Ir para a página of
Manuais similares
-
Switch
Allied Telesis XEM-12S
31 páginas 1.49 mb -
Switch
Allied Telesis AT AT-GS900/24
2 páginas 0.3 mb -
Switch
Allied Telesis AT-8000C
1 páginas 0.03 mb -
Switch
Allied Telesis G6f
11 páginas 0.31 mb -
Switch
Allied Telesis AT 9924SP AT-9924SP-30 AT-9924SP-30
56 páginas 0.5 mb -
Switch
Allied Telesis AT GS900/8POE
52 páginas 0.26 mb -
Switch
Allied Telesis AT-SBXPWRSYS1
222 páginas 5.18 mb -
Switch
Allied Telesis XEM-1XP
31 páginas 1.49 mb
Bom manual de uso
As regras impõem ao revendedor a obrigação de fornecer ao comprador o manual com o produto Allied Telesis AT-S63. A falta de manual ou informações incorretas fornecidas ao consumidor são a base de uma queixa por não conformidade do produto com o contrato. De acordo com a lei, pode anexar o manual em uma outra forma de que em papel, o que é frequentemente utilizado, anexando uma forma gráfica ou manual electrónicoAllied Telesis AT-S63 vídeos instrutivos para os usuários. A condição é uma forma legível e compreensível.
O que é a instrução?
A palavra vem do latim "Instructio" ou instruir. Portanto, no manual Allied Telesis AT-S63 você pode encontrar uma descrição das fases do processo. O objetivo do manual é instruir, facilitar o arranque, a utilização do equipamento ou a execução de determinadas tarefas. O manual é uma coleção de informações sobre o objeto / serviço, um guia.
Infelizmente, pequenos usuários tomam o tempo para ler o manual Allied Telesis AT-S63, e um bom manual não só permite conhecer uma série de funcionalidades adicionais do dispositivo, mas evita a formação da maioria das falhas.
Então, o que deve conter o manual perfeito?
Primeiro, o manual Allied Telesis AT-S63 deve conte:
- dados técnicos do dispositivo Allied Telesis AT-S63
- nome do fabricante e ano de fabricação do dispositivo Allied Telesis AT-S63
- instruções de utilização, regulação e manutenção do dispositivo Allied Telesis AT-S63
- sinais de segurança e certificados que comprovam a conformidade com as normas pertinentes
Por que você não ler manuais?
Normalmente, isso é devido à falta de tempo e à certeza quanto à funcionalidade específica do dispositivo adquirido. Infelizmente, a mesma ligação e o arranque Allied Telesis AT-S63 não são suficientes. O manual contém uma série de orientações sobre funcionalidades específicas, a segurança, os métodos de manutenção (mesmo sobre produtos que devem ser usados), possíveis defeitos Allied Telesis AT-S63 e formas de resolver problemas comuns durante o uso. No final, no manual podemos encontrar as coordenadas do serviço Allied Telesis na ausência da eficácia das soluções propostas. Atualmente, muito apreciados são manuais na forma de animações interessantes e vídeos de instrução que de uma forma melhor do que o o folheto falam ao usuário. Este tipo de manual é a chance que o usuário percorrer todo o vídeo instrutivo, sem ignorar especificações e descrições técnicas complicadas Allied Telesis AT-S63, como para a versão papel.
Por que ler manuais?
Primeiro de tudo, contem a resposta sobre a construção, as possibilidades do dispositivo Allied Telesis AT-S63, uso dos acessórios individuais e uma gama de informações para desfrutar plenamente todos os recursos e facilidades.
Após a compra bem sucedida de um equipamento / dispositivo, é bom ter um momento para se familiarizar com cada parte do manual Allied Telesis AT-S63. Atualmente, são cuidadosamente preparados e traduzidos para sejam não só compreensíveis para os usuários, mas para cumprir a sua função básica de informação
Índice do manual
-
Página 1
613-001022 Rev. C Management Software AT-S63 ◆ Features Guide For Stand-alone AT-9400 Switches and AT-9400Ts Stacks AT-S63 Version 2.2.0 for AT -9400 Layer 2+ Switches AT-S63 Version 4.1.0 for AT-9 400 Basic Layer 3 Switches[...]
-
Página 2
Copyright 2009 Allied Telesis, Inc. All rights reserved. No part o f this pub lication may be repro duced without prior wr itten permission from Al lied Telesis, Inc. Allied Telesis and the Allied Telesis logo are trad emarks of Allied Telesis, Incorporated . Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Al[...]
-
Página 3
3 Preface ........ ............. ................ ............. ............. ................ ............. ................ ............. ...... ....................... ...... 21 How This Guide is Organized .............. ................ ................ ............. ................ ................ ......... .... ............. ...... 22 Produ[...]
-
Página 4
Contents 4 Chapter 2: AT-9400Ts Stac ks ................ ............. ................ ............. ............. ................ ............. ................ ... 63 Supported Platform s ..... ................ ............. ............. ................ ............. ................ ............. ... ....................... ...... 64 Introdu[...]
-
Página 5
AT-S63 Management Software Features Guide 5 Load Distribution Methods ......... ... .... ............. ... ... ... ... .... ... ... ... .... ... ... ... .... ... ............. ... ... ... .... .. ....... ................ . 112 Guidelines ............ ................ ............. ................ ............. ................ ............. ......[...]
-
Página 6
Contents 6 Replacing Priorities ................ .... ............. ... ... ... .... ... ... ... ............. ... .... ... ... ... .... ... ............. ... ...... ................ ........ 176 VLAN Tag User Priorities ........... ... ... ... .... ... ... ... .... ... ............. ... ... ... .... ... ... ... .... ... ... ............. ... .. ..[...]
-
Página 7
AT-S63 Management Software Features Guide 7 Chapter 23: Et hernet Pr otection Switch ing Ring Snoopin g ............. ................ ............. ................ .......... 243 Supported Platform s ............ ................ ............. ................ ............. ................ ............. ......... ................. .......... 244[...]
-
Página 8
Contents 8 Associating VLANs to MSTIs ........ ... ............. ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ............ .... ... ... ... ... ....... ............. . 305 Connecting VLANs Across Different Regions ............................ ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ...... .......... . [...]
-
Página 9
AT-S63 Management Software Features Guide 9 Section VII: Internet Protoc ol Routing .......... ........................................ ............... 361 Chapter 32: Internet Protoc ol Version 4 Packet Routing ........... ................ ............. ................ ............. .... 363 Supported Platform s ............ ................ ....[...]
-
Página 10
Contents 10 Section VIII: Port Security ................... .............................................. .................... 413 Chapter 35: MAC Address-ba sed Port Security ......... ............. ................. ............ ............. ................ ........ 415 Supported Platform s ..... ................ ............. ............. ..[...]
-
Página 11
AT-S63 Management Software Features Guide 11 Chapter 39: PKI Certific ates and SSL ............. ................ ............. ................ ............. ................ ............. .... 463 Supported Platform s ............ ................ ............. ................ ............. ................ ............. ......... ..............[...]
-
Página 12
Contents 12 Internet Protocol Version 4 Pack et Routing ......... ... ... ... ............. ... .... ... ... ............. ... ... .... ... ............. .. ....... ........ 519 Link-flap Protection .......... ... ... .... ............. ... ... ... .... ... ... ... ... .... ... ............. ... ... .... ... ... ... ... .... ... ...... ............[...]
-
Página 13
AT-S63 Management Software Features Guide 13 Appendix D: MIB Objects .............. ............. ................ ............. ................ ................ ............. ................ ....... 557 Access Control Lists ............... ............. ................ ................ ............. ................ ................ .. ........[...]
-
Página 14
Contents 14[...]
-
Página 15
15 Figure 1: AT-StackXG Stacking Modul e . ............ .......................................... .................................... ... ............ .............. ....... 67 Figure 2: Duplex-chain Topology .................. .............. ............ .............. .............. .............. .......... ....................... ............[...]
-
Página 16
Figures 16 Figure 51: Example of a Tagged VLAN ............. .............. .............. ........... .............. .............. ............ ........................ ..........323 Figure 52: GVRP Example..... .............. ........... .............. ........... .............. ........... ........... ............. ..................... .......[...]
-
Página 17
17 Table 1: Basic Operations ................ ........... .............. .............. ............ .............. ........... ......... ..... ........... ........... .............. .....34 Table 2: Advanced Operations .... .............. ........ ........... ........... ............ ........... .............. ........... .. .... ........... .....[...]
