - Data encryption for switches is driven by the need for organizations to keep sensitive data private and secure. Data encryption operates by applying an encryption algorithm and key to the original data (the plaintext) to convert it into an encrypted form (the ciphertext).
Inner CBC mode encrypts the entire packet in CBC mode three times and requires three different initialization vectors (IVs). Outer CBC mode triple encrypts each 8-byte block of a packet in CBC mode three times and requires one IV.
Because key lengths of 512 bits or greater are used in public key encryption systems, decrypting RSA encrypted messages is almost impossible using current technology. The AT-S63 Management Software uses the RSA algorithm. Asymmetrical encryption algorithms require enormous computational resources, making them very slow when compared to symmetrical algorithms.
The Diffie-Hellman algorithm, which is used by the AT-S63 Management Software, is one of the more commonly used key exchange algorithms. It is not an encryption algorithm because messages cannot be encrypted using Diffie-Hellman.
A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well-tested public key values. The security of the Diffie-Hellman algorithm depends on these values. Public key values less than 768 bits in length are considered to be insecure.
Chapter 36 PKI Certificates and SSL The sections in this chapter are: “Supported Platforms” on page 422 “Overview” on page 423 “Types of Certificates” on page 423 “Distinguished Names” on page 425 “SSL and Enhanced Stacking” on page 427 “Guidelines” on page 428 “Technical Overview”...
Supported Platforms: Refer to Table 108 and Table 109 for the AT-9400 Switches and the management interfaces that support PKI certificates and SSL. Table 108. Support for PKI Certificates and... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
Overview: This chapter describes the second part of the encryption feature of the AT-S63 Management Software—PKI certificates. The first part is explained in Chapter 35, “Encryption Keys” on page 411. Encryption keys and certificates allow you to encrypt the communications between your...
network equipment. With private CAs, companies can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA, and you might want that group to issue the certificate for the AT-9400 Switch so that you are in compliance with company policy.
This is the name of a department, such as Network Support or IT. o - organization: This is the name of the company. st - state: This is the state. c - country: This is the country.
If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the switch’s name instead of the IP address as the distinguished name. For those switches that do not have an IP address, such as slave switches of an enhanced stack, you could assign their certificates a distinguished name using the IP address of the master switch of the enhanced stack.
SSL and Enhanced Stacking: Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext.
Guidelines: The guidelines for creating certificates are: A certificate can have only one key. A switch can use only those certificates that contain a key that was generated on the switch. You can create multiple certificates on a switch, but the device uses the certificate whose key pair has been designated as the active key pair for the switch’s web server.
MAC. The site’s URL changes from HTTP to HTTPS. The browser indicates that it is a secured connection by displaying an icon, such as a padlock icon.
SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification: An SSL connection has two phases: handshake and data transfer. The handshake initiates the SSL session, during which data is securely transmitted between a client and server.
To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name.
...this, and other attacks, PKI provides a means for the secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate. Certificates: A certificate is an electronic identity document. To create a certificate for a subject, a trusted third party (known as the Certification Authority) verifies the subject’s identity, binds a public key to that identity, and digitally signs the certificate.
At least one certification authority (CA), which issues and revokes certificates. At least one publicly accessible repository, which stores certificates and Certificate Revocation Lists. At least one end entity (EE), which retrieves certificates from the repository, validates them, and uses them.
Certificate Validation: To validate a certificate, the end entity verifies the signature in the certificate using the public key of the CA that issued the certificate. CA Hierarchies and Certificate Chains: It may not be practical for every individual certificate in an organization to be signed by one certification authority.
Chapter 37 Secure Shell (SSH) The sections in this chapter are: “Supported Platforms” on page 438 “Overview” on page 439 “Support for SSH” on page 440 “SSH Server” on page 441 “SSH Clients” on page 442 “SSH and Enhanced Stacking” on page 443 “SSH Configuration Guidelines”...
Supported Platforms: Refer to Table 110 and Table 111 for the AT-9400 Switches and the management interfaces that support the Secure Shell protocol. Table 110. Support for the Secure Shell... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T...
Secure Shell server and a machine with a Secure Shell client. The AT-S63 Management Software features Secure Shell server software so that network managers can securely manage the switch over an insecure network. It offers the benefit of cryptographic authentication and encryption.
Support for SSH: The AT-S63 implementation of the SSH protocol is compliant with SSH protocol versions 1.3, 1.5, and 2.0. In addition, some SSH options and features are supported and others are not: Inbound SSH connections (server mode) are supported.
When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as the SSH default port.
The SSH protocol provides a secure connection between the switch and SSH clients. After you have configured the SSH server, you need to install SSH client software on your management workstations. The AT-S63 Management Software supports both SSH1 and SSH2 clients.
SSH and Enhanced Stacking The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave switch, all management communications are conducted through the master switch using the enhanced stacking feature.
Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the master switch of a stack. Activating SSH on a slave switch has no effect.
768 bits. The recommended size for the host key is 1024 bits. You activate and configure SSH on the master switch of an enhanced stack, not on slave switches. The AT-S63 software uses well-known port 22 as the SSH default port.
General Steps to Configuring SSH: Configuring the SSH server involves the following procedures: 1. Create two encryption key pairs on the switch. One pair will function as... 2. Configure and activate the Secure Shell server on the switch by... 3.
Chapter 38 TACACS+ and RADIUS Protocols This chapter describes the two authentication protocols TACACS+ and RADIUS. Sections in the chapter include: “Supported Platforms” on page 448 “Overview” on page 449 “Guidelines” on page 451
Supported Platforms: Refer to Table 112 and Table 113 for the AT-9400 Switches and the management interfaces that support the TACACS+ and RADIUS protocols. Table 112. Support for the TACACS+ and... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP...
The AT-S63 software comes with TACACS+ and RADIUS client software. You can use the client software to add two security features to the switch.
The final function of an authentication protocol is keeping track of user activity on network devices, referred to as accounting. The AT-S63 Management Software does not support RADIUS or TACACS+ accounting as part of manager accounts. However, it does support RADIUS accounting with the 802.1x Port-based Network Access Control...
For RADIUS, management level is controlled by the Service Type attribute. This attribute has 11 different values; only two apply to the AT-S63 Management Software. A value of Administrative for this attribute gives the username and password combination Manager access. A value of NAS Prompt assigns the combination Operator status.
For background information on routing interfaces, refer to Chapter 29, “Internet Protocol Version 4 Packet Routing” on page 321. By default, the authentication protocol feature is disabled in the AT-S63 Management Software. Before activating it, you need the following information: You can specify up to three RADIUS or TACACS+ servers. Specifying multiple servers adds redundancy to your network.
Note: If no authentication server responds or if no servers have been defined, the AT-S63 Management Software defaults to the standard manager and operator accounts. Note: For more information on TACACS+, refer to the RFC 1492 standard.
Chapter 39 Management Access Control List This chapter explains how to restrict Telnet and web browser management access to the switch with the management access control list (ACL). Sections in this chapter include: “Supported Platforms” on page 456 “Overview” on page 457 “Parts of a Management ACE”...
Supported Platforms: Refer to Table 114 and Table 115 for the AT-9400 Switches and the management interfaces that support the management access control list. Table 114. Support for the Management... Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models...
Overview: This chapter explains how to restrict remote management access to a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or a web browser.
Parts of a Management ACE: An ACE has the following three parts: IP Address - You can specify the IP address of a specific management station or a subnet. Mask - The mask indicates the parts of the IP address the switch should filter on. A binary “1”...
Guidelines: Below are guidelines for the management ACL: The default setting for this feature is disabled. A switch can have only one management ACL. A management ACL can have up to 256 ACEs. An ACE must have an IP address and mask.
Examples: Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device. If the management ACL had only this ACE, remote management of the switch would be restricted to just that management station.
...IP address 149.11.11.4: IP Address: 149.11.11.4, Mask: 255.255.255.255, Application Type: Ping. ACE #1: IP Address: 149.11.11.11, Mask: 255.255.255.255, Application Type: (cut off). ACE #2: IP Address: 149.22.22.0, Mask: 255.255.255.0, Application Type: (cut off).
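An added example, not code from the AT-S63 Management Software: a small model of the management ACL described in this chapter, which matches a management station's IP address against each ACE's address and mask and then checks the application type. It assumes that a 1 bit in the mask selects an address bit that must match, that the application type names Telnet, Web, Ping and All are names chosen for this example, that an enabled ACL with no matching ACE refuses the request, and that ACE #1 and ACE #2 (whose application types the page does not show) use All.

```python
"""Management ACL matching for the AT-9400 management access control list.

Added example, not code from the AT-S63 Management Software. It models the
three parts of an ACE described on this page (IP address, mask, application
type) and the guidelines that the ACL is disabled by default and holds at
most 256 ACEs. Assumptions: a mask bit of 1 selects an address bit that must
match; the application type names are chosen for this example; when the ACL
is enabled, a request that matches no ACE is refused.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_ACES = 256  # page guideline: a management ACL can have up to 256 ACEs
APP_TYPES = ("Telnet", "Web", "Ping", "All")  # assumed names for this example


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer; raises on bad input."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class ACE:
    """One access control entry: IP address, mask and application type."""
    address: str
    mask: str
    app: str

    def __post_init__(self) -> None:
        # Page guideline: an ACE must have an IP address and a mask.
        if not self.address or not self.mask:
            raise ValueError("an ACE must have an IP address and a mask")
        _to_int(self.address)  # validates the address format
        _to_int(self.mask)     # validates the mask format
        if self.app not in APP_TYPES:
            raise ValueError(f"unknown application type {self.app!r}")

    def matches(self, station: str, app: str) -> bool:
        """True if the station falls under this ACE for the given application."""
        mask = _to_int(self.mask)
        # Only the address bits selected by a 1 bit in the mask are compared,
        # so 255.255.255.255 matches one host and 255.255.255.0 a whole /24.
        if (_to_int(self.address) & mask) != (_to_int(station) & mask):
            return False
        return self.app == "All" or self.app == app


@dataclass
class ManagementACL:
    """A switch has one management ACL; the feature is disabled by default."""
    enabled: bool = False
    aces: List[ACE] = field(default_factory=list)

    def add(self, ace: ACE) -> None:
        if len(self.aces) >= MAX_ACES:
            raise ValueError(f"a management ACL can have at most {MAX_ACES} ACEs")
        self.aces.append(ace)

    def permits(self, station: str, app: str) -> bool:
        """Decide whether a management station may use the given application."""
        if not self.enabled:
            return True  # feature disabled: management access is not filtered
        return any(ace.matches(station, app) for ace in self.aces)


def example_acl() -> ManagementACL:
    """Build the ACL from this chapter's examples. The page does not show the
    application types of ACE #1 and ACE #2; "All" is assumed here."""
    acl = ManagementACL(enabled=True)
    acl.add(ACE("149.11.11.11", "255.255.255.255", "All"))  # ACE #1: one station
    acl.add(ACE("149.22.22.0", "255.255.255.0", "All"))     # ACE #2: a whole subnet
    acl.add(ACE("149.11.11.4", "255.255.255.255", "Ping"))  # ACE #3: ping only
    return acl


def evaluate(acl: ManagementACL, requests: List[Tuple[str, str]]) -> List[str]:
    """Return 'permit' or 'deny' for each (station, application) request."""
    return ["permit" if acl.permits(s, a) else "deny" for s, a in requests]


if __name__ == "__main__":
    # Constructed sample requests, not captured from a switch.
    sample = [("149.11.11.11", "Telnet"), ("149.22.22.77", "Web"),
              ("149.11.11.4", "Ping"), ("149.11.11.4", "Telnet"),
              ("10.0.0.5", "Web")]
    for (station, app), verdict in zip(sample, evaluate(example_acl(), sample)):
        print(f"{station:>14} {app:<7} {verdict}")
```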
Appendix A AT-S63 Management Software Default Settings This appendix lists the factory default settings for the AT-S63 Management Software. The features are listed in alphabetical order: “Address Resolution Protocol Cache” on page 465 “Boot Configuration File” on page 466 “BOOTP Relay Agent” on page 467 “Class of Service”...
Page 464
Appendix A: AT-S63 Management Software Default Settings “Telnet Server” on page 495 “Virtual Router Redundancy Protocol” on page 496 “VLANs” on page 497 “Web Server” on page 498...
Appendix A: AT-S63 Management Software Default Settings Boot Configuration File The following table lists the names of the default configuration files. Stand-alone Switch Stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module Boot Configuration File Default boot.cfg...
BOOTP Relay Agent The following table lists the default setting for the BOOTP relay agent. Status Hop Count 1. Hop count is not adjustable. BOOTP Relay Agent Setting AT-S63 Management Software Features Guide Default Disabled...
Class of Service
The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues.
IEEE 802.1p Priority Level: Port Priority Queue
Queues range from Q0 (lowest) to Q7 (highest).
Denial of Service Prevention Setting: Default
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Uplink Port: Highest numbered existing port
SYN Flood Defense: Disabled
Smurf Defense: Disabled
Land Defense: Disabled
Teardrop Defense: Disabled
Ping of Death Defense: ...
IP Options Defense: ...
802.1x Port-Based Network Access Control
The following table describes the 802.1x Port-based Network Access Control default settings.
Port Access Control
Authentication Method
Port Role
The following table lists the default settings for RADIUS accounting.
Page 471
The following table lists the default settings for a supplicant port.
Supplicant Port Setting: Auth Period; Held Period; Max Start; Start Period; User Name; User Password
Default column (as extracted from this page): Enabled; Both; Disabled; None; 30 seconds; 60 seconds...
Ethernet Protection Switching Ring (EPSR) Snooping
The following table lists the EPSR default setting.
EPSR Setting: Default
EPSR State: Disabled
Event Logs
The following table lists the default settings for both the permanent and temporary event logs.
Event Log Setting: Default
Status: Enabled
Full Log Action: Wrap
GVRP
This section provides the default settings for GVRP.
GVRP Setting: Default
Status: Disabled
GIP Status: Enabled
Join Timer: 20 centiseconds
Leave Timer: 60 centiseconds
Leave All Timer: 1000 centiseconds
Port Mode: Normal
Packet Routing Setting: Split Horizon with Poison Reverse; Autosummarization of Routes; Packet Routing
Default column (as extracted from this page): Enabled; None; 30 seconds; 180 seconds...
Note
The update and invalid timers are not adjustable. The switch does not support the IPv4 routing holddown and flush timers.
MAC Address-based Port Security
The following table lists the MAC address-based port security default settings.
MAC Address-based Port Security Setting: Default
Security Mode: Automatic (no security)
Intrusion Action: Discard
Participating:
MAC Limit: No Limit
MAC Address Table
The following table lists the default setting for the MAC address table.
MAC Address Table Setting: Default
MAC Address Aging Time: 300 seconds
Management Access Control List
The following table lists the default setting for the management access control list.
Management ACL Setting: Default
Status: Disabled
Public Key Infrastructure
The following table lists the PKI default settings, including the generate enrollment request settings.
PKI Setting: Switch Distinguished Name; Maximum Number of Certificates; Request Name; Key Pair ID; Format Type
Default column (as extracted from this page): None; None; PKCS10...
Port Settings
The following table lists the port configuration default settings.
Status; 10/100/1000Base-T Speed; Duplex Mode; MDI/MDI-X; Packet Filtering; Packet Rate Limiting; Override Priority; Head of Line Blocking Threshold; Back Pressure; Back Pressure Threshold...
The following table lists the RJ-45 serial terminal port default settings.
RJ-45 Serial Terminal Port Setting: Default
Data Bits:
Stop Bits:
Parity: None
Flow Control: None
Baud Rate: 9600 bps
The baud rate is the only adjustable parameter on the port.
Simple Network Management Protocol
The following table describes the SNMP default settings.
SNMP Status; Authentication Failure Trap Status
SNMP Communities Setting: Community Name; Community Name Status (public); Status (private); Open Status (public); Open Status (private)...
Simple Network Time Protocol
The following table lists the SNTP default settings.
SNTP Setting: Default
System Time: 00:00:00 on January 1, 1980
SNTP Status: Disabled
SNTP Server: 0.0.0.0
UTC Offset; Daylight Savings Time (DST); Poll Interval
Remaining Default column (as extracted from this page): Enabled...
Spanning Tree Protocols (STP, RSTP, and MSTP)
This section provides the default settings for the spanning tree protocols STP, RSTP, and MSTP.
Spanning Tree
The following table describes the Spanning Tree Protocol default settings for the switch.
MSTP Setting: Maximum Hops; Configuration Name; Revision Level; CIST Priority; Port Priority; Port Internal Path Cost; Port External Path Cost; Point-to-Point; Edge Port
Default column (as extracted from this page): Disabled; MSTP; null; Increment 8 (32768); Increment 8 (128); Auto Update...
Secure Shell Server
The following table lists the SSH default settings.
Status; Host Key ID; Server Key ID; Server Key Expiry Time; Login Timeout; SSH Port Number
The SSH port number is not adjustable.
Secure Sockets Layer
The following table lists the SSL default settings.
SSL Setting: Default
Maximum Number of Sessions:
Session Cache Timeout: 300 seconds
System Name, Administrator, and Comments Settings
The following table describes the IP default settings.
IP Setting: Default
System Name: None
Administrator: None
Comments: None
Telnet Server
The following table lists the Telnet server default settings.
Telnet Server Setting: Default
Telnet Server: Enabled
Telnet Port Number: ...
NULL Character: ...
The Telnet port number is not adjustable.
Web Server
The following table lists the web server default settings.
Web Server Configuration Setting: Default
Status: Enabled
Operating Mode: HTTP
HTTP Port Number: ...
HTTPS Port Number: ...
Appendix B
SNMPv3 Configuration Examples
This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol. It includes the following sections:
“SNMPv3 Manager Configuration” on page 500
“SNMPv3 Operator Configuration”...
Appendix B: SNMPv3 Configuration Examples
In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 21, “SNMPv3” on page 219.
SNMPv3 Manager Configuration
This section provides a sample configuration for a Manager with a User Name of systemadmin24.
SNMPv3 Operator Configuration
...Operator and not an SNMP host, you do not need to configure message notification for this user.
Configure SNMPv3 User Table Menu
User Name: nikoeng73
Authentication Protocol: MD5
Privacy Protocol: None
Storage Type: NonVolatile
Configure SNMPv3 View Table Menu
Configure SNMPv3 Access Table
SNMPv3 Worksheet
This section supplies a table that you can use as a worksheet when configuring SNMPv3. Each SNMPv3 Table is listed with its associated parameters.
SNMPv3 User Table: User Name; Authentication Protocol; Authentication Password...
Page 503
SNMPv3 Parameters (Continued)
Security Model; Security Level; Read View Name; Write View Name; Notify View Name; Storage Type
SNMPv3 SecurityToGroup Table: User Name; Security Model; Group Name; Storage Type
SNMPv3 Notify Table: Notify Name; Notify Tag...
Appendix C
Features and Standards
This appendix lists the features and standards of the AT-9400 Switch. Sections include:
“10/100/1000Base-T Twisted Pair Ports” on page 506
“Denial of Service Defenses” on page 506
“Fiber Optic Ports (AT-9408LC/SP Switch)” on page 507
“File System”...
Appendix C: Features and Standards
10/100/1000Base-T Twisted Pair Ports: IEEE 802.1d; IEEE 802.3; IEEE 802.3u; IEEE 802.3ab; IEEE 802.3u; IEEE 802.3x; IEEE 802.3z
Denial of Service Defenses: Smurf; SYN Flood; Teardrop; Land; IP Option; Ping of Death
Ethernet Protection Switching Ring Snooping...
Port Security: IEEE 802.1x; RFC 2865; RFC 2866
Port Trunking and Mirroring: IEEE 802.3ad
Spanning Tree Protocols: IEEE 802.1D; IEEE 802.1w; IEEE 802.1s
System Monitoring: RFC 3195
Port-based Network Access Control: Supports multiple supplicants per port and the following authentication methods: EAP-MD5...
Switch. Sections in the appendix include:
The Allied Telesis MIB files for the AT-9400 Switch are:
The MIB files are available from the Allied Telesis web site. Objects in the private MIBs have the prefix “1.3.6.1.4.1.207.”
“Access Control Lists” on page 514
“Class of Service”...
Appendix D: MIB Objects
Management Access Control List
Table 46. Management Access Control List Status (AtiStackSwitch MIB)
Object Name: Object Identifier
atiStkSwSysMgmtACLGroup: 1.3.6.1.4.1.207.8.17.1.7
atiStkSwSysMgmtACLStatus: 1.3.6.1.4.1.207.8.17.1.7.1
Table 47. Management Access Control List Entries (AtiStackSwitch MIB)
Object Name: Object Identifier
atiStkSwSysMgmtACLConfigTable: 1.3.6.1.4.1.207.8.17.1.7.2
atiStkSwSysMgmtACLConfigEntry: ...
atiStkSwSysMgmtACLConfigModuleId: ...
atiStkSwSysMgmtACLConfigId: ...
atiStkSwSysMgmtACLConfigIpAddr: ...
atiStkSwSysMgmtACLConfigMask: ...
atiStkSwSysMgmtACLConfigApplication: ...
atiStkSwSysMgmtACLConfigRowStatus: ...
VLANs
The objects in Table 58 display the specifications of the Default_VLAN.
Table 58. VLAN Table (AtiStackSwitch MIB)
Object Name: atiStkSwVlanConfigTable; atiStkSwVlanConfigEntry; atiStkSwVlanId; atiStkSwVlanName; atiStkSwVlanTaggedPortListModule1; atiStkSwVlanUntaggedPortListModule1; atiStkSwVlanConfigEntryStatus; atiStkSwVlanActualUntaggedPortListModule1
The objects in Table 59 display the names and VIDs of all the VLANs on a switch, but not the VLAN ports.
465 adminkey parameter in aggregate trunks 107 aggregate trunk 105 aggregator 105 aging time, MAC address table 95, 479 associations 255 AT-S63 Management Software default settings 463 described 36 AT-StackXG Stacking Module 63 authentication protocols 449 See also RADIUS, TACACS+...
Page 534
CoS. See Class of Service (CoS) CRL. See certificate revocation list (CRL) default route described 334 examples 350, 353 default settings, AT-S63 Management Software 463 denial of service defenses default settings 469 described 179 guidelines 188 IP options attack 186...
Page 535
82, 345 local management session 43 locked port security mode 376 MAC address table 94 MAC address-based port security default settings 478 described 375 guidelines 378 intrusion actions 377 levels 375 MAC address-based VLANs...
Page 536
Index regions 257 revision number 257 with STP and RSTP 260 multiple VLAN modes 297 non-802.1Q compliant VLAN mode 300 none port role 384 nonvolatile storage, described 226 operator accounts, default settings 481 password, default 45 path cost 239 permit access control lists 137 ping of death attack 185 PKI.
Page 537
SNMPv3 Community Table, described 231 SNMPv3 Engine ID, defined 222 SNMPv3 entities 221 SNMPv3 Notify Table, described 231 SNMPv3 protocol authentication protocols 222 Configure SNMPv3 Community Table 231 Engine ID 222 message notification 227 MIB views 224 overview 221...
Page 538
Index supported platforms 448 tagged ports 280 tagged VLANs default settings 497 described 279 example 281 guidelines 280 supported platforms 270 TCP destination ports in classifiers 133 TCP flags in classifiers 133 TCP source ports in classifiers 133 teardrop attack 184 Telnet management sessions 43 Telnet server 43 default settings 495...