-
Página 18
Tables 18 Table 50: Default Mappings of IEEE 802.1p Priority Levels to Priority Queues ............ ............................ .......... ............. 160 Table 51: Customized Mappings of IEEE 802.1 p Pri ority Leve ls to Priority Queues ......................... ........... ........... ...... ... 160 Table 52: Example of Weighted Round Robin Pr[...]
-
Página 19
AT-S63 Management Software Features Guide 19 Table 110: Support for 802.1x Port-based Network Access Control ...................... ........... ............ .............. .... ............. .....422 Table 111: Management Interfaces for 802.1x Port-based Ne twork Access Contro l ........... ............................ .......... .. .....422 Table [...]
-
Página 20
Tables 20[...]
-
Página 21
21 Pr eface This guide describes the feature s of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software. This preface contains the f ollowing sections: “How This Guide is Organized” on p age 22 “Product Documenta tion” on p age 25 “Where to Go First” on p age 26 “S tarting [...]
-
Página 22
Preface 22 How This Guide is Organized This guide has the followi ng sections and chapters: Section I: Basic Operations Chapter 1, “Overview” on p age 33 Chapter 2, “A T-9400T s S tacks” on p age 63 Chapter 3, “Enhanced S tacking” on p age 81 Chapter 4, “SNMPv1 and SNMPv2c” on p age 91 Chapter 5, “MAC Address T able” on p ag[...]
-
Página 23
AT-S63 Management Software Features Guide 23 Chapter 23, “Ethernet Protection Switching Ring Sno oping” on p age 243 Section IV : SNMPv3 Chapter 24, “SNMPv3” on pa ge 253 Section V : S panning T ree Protoco ls Chapter 25, “S panning T ree and Rapid S p anning T ree Protocols” on page 269 Chapter 26, “Multiple S panning T ree P[...]
-
Página 24
Preface 24 Appendix B, “SNMPv3 Configurat ion Examples” on p age 543 Appendix C, “Features and S tandards” o n page 549 Appendix D, “MIB Objects” on p age 557[...]
-
Página 25
AT-S63 Management Software Features Guide 25 Product Documentation For overview information on the fe atures of the AT-9400 Switches and th e AT-S63 Management Software, refer to: A T -S63 Management Software Features Guide (PN 613-001022) For instructions on how to start a local or remote manage men t session on stand-alone AT-9400 Switches or[...]
-
Página 26
Preface 26 Where to Go First Allied Telesis recommends that you read Chapter 1, “Ove rview” on page 33 in this guide before you begin to m ana ge the switch for the first time. There you will find a variety of basic information about the u nit and the management software, like the two levels of ma nager access levels and the different types of [...]
-
Página 27
AT-S63 Management Software Features Guide 27 Starting a Management Session For instructions on how to start a local or remote manage men t session on the AT-9400 Switch, refer to the Startin g an AT-S63 Management Session Guide .[...]
-
Página 28
Preface 28 Document Conventions This document uses the following conventions: Note Notes provide additional informatio n. Caution Cautions inform you t hat performing or omitting a specific action may result in equipment damage or loss of data. Warning Warnings inform you that performing or omitting a sp ecific action may result in bodily injury.[...]
-
Página 29
AT-S63 Management Software Features Guide 29 Contacting Allied Telesis This section provides Allied Telesis contact information for technica l support and for sales and corporate information. Online Support You can request technical support onli ne by accessing the Allied Telesis Knowledge Base: www.alliedtel esis.com/support/kb.aspx . You can use [...]
-
Página 30
Preface 30[...]
-
Página 31
Section I: Basic Operations 31 Section I Basic Operations The chapters in this section contain backg round information on basic switch features. The chapters include: Chapter 1, “Overview” on p age 33 Chapter 2, “A T-9400T s S tacks” on page 6 3 Chapter 3, ”Enhanced S tacking” on p age 81 Chapter 4, ”SNMPv1 and SNMPv2c[...]
-
Página 32
32 Section I: Basic Op erations[...]
-
Página 33
33 Chapter 1 Overview This chapter has the following sections: “Layer 2+ and Basic Layer 3 Switches” on p age 34 “A T-S63 Management Software” on p age 40 “Management Interfaces” on p age 41 “Management Access Methods” o n page 47 “Manager Access Levels” o n page 49 “Installation and Management Configu [...]
-
Página 34
Chapter 1: Ove rview 34 Layer 2+ and Basic Layer 3 Switches The switches in the AT-9400 Gigabit Ethernet Series a re divided into two groups: Layer 2+ Switches — AT-9408LC/SP — AT-9424T/GB — AT-9424T/SP Basic Layer 3 Switches — AT-9424T — AT-9424T/POE — AT-9424Ts — AT-9424Ts/XP — AT-9448T/SP — AT-9448Ts/XP Although the swi[...]
-
Página 35
AT-S63 Management Software Features Guide 35 Multiple manager sessions YYYYYY Y T C P / I P p i n g s YYYYYYYYY Y Enhanced stacking YYYYYYYYY Simple Network T ime Protocol (SNTP) YYYYYYYYY SNMPv1 and SNMPv2 YYYYYYYYY Y P a c k e t f i l t e r i n g YYYYYYYYY Y P a c k e t r a t e l i m i t i n g YYYYYYYYY Y P o r t s t a t i s t i c s YYYYYYYYY Y S[...]
-
Página 36
Chapter 1: Ove rview 36 C l a s s o f S e r v i c e YYYYYYYYY Y Q u a l i t y o f S e r v i c e YYYYYYYYY Y G r o u p l i n k c o n t r o l YYYYYY Y Denial of service defenses YYYYYYYYY Power over Ethernet Y 1. The only accessible file system in a st ack is the one on the master switch. 2. The only active event logs in a stack are the ones on the m[...]
-
Página 37
AT-S63 Management Software Features Guide 37 T able 4. SNMPv3 Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24T s 24XP 48SP 48XP S tack S N M P v 3 YYYYYYYYY Y T able 5. S panning T ree Protoco ls Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24T s 24XP 48SP 48XP S tack S panning T ree Protocol (STP) YYYY[...]
-
Página 38
Chapter 1: Ove rview 38 GARP VLAN Registration Protocol YYYYYYYYY Protected ports VLANs YYYYYYYYY MAC address-based VLANs YYYYYY T able 6. V irtual LANs Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24T s 24XP 48SP 48XP S tack T able 7. Internet Protocol Routing Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T P[...]
-
Página 39
AT-S63 Management Software Features Guide 39 T able 8. Port Security Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24T s 24XP 48SP 48XP S tack MAC address-based port security YYYYYYYYY Y 802.1x port-based network access control us ing RADIUS protocol YYYYYYYYY Y T able 9. Management Security Layer 2+ Switches Basic Layer 3 Swi[...]
-
Página 40
Chapter 1: Ove rview 40 AT-S63 Management Software The AT-9400 Switch is managed with the AT-S63 Management So ftware. The software comes preinstalled on the u nit with default settings for all the operating parameters of the switch. If th e default settings are ad equate for your network, you can use t he switch as an unmanaged unit. Note The defa[...]
-
Página 41
AT-S63 Management Software Features Guide 41 Management Interfaces The AT-S63 Management Software has four manageme nt interfaces: S tandard command line AlliedW are Plus comma nd line Menus Web browser windo ws As shown in Table 10, the standard command line and the web browse r windows are supported on all of th e possible platfor[...]
-
Página 42
Chapter 1: Ove rview 42 In other cases, a management interface might support only part of a function. For example, you can set a switch or stack’s name, contact or location with any of the manage ment interfaces, except for the AlliedWare Plus commands, which only lets you set the name. The following tables list the features you ca n configure fr[...]
-
Página 43
AT-S63 Management Software Features Guide 43 Baud rate of the T erminal Po rt Y Y Y Y Y Management console timer Y Y Y Y Y T e l n e t s e r v e r YYY YY Console startup mode Y Y Y 1. Y ou can use the AlliedWare Plus command line to set the name of the switch or stack, but not the contact or location. T able 1 1. Management Interfaces for Basic Ope[...]
-
Página 44
Chapter 1: Ove rview 44 4. Y ou cannot uplo ad or download files to a compact flash card with the web browser windows. Also, that interface does not support switch-to-switch uploa ds. 5. Y ou cannot uplo ad or download files to a compact flash card with the web browser interface . 6. Y ou can not modify the event lo g full action from the web brows[...]
-
Página 45
AT-S63 Management Software Features Guide 45 Multiple S panning T ree Protocol (MSTP) YYYY T able 15. Management Interfaces for S panning T ree Protocols S tand-alone Switches S tacks SCL ACL M WB SCL ACL WB T able 16. Management Interfaces for Virtua l LANs S tand-alone Switches S tacks SCL ACL M WB SCL ACL WB Port-based and t agged VLANs YYYYYYY [...]
-
Página 46
Chapter 1: Ove rview 46 T able 18. Management Interfaces for Po rt Security S tand-alone Switches S tacks SCL ACL M WB SCL ACL WB M A C a d d r e s s - b a s e d p o r t s e c u r i t y YYYYYY 802.1x port-based network access control YYYYYYY T able 19. Management Interfaces for Management Security S tand-alone Switches S tacks SCL ACL M WB SCL ACL [...]
-
Página 47
AT-S63 Management Software Features Guide 47 Management Access Methods You can access the AT-S63 Manageme nt Software on a switch several ways: Local session Remote T elnet session Remote Secure Shell (SSH) session Remote web browser (HTTP or HTTPS) sessio n Remote SNMP session Local Management Sessions To establish a local mana[...]
-
Página 48
Chapter 1: Ove rview 48 Remote Secure Shell (SSH) Sessions The AT-S63 Management Softwa re also has a Secure Shell (SSH) se rver for remote management from SSH clients o n your network. An SSH management session is similar to a Telnet management sessio n except it uses encryption to protect the session from snoopin g. Here are the management interf[...]
-
Página 49
AT-S63 Management Software Features Guide 49 Manager Access Levels The AT-S63 Management Software has two manager access levels of manager and operator. The manager access level lets you view and configure the operating parame ters, while the ope rator access level lets you only view the parameters settings. You log in by entering the appropri ate [...]
-
Página 50
Chapter 1: Ove rview 50 Installation and Management Configurations The AT-9400 Switches can be installed in three con figurations. Stand-alone Switches All the A T-9400 Switches can be inst alled as managed or unmanaged, stand-alone Gig abit Eth ernet switches. AT-9400Ts Stacks The AT-9424Ts, AT-9424Ts/XP and AT-9448T s/XP Switches can be installed[...]
-
Página 51
AT-S63 Management Software Features Guide 51 IP Configuration Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your netwo rk, like a Simple Network Network Time Protocol server for setting its date and time, or a TF TP server for [...]
-
Página 52
Chapter 1: Ove rview 52 Configuration Files Stand-alone switches and stacks store their paramet er settings in configuration files in their file systems. The devices use these files to configure their parameter settings whenever they initialize their management software, such as when you power on or reset the units. The switches do not update the f[...]
-
Página 53
AT-S63 Management Software Features Guide 53 Redundant Twisted Pair Ports Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are paired together. The twisted pair ports are identified with the letter “R” for “Redundant” as part of their n umber on the front facep late of the unit. The switch models with paired ports[...]
-
Página 54
Chapter 1: Ove rview 54 Note These guidelines do not apply to the SFP slots on the AT-9408LC/SP Switch and the XFP slots on the A T-9424T s/XP and AT-9448Ts/XP Switches.[...]
-
Página 55
AT-S63 Management Software Features Guide 55 History of New Features The following sections outline the history of new features in the AT-S63 Management Software. Version 4.1.0 AlliedWare Plus™ Command Line: This version includes new AlliedW are Plus comma nds. Group Link Control: This featu re is used to group the lin k states of ports o[...]
-
Página 56
Chapter 1: Ove rview 56 already familiar with the commands in the Allied W are Plus operating system, you may find this new interface more convenient to use than the standard command line . Some of the manageme nt functions you can perform with this new interface are: — Configure port parameters, such as Auto-Negotiation, speed, and duplex mode ?[...]
-
Página 57
AT-S63 Management Software Features Guide 57 Note The new MODULE parameter can only be used on stacks that already have Version 4.0.0 or later. To update member switches th at have versions earlier than 4.0.0, you have to disconnect them from the stack and update them as stand-alone un its. The 802.1x port-based network access control featur e [...]
-
Página 58
Chapter 1: Ove rview 58 Version 3.0.0 Table 21 lists the new features in version 3.0.0 of the AT-S63 Management Software. T able 21. New Features in A T-S63 V ersion 3.0.0 Feature Change S tacking with the A T-S t ackXG S tacking Module New feature. For information, refer to Chapter 1, Overview in the AT-S63 Stack Command Line Interface User’s Gu[...]
-
Página 59
AT-S63 Management Software Features Guide 59 Version 2.1.0 Table 22 lists the new features in version 2.1.0. Version 2.0.0 Table 23 lists the new feature in version 2.0.0 of the AT-S63 Manageme nt Software. T able 22. New Features in A T-S63 V ersion 2.1.0 Feature Change Internet Protocol version 4 p acket routing Added the following new features: [...]
-
Página 60
Chapter 1: Ove rview 60 Version 1.3.0 Table 24 lists the new features in version 1.3.0 of the AT-S63 Management Software. T able 24. New Features in A T-S63 V ersion 1.3.0 Feature Change 802.1x Port-based Network Access Control Added the following new features: Guest VLAN. For background information, see “Guest VLAN” on page 438. VLAN A[...]
-
Página 61
AT-S63 Management Software Features Guide 61 Version 1.2.0 Table 25 lists the new features in version 1.2.0. T able 25. New Features in A T-S63 V ersion 1.2.0 Feature Change MAC Address T able Added the following new parameters to the CL I commands for displaying and deleting specific types of MAC addresses in the MAC address table : ST A TIC, [...]
-
Página 62
Chapter 1: Ove rview 62 802.1x Port-based Network Access Control Added a new parameter to authenticator ports: Supplicant Mode for supporting multiple supplican t accounts on an authenticator port. For background information, see “Authenticator Ports with Single and Mult iple Supplicants” on p age 429. T able 25. New Features in A T-S63 V e[...]
-
Página 63
63 Chapter 2 A T-9400T s S tacks This chapter has the following sections: “Supported Platforms” on p age 64 “Introduction” on p age 65 “A T-S63 Management Software” on p age 66 “Supported Models” on p age 66 “A T-S t ackXG S tacking Module” o n page 67 “Maximum Number of Switches in a S tack” on p age[...]
-
Página 64
Chapter 2: AT-9400 Ts Stacks 64 Section I: Basic Op erations Supported Platforms Table 26 and Table 27 list the AT-9400 Switches and the management interfaces that support AT-9400Ts Sta cks. T able 26. Support for AT-9400Ts Stacks Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB A T-9424T/SP Basic Layer 3 Models A T-9424T A T-9424T/POE A[...]
-
Página 65
AT-S63 Management Software Features Guide Section I: Basic Operat ions 65 Introduction The switches in the AT-9400 Series are d ivided into the Layer 2+ group and the Basic Layer 3 group. The two groups share many of the same features, but there are a number of sig nificant differences. For instance , the Internet Protocol version 4 packet routing [...]
-
Página 66
Chapter 2: AT-9400 Ts Stacks 66 Section I: Basic Op erations AT-S63 Management Software Stacking requires Version 3.0.0 or later of the AT -S63 Management Software. Note Version 3.0.0 is only supported on the AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, and AT-944 8Ts/XP Basic Layer 3 Switches. Do not install it on the AT-94 08LC/S[...]
-
Página 67
AT-S63 Management Software Features Guide Section I: Basic Operat ions 67 AT-StackXG Stacking Module To be part of a stack, the AT-9400Ts Switch mu st have the AT-StackXG Stacking Module, shown in Figure 1. You install the module in the switch’s expansion slot on the back panel. The installation instructio ns are provided in the AT-9400Ts Stack I[...]
-
Página 68
Chapter 2: AT-9400 Ts Stacks 68 Section I: Basic Op erations Maximum Number of Switches in a Stack Stacks of the 24-port AT-9424Ts Switch or the AT-9424Ts/ XP Switch can have up to eight units. A stack can have both models and either model can be the master switch of the stack. Allied Telesis does not recomm end using the 4 8-port AT-9448Ts/XP Swit[...]
-
Página 69
AT-S63 Management Software Features Guide Section I: Basic Operat ions 69 Enhanced Stacking If you have prior experience with Allied Tele sis products, you might already be familiar with a feature that happens to have a similar name to the feature discussed in this chapter. The feature is enhanced stacking and what it allows you to do is mana ge th[...]
-
Página 70
Chapter 2: AT-9400 Ts Stacks 70 Section I: Basic Op erations Stack Topology The switches of an AT-9400Ts Sta ck are cabled with the AT-StackXG Stacking Module and its two full-duplex, 12-Gbps stacking ports. There are two supported topologies. The first to pology is the duplex-chain topology, where a port on one stacking module is connected to a po[...]
-
Página 71
AT-S63 Management Software Features Guide Section I: Basic Operat ions 71 Figure 3. Duplex-ring Topology Both topologies offer the same in terms of network sp eed and performance. But the duplex-ring t opology adds redundanc y by providing a secondary path through the stacking mod ules. This can protect a stack against the failure of a stacking por[...]
-
Página 72
Chapter 2: AT-9400 Ts Stacks 72 Section I: Basic Op erations Discovery Process When the switches of a stack are powered on or reset, they synchronize their operating software in a two phase process before they begin to forward network traffic through their ports. In the first phase the switches init ialize their AT-S63 Management Software. It takes[...]
-
Página 73
AT-S63 Management Software Features Guide Section I: Basic Operat ions 73 Master and Member Switches The activities of the de vices of a stack are coord inated by a master switch. There can be only one master switch, but it can be any unit in a stack. The master switch is assigned module ID 1, as explained in “Module ID Numbers” on page 74. Thi[...]
-
Página 74
Chapter 2: AT-9400 Ts Stacks 74 Section I: Basic Op erations Module ID Numbers The switches of a stack are identified by module ID number s. Each switch must have it own unique number. The ra nge is 1 to 8. The switches assigned the module ID numbers 1 and 2 be come the master switch and the backup master switch of a stack, re spectively. The comma[...]
-
Página 75
AT-S63 Management Software Features Guide Section I: Basic Operat ions 75 Stack Configuration Files The parameter settings of a stack are stored in the a ctive configuration file in the master switch’s file system. The ma ster switch restores the parameter settings in the file to the switches whenever the stack perfo rms the discovery process, su[...]
-
Página 76
Chapter 2: AT-9400 Ts Stacks 76 Section I: Basic Op erations If the switch determines that it s ID numb er is set to ST A TIC with the value 1, then it knows that it’ s the master switch of the st ack and th at it is responsible for maint aining the ST ACK.CFG file for the entire st ack. If the switch determines that it s ID numb er is se[...]
-
Página 77
AT-S63 Management Software Features Guide Section I: Basic Operat ions 77 MAC Address Tables The MAC address tables of the switches in a stack are a ll the same. This is because the switches share their MAC addresse s as they learn them. When a switch learns a new address on a po rt, it stores the address in its MAC address table and sends the addr[...]
-
Página 78
Chapter 2: AT-9400 Ts Stacks 78 Section I: Basic Op erations Stack IP Address If you do not intend to use the pa cket routing feature, you must still a ssign one routing interface to the stack if it will be performing any of the following management functions: Remote T elnet or web browser management Sending event messages to a syslog serve[...]
-
Página 79
AT-S63 Management Software Features Guide Section I: Basic Operat ions 79 Upgrading the AT-S63 Management Software The AT-9400 Switch must have Version 3.0.0 or later of the AT-S63 Management Software to be a memb er of a stack. To update the management software on an existing stack for versions after Version 3.0.0, you must di sconnect the stackin[...]
-
Página 80
Chapter 2: AT-9400 Ts Stacks 80 Section I: Basic Op erations[...]
-
Página 81
Section I: Basic Operations 81 Chapter 3 Enhanced S tacking This chapter contains the following sections: “Supported Platforms” on p age 82 “Overview” on page 83 “Master and Slave Switches” on p age 84 “Common VLAN” on p age 85 “Master Switch and the Local Interface ” on page 86 “Slave Switches” on pa[...]
-
Página 82
Chapter 3: En hanced Stacking 82 Section I: Basic Op erations Supported Platforms Table 29 and Table 30 list the AT-9400 Switches and the management interfaces that support enhance d stacking. T able 29. Support for Enhanced Stacking Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Models A T-942[...]
-
Página 83
AT-S63 Management Software Features Guide Section I: Basic Operat ions 83 Overview Having to manage a large numb er of network devices typically involves starting a separate management session o n each devic e. This usually means having to end one management session in order to start a new session on another unit. The enhanced stacking f eature can[...]
-
Página 84
Chapter 3: En hanced Stacking 84 Section I: Basic Op erations Master and Slave Switches An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a ma ster switch, you can redirect the session to any o f the other swi[...]
-
Página 85
AT-S63 Management Software Features Guide Section I: Basic Operat ions 85 Common VLAN A master switch searches for the oth er switches in an enhanced stack by sending out a broadcast packet out a local subnet. (The designation of this subnet is explained in “Master Switch and t he Local Interface,” next.) Since a broadcast packet cannot cross a[...]
-
Página 86
Chapter 3: En hanced Stacking 86 Section I: Basic Op erations Master Switch and the Local Interface Before a switch can function a s the master switch of an enhanced stack, it needs to know which subnet is acti ng as the common subnet among the switches in the stack. It uses that in formation to know which subn et to send out its broadcast packets [...]
-
Página 87
AT-S63 Management Software Features Guide Section I: Basic Operat ions 87 Slave Switches The slave switches of an enhanced stac k must be connected to the master switch through a common VLAN. A slave switch ca n be connected indirectly to the master switch so long as the re is an uninterrupted path of the common VLAN from the slave switch to the ma[...]
-
Página 88
Chapter 3: En hanced Stacking 88 Section I: Basic Op erations Enhanced Stacking Compatibility This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8400 Series and AT-8500 Series Switches. As such, an enhanced stack can consist of various switch models, though the fo llowing issues [...]
-
Página 89
AT-S63 Management Software Features Guide Section I: Basic Operat ions 89 Enhanced Stacking Guidelines Here are the guidelines to using the enhanced stacking featu re: There can be up to 24 switches in an enhanced st ack. The switches in an enhanced sta ck must be connected with a common port-based or t agged VLAN. The VLAN must have the sa[...]
-
Página 90
Chapter 3: En hanced Stacking 90 Section I: Basic Op erations General Steps Here are the basic steps to imp lementing the enhanced stacking feature on the AT-9400 Switches in your network: 1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesis switch that supports th is feature. In a stack with differen[...]
-
Página 91
Section I: Basic Operations 91 Chapter 4 SNMPv1 and SNMPv2c This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch. Sections in the chapter include: “Supported Platforms” on p age 92 “Overview” on page 93 “Community S tring Attributes” on page 94 “Default SNMP Community S trings?[...]
-
Página 92
Chapter 4: SNMPv1 a nd SNMPv2c 92 Section I: Basic Op erations Supported Platforms Refer to Table 31 and Table 32 for the AT-9400 Switches and the management interfaces that support SNMPv1 an d SNMPv2c community strings. T able 31. Support for SNMPv1 and SNMPv2c Community Strings Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es[...]
-
Página 93
AT-S63 Management Software Features Guide Section I: Basic Operat ions 93 Overview You can manage a switch by viewing and chan ging the management information base (MIB) ob jects on the device with the Simple Network Management Program (SNMP). The AT-S63 Man agement Software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains SNMPv1 and SNM[...]
-
Página 94
Chapter 4: SNMPv1 a nd SNMPv2c 94 Section I: Basic Op erations Community String Attributes A community string has attributes fo r controlling who can use the string and what the string will allow a network management to do on the switch. The community string attributes are defined below: Community String Name A community string must have a name of [...]
-
Página 95
AT-S63 Management Software Features Guide Section I: Basic Operat ions 95 the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community stri ngs you assign your trap receivers. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all[...]
-
Página 96
Chapter 4: SNMPv1 a nd SNMPv2c 96 Section I: Basic Op erations Default SNMP Community Strings The AT-S63 Management Software prov ides two defau lt community strings: public and private. The public string h as an access mode of just Read and the private string ha s an access mode of Read/Write . If you activate SNMP management on the switch, you sh[...]
-
Página 97
Section I: Basic Operations 97 Chapter 5 MAC Addr ess T able This chapter contains background in formation about the MAC a ddress table.This chapter contains the following section: “Overview” on page 98[...]
-
Página 98
Chapter 5: MAC Address Table 98 Section I: Basic Op erations Overview The AT-9400 Switch has a MAC address table with a st orage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the p ort numbers where the addresses were learned. A switch learns the MAC addresses of the end nodes by exam[...]
-
Página 99
AT-S63 Management Software Features Guide Section I: Basic Operat ions 99 no longer active. The period of time a switch waits before pu rging inactive dynamic MAC addresses is called the aging time . This valu e is adjustable on the AT-9400 Switch. The default value is 300 se conds (5 minutes). The MAC address table can also store st atic MAC addre[...]
-
Página 100
Chapter 5: MAC Address Table 100 Section I: Basic Operati ons[...]
-
Página 101
Section I: Basic Operations 101 Chapter 6 S tatic Port T runks This chapter describes static port trunk s. Sections in the chapter include: “Supported Platforms” on p age 102 “Overview” on page 103 “Load Distribution Methods” on p age 104 “Guidelines” on p age 106[...]
-
Página 102
Chapter 6: St atic Port Trunks 102 Section I: Basic Operati ons Supported Platforms Refer to Table 33 and Table 34 for the AT-9400 Switches and the management interfaces that support static po rt trunks. T able 33. Support for S tatic Port T runks Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 [...]
-
Página 103
AT-S63 Management Software Features Guide Section I: Basic Operat ions 103 Overview A static port trunk is a group of two to e ight ports that function as a single virtual link between the switch and anot her device. Traff ic is distributed across the ports to improve perfo rmance an d enhance reliability by reducing the reliance on a single physic[...]
-
Página 104
Chapter 6: St atic Port Trunks 104 Section I: Basic Operati ons Load Distribution Methods This section discusses the load distribut ion methods of static port trunks and LACP port trunks, described in Chapter 7, “L ACP Port Trunks” on page 107. When you create a static or LACP port trunk, you h ave to select a load distribution method. This con[...]
-
Página 105
AT-S63 Management Software Features Guide Section I: Basic Operat ions 105 A similar method is used for the two load distribution methods that employ both the source and destination addresses. Only here the last three bits of both addresses are combine d by an XOR process to de rive a single valu e which is then compared against the mappings o f th[...]
-
Página 106
Chapter 6: St atic Port Trunks 106 Section I: Basic Operati ons Guidelines Here are the guidelines to static trunks: Allied T elesis recommends limiting st atic port trunks to Allie d T elesis network devices to ensure comp atibility . A static trunk ca n have up to eight port s. S tand-alone switches and A T-9400T s S tacks can support[...]
-
Página 107
Section I: Basic Operations 107 Chapter 7 LACP Port T runks This chapter explains Link Aggregati on Control Protocol (LACP) port trunks. Sections in the chapter include: “Supported Platforms” on p age 108 “Overview” on page 109 “LACP System Priority” on page 1 10 “Adminkey Parameter” on p age 1 1 1 “LACP Port P[...]
-
Página 108
Chapter 7: LACP Port Trunks 108 Section I: Basic Operati ons Supported Platforms Refer to Table 35 and Table 36 for the AT-9400 Switches and the management interfaces that support L ACP port trunks. T able 35. Support for LACP Po rt T runks Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Models [...]
-
Página 109
AT-S63 Management Software Features Guide Section I: Basic Operat ions 109 Overview LACP (Link Aggregation Control Protocol) port trunks p erform the same function as static trunks. They increase the bandwidth between netwo rk devices by distributing the traffic lo ad over multiple physical links. The advantage of an LACP trunk over a static port t[...]
-
Página 110
Chapter 7: LACP Port Trunks 110 Section I: Basic Operati ons LACP System Priority It is possible for two devices interc onnected by an a ggregate trunk to encounter a conflict when they f orm the trunk. For example, the two devices might not support the same nu mber of active ports in an aggregate trunk or might not a gree on which ports are to be [...]
-
Página 111
AT-S63 Management Software Features Guide Section I: Basic Operat ions 111 Adminkey Parameter The adminkey is a hexadecimal value from 1 to FFFF that ide ntifies an aggregator. Each aggregator on a switch must have a unique a dminkey. The adminkey is restricted to a switch. Two aggregators on different switches can have the same adminkey without ge[...]
-
Página 112
Chapter 7: LACP Port Trunks 112 Section I: Basic Operati ons Load Distribution Methods The load distribution method determines the manner in which t he switch distributes the traffic across the active ports o f an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trun ks within it. If you want to assign different[...]
-
Página 113
AT-S63 Management Software Features Guide Section I: Basic Operat ions 113 Guidelines The following guidelines apply to cr eating aggregators: LACP must be activated on both the switch and the other device. The other device must be 802.3ad-comp liant. An aggregator can consist of a ny number of port s. The A T-S63 Management Softwar[...]
-
Página 114
Chapter 7: LACP Port Trunks 114 Section I: Basic Operati ons When creating a new aggregator , you can specify either a name for the aggregator or an admin key , but not both. If you specify a name, the adminkey is based on the operator key of the lowe st numbered port in the aggregator . If you specify an adminkey , the default name is DEF AUL [...]
-
Página 115
Section I: Basic Operations 115 Chapter 8 Port Mirr or This chapter explains the port mirror f eature. Sections in the chapter include: “Supported Platforms” on p age 1 16 “Overview” on page 1 17 “Guidelines” on p age 1 17[...]
-
Página 116
Chapter 8: Po rt Mirror 116 Section I: Basic Operati ons Supported Platforms Refer to Table 37 and Table 38 for the AT-9400 Switches and the management interfaces that support t he port mirror. T able 37. Support for the Port Mirror Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Models A T-9424[...]
-
Página 117
AT-S63 Management Software Features Guide Section I: Basic Operat ions 117 Overview The port mirror feature allows for th e unobtrusive monitoring of ingress or egress traffic on one or more ports on a switch, without impacting network performance or speed. It copies th e tr affic from specified ports to another switch port where the traffic can b [...]
-
Página 118
Chapter 8: Po rt Mirror 118 Section I: Basic Operati ons[...]
-
Página 119
Section I: Basic Operations 119 Chapter 9 Link-flap Pr otection This chapter explains link-flap p rotec tion. The sections in this chapt er include: “Supported Platforms” on p age 120 “Overview” on page 121 “Guidelines” on p age 122 “Configuring the Feature” on p age 123[...]
-
Página 120
Chapter 9: Link-flap Protection 120 Section I: Basic Operati ons Supported Platforms Refer to Table 39 and Table 40 for the AT-9400 Switches and the management interfaces that support link-flap protection. T able 39. Support for Link-flap Protection Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB A T-9424T/SP Basic Layer 3 Models A T-94[...]
-
Página 121
AT-S63 Management Software Features Guide Section I: Basic Operat ions 121 Overview A port that is unable to maintain a re liable connection to a network node may experience a condition referred to as link-flapping. This prob lem, which is usually caused by intermittent problems with network cab les or network nodes, causes the state of a link on a[...]
-
Página 122
Chapter 9: Link-flap Protection 122 Section I: Basic Operati ons Guidelines Here are the guidelines to link-flap protect ion: The rate and duration are set at the switch or the stack le vel and apply to all of the ports. Y ou can enable this feature on a per- port basis. The performance of the switch is not af fected if you enable it on[...]
-
Página 123
AT-S63 Management Software Features Guide Section I: Basic Operat ions 123 Configuring the Feature Here are the commands that are used to con figure the link-flap protection feature. The first example uses the st andard commands and the second example uses the AlliedWare Plus co mmands. T hey co nfigu re th e fe ature such that link-flap events are[...]
-
Página 124
Chapter 9: Link-flap Protection 124 Section I: Basic Operati ons[...]
-
Página 125
Section II: Advanced Operations 125 Section II Advanced Operations This section contains t he following chapters: Chapter 10, ”File System” on page 127 Chapter 1 1, ”Event Logs and the Syslog Client” on p age 131 Chapter 12, ”Classifiers” on p age 135 Chapter 13, ”Access Control List s” on p age 145 Chapter 14, ?[...]
-
Página 126
126 Section II: Advanced Operations[...]
-
Página 127
Section II: Advanced Operations 127 Chapter 10 File System The chapter explains the switch’s file system and contains the following sections: “Overview” on page 128 “File Naming Conventions” on p age 129 “Using Wildcards to S pecify Groups of Files” on p age 130[...]
-
Página 128
Chapter 10: File Sys tem 128 Section II: Advanced Operations Overview The AT-9400 Switch has a file system in flash memory for storing system files. You can view a list of the files a s well as copy, rename, and delete files. For those AT-9400 Switches tha t support a compact flash memory card, you can perform the same functions on t he files store[...]
-
Página 129
AT-S63 Management Software Features Guide Section II: Advance d Operations 129 File Naming Conventions The flash memory file system is a flat file system—directories are no t supported. However, directories are supported on compact flash cards. In both types of storage, files are un iquely identified by a file name in the following format: filena[...]
-
Página 130
Chapter 10: File Sys tem 130 Section II: Advanced Operations Using Wildcards to Specify Groups of Files You can use the asterisk character (* ) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions: *.cfg *.key 28*.c[...]
-
Página 131
Section II: Advanced Operations 131 Chapter 11 Event Logs and the Syslog Client This chapter describes how to mo nitor t he activity of a switch by viewing the event messages in the event logs an d sending the messages to a syslog server. Sections in the chapter include: “Supported Platforms” on p age 132 “Overview” on page 133 [...]
-
Página 132
Chapter 11: Event Lo gs and the Sysl og Client 132 Section II: Advanced Operations Supported Platforms Refer to Table 42 and Table 43 for the AT-9400 Switches and the management interfaces that support t he event logs and the syslog client. T able 42. Support for the Event Logs and the Syslog Client Switch Supported Layer 2+ Models A T-9408LC/SP Y [...]
-
Página 133
AT-S63 Management Software Features Guide Section II: Advance d Operations 133 Overview A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software feat ures operate simultaneously, interoperating with e ach other and processing large amounts of network traffic. It is often difficu lt to det[...]
-
Página 134
Chapter 11: Event Lo gs and the Sysl og Client 134 Section II: Advanced Operations Syslog Client The management software features a syslog client to send event messages to a syslog server on your network. A syslog server can function as a central repository fo r events from many different net work devices. In order for the switch to send eve nts to[...]
-
Página 135
Section II: Advanced Operations 135 Chapter 12 Classifiers This chapter explains classifiers for access control lists and Quality of Service policies. The sections in this chapter include : “Supported Platforms” on p age 136 “Overview” on page 137 “Classifier Criteria” on page 139 “Guidelines” on p age 144[...]
-
Página 136
Chapter 12: Cl assifiers 136 Section II: Advanced Operations Supported Platforms Refer to Table 44 and Table 45 for the AT-9400 Switches and the management interfaces that support classifiers. T able 44. Support for Classifiers Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Models A T-9424T Y e[...]
-
Página 137
AT-S63 Management Software Features Guide Section II: Advance d Operations 137 Overview A classifier defines a traffic flow . A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might b e all IP traffic while an example of the latter cou[...]
-
Página 138
Chapter 12: Cl assifiers 138 Section II: Advanced Operations is dictated by the QoS p olicy, as explained in Chapter 15, “Quality of Service” on page 165. In summary, a class ifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy t o define the traffic flow you want the ACL or Qo S policy to af[...]
-
Página 139
AT-S63 Management Software Features Guide Section II: Advance d Operations 139 Classifier Criteria The components of a classifier are defin ed in the following subsections. Destination MAC Address (Layer 2) Source MAC Address (Layer 2) You can identify a traffic flow by s pecifying a source and/or destin ation MAC address. For instance, you might c[...]
-
Página 140
Chapter 12: Cl assifiers 140 Section II: Advanced Operations Figure 5. User Priority and VLAN Fields within an Etherne t Frame You can identify a traf fic flow of tagged packets using the user priority value. A classifier for such a traffic flow would instruct a port to watch for tagged packets containing the specif ied user priority level. The pri[...]
-
Página 141
AT-S63 Management Software Features Guide Section II: Advance d Operations 141 Observe the following guidelines when using this variable: When selecting a Layer 3 or Layer 4 variable, this variable must be lef t blank or set to IP . If you choose to specify a protocol by its number , you can enter the value in decimal or hexadecimal format.[...]
-
Página 142
Chapter 12: Cl assifiers 142 Section II: Advanced Operations Observe these guidelines when using this criterion: The Protocol variable must be lef t blank or set to IP . Y ou cannot specify both an IP T oS value and an IP DSCP value in the same classifier . IP Protocol (Layer 3) You can define a traffic flow by the following Layer 3 protoco[...]
-
Página 143
AT-S63 Management Software Features Guide Section II: Advance d Operations 143 Observe this guideline wh en using these criteria: The Protocol variable must be lef t blank or set to IP . TCP Source Ports (Layer 4) TCP Destination Ports (Layer 4) A traffic flow can be identified by a source and/or destin ation TCP port number contained within th[...]
-
Página 144
Chapter 12: Cl assifiers 144 Section II: Advanced Operations Guidelines Follow these guidelines wh en creating a classifier: Each classifier represent s a separate t raffic flow . The variables within a classifier ar e linked by AND. The more variables you define within a classifier , the more specific it becomes in terms of the flow it def[...]
-
Página 145
Section II: Advanced Operations 145 Chapter 13 Access Contr ol Lists This chapter describes access cont rol lists (ACL) and how they can improve network security and performan ce. This chapter co ntains the following sections: “Supported Platforms” on p age 146 “Overview” on page 147 “Parts of an ACL” on page 149 “Guid[...]
-
Página 146
Chapter 13: Access Control Lists 146 Section II: Advanced Operations Supported Platforms Refer to Table 46 and Table 47 for the AT-9400 Switches and the management interfaces that support t he access control lists. T able 46. Support for the Access Co ntrol Lists Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y e[...]
-
Página 147
AT-S63 Management Software Features Guide Section II: Advance d Operations 147 Overview An access control list is a filte r that controls the ingress traffic o n a port. It defines a category of traffic and the action of the p ort when it receives packets of the category. The action c an be to accept the defined packets or discard them. You can use[...]
-
Página 148
Chapter 13: Access Control Lists 148 Section II: Advanced Operations 4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.[...]
-
Página 149
AT-S63 Management Software Features Guide Section II: Advance d Operations 149 Parts of an ACL An ACL must have the following informat ion: Name - An ACL must have a name. The name of an ACL should indicate the type of traf fic flow being filtered and, perhap s, also the action. An example might be “HTTPS flow - permit.” The more specific t[...]
-
Página 150
Chapter 13: Access Control Lists 150 Section II: Advanced Operations Guidelines Here are the rules to creating ACLs: Ports can have mu ltiple permit and de ny ACLs. ACLs must have at least on e classifier . ACLs can have up to sixteen classifiers. ACLs can be assigned to more than one switch port. ACLs filter ingress traffic, bu[...]
-
Página 151
AT-S63 Management Software Features Guide Section II: Advance d Operations 151 Examples This section contains seve ral examples of ACLs. In this example, port 4 has been assigne d one ACL, a deny ACL for the subnet 149.11.11.0. This ACL preve nts the port from acceptin g any traffic originating from that subnet. Since th is is the only ACL o n the [...]
-
Página 152
Chapter 13: Access Control Lists 152 Section II: Advanced Operations To deny traffic from several subne ts on the same port, you can create multiple classifiers and apply them to the same ACL , as illustrated in the next example. Three subnets a re denied access to port 4. The three classifiers defining the subne ts are applied to the same ACL. Fig[...]
-
Página 153
AT-S63 Management Software Features Guide Section II: Advance d Operations 153 The same result can be achieved by assigning t he classifiers to different ACLs and assigning the ACLs to the sa me port, as in this example, a gain for port 4. Figure 9. ACL Example 3 Create Access Control Lists (A CL) 1 - A CL ID ................. 22 2 - Description ..[...]
-
Página 154
Chapter 13: Access Control Lists 154 Section II: Advanced Operations In this example, the traffic on ports 14 a nd 15 is restrict ed to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifie[...]
-
Página 155
AT-S63 Management Software Features Guide Section II: Advance d Operations 155 The next example limits the ingress tr affic on p ort 17 to IP packets from the subnet 149.22.11.0 an d a Type of Service settin g of 6, destined to the end node with the IP address 149.22.22.22. All other IP tra ffic and ARP packets are prohibited. Figure 12. ACL Exampl[...]
-
Página 156
Chapter 13: Access Control Lists 156 Section II: Advanced Operations[...]
-
Página 157
Section II: Advanced Operations 157 Chapter 14 Class of Service This chapter describes the Class of Se rv ice (CoS) feature. Sections in the chapter include: “Supported Platforms” on p age 158 “Overview” on page 159 “Scheduling” on p age 162[...]
-
Página 158
Chapter 14: Class of Service 158 Section II: Advanced Operations Supported Platforms Refer to Table 48 and Table 49 for the AT-9400 Switches and the management interfaces that support t he Class of Service feature. T able 48. Support for the Class of Service Fe ature Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP[...]
-
Página 159
AT-S63 Management Software Features Guide Section II: Advance d Operations 159 Overview When a port on an Ethernet switch becomes oversubscribe d—its egress queues contain more packets than the port can handle in a time ly manner—the port may be forced to delay the transmission of some packets, resulting in the dela y of packets reaching their [...]
-
Página 160
Chapter 14: Class of Service 160 Section II: Advanced Operations For example, when a tagged packe t with a priority level of 3 enters a por t on the switch, the packet is stored in Q3 queue on the egre ss port. Note that priority 0 is mapp ed to CoS queue 1 instead of CoS queu e 0 because tagged traffic that has neve r been prioritized has a VLAN t[...]
-
Página 161
AT-S63 Management Software Features Guide Section II: Advance d Operations 161 Note that because all ports must use the same priority-to-eg ress queue mappings, these mappings are app lied at the switch level. They cannot be set on a per-port basis. You can configure a port to completely ignor e the priority levels in its tagged packets and instead[...]
-
Página 162
Chapter 14: Class of Service 162 Section II: Advanced Operations Scheduling A switch port needs a mechanism that specifies the order of transmittal of the packets from its eight egress queu es. For example, should a port that has packets in all its queues transmit all the packe ts from Q7, the highest priority queue, before moving on to th e oth er[...]
-
Página 163
AT-S63 Management Software Features Guide Section II: Advance d Operations 163 Table 52 shows an example. In this example, the port transmits a maximum n umber of 15 pa cke ts from Q7 before moving to Q6, from where it transmits up to 10 packets, and so forth. For Q0 to Q6, the range o f the maximum number of transmitted packets is 1 to 15. The ran[...]
-
Página 164
Chapter 14: Class of Service 164 Section II: Advanced Operations Q6 15 Q7 0 T able 53. Example of a W eight of Zero for Priority Qu eue 7 (Continued) Port Egress Queue Maximum Number of Packet s[...]
-
Página 165
Section II: Advanced Operations 165 Chapter 15 Quality of Service This chapter describes Quality of Serv ice ( QoS). Sections in the chapter include: “Supported Platforms” on p age 166 “Overview” on page 167 “Classifiers” on page 169 “Flow Groups” on p age 170 “T raf fic Classes” on p age 171 “Policies?[...]
-
Página 166
Chapter 15: Quali ty of Service 166 Section II: Advanced Operations Supported Platforms Refer to Table 54 and Table 55 for the AT-9400 Switches and the management interfaces that support Quality of Service . T able 54. Support for Qualit y of Service Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer[...]
-
Página 167
AT-S63 Management Software Features Guide Section II: Advance d Operations 167 Overview Quality of Service allows you to prioritize traffic and/o r limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which tre ated all traffic on the Internet or within a LAN in the same manner. Without QoS,[...]
-
Página 168
Chapter 15: Quali ty of Service 168 Section II: Advanced Operations The QoS functionality described in this chapter sorts packets in to various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. [...]
-
Página 169
AT-S63 Management Software Features Guide Section II: Advance d Operations 169 Classifiers Classifiers identify a particular traffic flow, and rang e from general to specific. (See Chapter 12, “Classifiers” on page 135 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic cl[...]
-
Página 170
Chapter 15: Quali ty of Service 170 Section II: Advanced Operations Flow Groups Flow groups group similar traffic flows together, a nd allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a sma ll set of QoS parameters a nd a group of classifiers. After a flow group has been adde[...]
-
Página 171
AT-S63 Management Software Features Guide Section II: Advance d Operations 171 Traffic Classes Traffic classes are the central component of the QoS solution . They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be a ssigned to only one policy. Traffic classes co nsist of a set of QoS parameters and a [...]
-
Página 172
Chapter 15: Quali ty of Service 172 Section II: Advanced Operations Policies QoS policies consist of a collection of user defined traffic classes. A policy can be assigned to more than o ne port, but a port may only have one policy. Note that the switch can only perfor m error checking of parameters and parameter values for the policy and its traff[...]
-
Página 173
AT-S63 Management Software Features Guide Section II: Advance d Operations 173 QoS Policy Guidelines Following is a list of QoS policy guidelines: A classifier may be assigned to many flow groups. However , assigning a classifier more than once within the same policy may lead t o undesirable result s. A classifier may be used su ccessfully in m[...]
-
Página 174
Chapter 15: Quali ty of Service 174 Section II: Advanced Operations Packet Processing You can use the switch’s QoS to ols to perform any combination of the following functions on a packet flow: Limiting bandwid th Prioritizing p ackets to determine the leve l of precedence the switch will give to the packet for p rocessing Replacing t[...]
-
Página 175
AT-S63 Management Software Features Guide Section II: Advance d Operations 175 Both the VLAN tag User Priority and th e traffic class / flow group priority setting allow eight different priorit y values (0-7). These eight priorities are mapped to the switch’s eight CoS queue s. The switch’s default mapping is shown in Table 50 on page 160. Note[...]
-
Página 176
Chapter 15: Quali ty of Service 176 Section II: Advanced Operations Replacing Priorities The traffic class or flow group priority (if set) determines the egress que ue a packet is sent to when it egresse s the switch, but by d efault has no effect on how the rest of the network processes the pa cket. To permanently change the packet’s priority, y[...]
-
Página 177
AT-S63 Management Software Features Guide Section II: Advance d Operations 177 DiffServ Domains Differentiated Services (DiffServ) is a metho d of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information abo ut traf fic flows. DiffServ operates within a DiffServ domain , a network o[...]
-
Página 178
Chapter 15: Quali ty of Service 178 Section II: Advanced Operations To use the QoS tool set to configure a DiffServ doma in: 1. As packets come into the domai n at edge swit ches, replace their DSCP value, if required. Classify the packets according to the required characteristics. Fo r available options, see Chapter 12, “Cla ssifiers” on p[...]
-
Página 179
AT-S63 Management Software Features Guide Section II: Advance d Operations 179 Examples The following examples demonstrate how to implement QoS in three situations: “V oice Applications,” next “Video Applicatio ns” on pa ge 181 “Critical Database” on p age 183 Voice Applications Voice applications typically require a small b[...]
-
Página 180
Chapter 15: Quali ty of Service 180 Section II: Advanced Operations Figure 14. QoS Voice Application Example The parts of the policies are: Classifier - Defines the traf fic flow by specifying the I P address of the node with the voice application. The cl assifier for Policy 6 specifies the address as a source address because this classifie r i[...]
-
Página 181
AT-S63 Management Software Features Guide Section II: Advance d Operations 181 T raf fic Class - No action is taken by the traffic class, o ther than to specify the flow group. T raffic class has a priority setting you can use to override the priority level of p acket s, just as in a flow group. If you enter a priority value in both places, the[...]
-
Página 182
Chapter 15: Quali ty of Service 182 Section II: Advanced Operations Figure 15. QoS Video Application Example The parts of the policies are: Classifier - S pecifies the IP address of the node with a video application. The classifier for Polic y 17 spe cifies the address as a source address since this classifi er is pa rt of a policy concerning p[...]
-
Página 183
AT-S63 Management Software Features Guide Section II: Advance d Operations 183 packet s so they leave containing the new leve l, you would change option 5, Remark Priority , to Y es. T raf fic Class - The packet stream is assigned a maximu m bandwidth of 5 Mbps. Bandwid th assignment can onl y be made at the traf fic class level. Policy - S[...]
-
Página 184
Chapter 15: Quali ty of Service 184 Section II: Advanced Operations Policy Component Hierarchy The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority a nd DSCP values. A new priority can be set at the flow group and traffic class [...]
-
Página 185
AT-S63 Management Software Features Guide Section II: Advance d Operations 185 Figure 17. Policy Component Hierarchy Example Create Classifier 01 - Classifier ID: ..... 1 . 14 - Dst IP Addr ..... 149.11.11.0 15 - Dst IP Mask ..... 255.255.255.0 Create Flow Group 1 - Flow Group ID ......... 1 . 3 - DSCP V alue ............. 10 . 9 - Classifier List [...]
-
Página 186
Chapter 15: Quali ty of Service 186 Section II: Advanced Operations[...]
-
Página 187
Section II: Advanced Operations 187 Chapter 16 Gr oup Link Contr ol This chapter explains group link contro l. The sections in this chapter include: “Supported Platforms” on p age 188 “Overview” on page 189 “Guidelines” on p age 197 “Configuring the Feature” on p age 198[...]
-
Página 188
Chapter 16: Group L ink Control 188 Section II: Advanced Operations Supported Platforms Refer to Table 56 and Table 57 for the AT-9400 Switches and the management interfaces that support g roup link control. T able 56. Support for Group Link Contr ol Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB A T-9424T/SP Basic Layer 3 Models A T-9[...]
-
Página 189
AT-S63 Management Software Features Guide Section II: Advance d Operations 189 Overview Group link control is designed to imp rove the effectiveness of the redundant systems in a network. It enables the switch to alert network devices about problems they might not otherwise detect o r respond to, so that they can implement their redundan t systems,[...]
-
Página 190
Chapter 16: Group L ink Control 190 Section II: Advanced Operations In the first diagram a server with two teamed network ad apter cards is connected to different AT-9 400 Switches, with the active link to switch 3. If there was a failure on the active link, the server would be ab le to detect it directly and would respond by automatic ally transfe[...]
-
Página 191
AT-S63 Management Software Features Guide Section II: Advance d Operations 191 But if the failure occurred further upst ream between switches 1 and 3, the server would not detect the problem. Unaware of the problem, it would lose connectivity to the network because it would contin ue to transmit packets to switch 3, which would disc ard the packets[...]
-
Página 192
Chapter 16: Group L ink Control 192 Section II: Advanced Operations Figure 20. Group Link Control Example 3 When a link on an upstream port is reestablished, the switch automatically reactivates the downstream counterpar t. Referring to the example, when the link on port 17 is reestablished, the switch enable s port 24 again. A link control group c[...]
-
Página 193
AT-S63 Management Software Features Guide Section II: Advance d Operations 193 Figure 21. Group Link Contro l Example 4 Switch 1 Network Switch 3 Switch 2 Switch 4 Upstream ports 17, 20 Downstream ports 24, 25 Primary trunk Secondary trunk[...]
-
Página 194
Chapter 16: Group L ink Control 194 Section II: Advanced Operations If connectivity is lost on both ports 17 an d 20, the downstream ports 24 and 25 are disabled. Figure 22. Group Link Control Example 5 In the previous examples the ports of the group s on the switch are connected to different devices, making it possible for do wnstream devices to k[...]
-
Página 195
AT-S63 Management Software Features Guide Section II: Advance d Operations 195 This is illustrated in this figure. Switch 1 and switch 3 are connect ed with a static or LACP trunk of three links. A backup trunk from switch 2 to switch 3 is placed in the blocking state by the spanning tree protocol to prevent a network loop. Figure 23. Group Link Co[...]
-
Página 196
Chapter 16: Group L ink Control 196 Section II: Advanced Operations In this example the primary and backup trunks have four links each. Figure 24. Group Link Control Example 7 If you wanted switch 3 to shutdo wn the primary trunk if any two links were lost, you would need to create six g roups to cover all of the possible combinations. The groups a[...]
-
Página 197
AT-S63 Management Software Features Guide Section II: Advance d Operations 197 Guidelines Here are the guidelines to group link control: The switch or stack can support up to eight group s. A group can have any numb er of port s, up to the tot al number of port s on the switch. Ports can be members of more tha n one group. Port s can al[...]
-
Página 198
Chapter 16: Group L ink Control 198 Section II: Advanced Operations Configuring the Feature Here are a few examples on how to configure the feature. The first example configures the g roup in Figure 20 on page 192 in which port 17 is the upstream port and port 24 is th e downstream port. To create the group, to enable group link control, a nd to ve[...]
-
Página 199
AT-S63 Management Software Features Guide Section II: Advance d Operations 199 awplus(confi g-if)# inter fa ce 8 awplus(confi g-if)# gr oup link con trol upstr eam 2 awplus(confi g-if)# gr oup link con trol downs tream 1 awplus(confi g-if)# gr oup link con trol downs tream 3 awplus(confi g-if)# inter fa ce 9 awplus(confi g-if)# gr oup link con trol[...]
-
Página 200
Chapter 16: Group L ink Control 200 Section II: Advanced Operations[...]
-
Página 201
Section II: Advanced Operations 201 Chapter 17 Denial of Service Defenses This chapter explains the defen se mechanisms in the management software that can protect your netwo rk against denial of service (DoS) attacks. Sections in the chapter include : “Supported Platforms” on p age 202 “Overview” on page 203 “SYN Flood Attack[...]
-
Página 202
Chapter 17: Denia l of Service Defens es 202 Section II: Advanced Operations Supported Platforms Refer to Table 60 and Table 61 for the AT-9400 Switches and the management interfaces that support t he denial of service de fenses. T able 60. Support for the Denial of Service Defenses Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y[...]
-
Página 203
AT-S63 Management Software Features Guide Section II: Advance d Operations 203 Overview The AT-S63 Management Software can help protect your netwo rk against the following types of denial of service attacks. SYN Flood Attack Smurf Attack Land Attack T eardrop Att ack Ping of Death Atta ck IP Options Attack The following sect[...]
-
Página 204
Chapter 17: Denia l of Service Defens es 204 Section II: Advanced Operations SYN Flood Attack In this type of attack, an attacker sends to a victim a la rge number of TCP connection requests (TCP SYN packe ts) with bogus source add resses. The victim responds with acknow ledgements (SYN ACK packet s), but because the original source addresses are b[...]
-
Página 205
AT-S63 Management Software Features Guide Section II: Advance d Operations 205 Smurf Attack This DoS attack is instigated by an at tacker se nding a ICMP Echo (Ping) request that has the network’s I P broadcast address as the dest ination address and the address of the victim as the source of th e ICMP Echo (Ping) request. This overwhe lms the vi[...]
-
Página 206
Chapter 17: Denia l of Service Defens es 206 Section II: Advanced Operations Land Attack In this attack, an attacker sends a bogus IP pa cket where the source and destination IP addresses are the same. This leaves the victim thinking that it is sending a message to itself. The most direct approach for defendin g against this form of attack wo uld b[...]
-
Página 207
AT-S63 Management Software Features Guide Section II: Advance d Operations 207 2. If the source IP address is no t local to the network, it discards th e packet because it assumes that a packe t with an IP address that is not local to the network should not be a ppearing on a port that is not an uplink port. This protects against the possib ility o[...]
-
Página 208
Chapter 17: Denia l of Service Defens es 208 Section II: Advanced Operations Teardrop Attack An attacker sends an IP packet in se veral fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. Because of the bogus o ffset value, th e victim is unable to reassemble the packet, possibly causing it to f[...]
-
Página 209
AT-S63 Management Software Features Guide Section II: Advance d Operations 209 Ping of Death Attack The attacker sends an oversized, fragmented ICMP Echo (Pin g) request (greater than 65,535 bits) to the victim, which, if lacking a policy for handling oversized packets, may freeze. To defend against this form o f attack, a switch port searches for [...]
-
Página 210
Chapter 17: Denia l of Service Defens es 210 Section II: Advanced Operations IP Options Attack In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 Management Sof tware does not distingu ish between them. Rather, the defense mechanism counts the numbe[...]
-
Página 211
AT-S63 Management Software Features Guide Section II: Advance d Operations 211 Mirroring Traffic The Land, Teardrop, Ping of Death, and IP Options defense mechanisms allow you to copy the examined traffi c to a mirror port for furthe r analysis with a data sniffer or analyzer. This featu re differs slightly from port mirroring in that prior to an a[...]
-
Página 212
Chapter 17: Denia l of Service Defens es 212 Section II: Advanced Operations Denial of Service Defense Guidelines Below are guidelines to observe when using this feature : A switch port can support more than one DoS defense at a time. The T eardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.[...]
-
Página 213
Section II: Advanced Operations 213 Chapter 18 Power Over Ethernet This chapter contains background info rmation on Power over Ethe rnet (PoE) for the AT-9424T/POE Switch. Sections in the chapt er include: “Supported Platforms” on p age 214 “Overview” on page 215 “Power Budgeting” on p age 216 “Port Prioritization” o[...]
-
Página 214
Chapter 18: Power Over Etherne t 214 Section II: Advanced Operations Supported Platforms Refer to Table 62 and Table 63 for the AT-9400 Switch and the management interfaces that support t he Power over Ethernet feature. T able 62. Support for the Power Over Ethernet Featu re Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB A T-9424T/SP B[...]
-
Página 215
AT-S63 Management So ftware Menus User’s Gui de Section II: Advance d Operations 215 Overview Power over Ethernet (PoE) is a mechan ism for supplying power to network devices over the same twisted pair cabl es that carry the network traffic. This feature, defined in the IEEE 802.3af standard, can make the installation and maintenance of a network[...]
-
Página 216
Chapter 18: Power Over Etherne t 216 Section II: Advanced Operations Power Budgeting The AT-9424T/POE Switch has a maximu m power budget of 38 0 watts. The maximum possible load on the swit ch from the powered devices is 360W. The latter number assumes that all of the twenty four ports are connected to powered devices t hat are drawing the maximum [...]
-
Página 217
AT-S63 Management So ftware Menus User’s Gui de Section II: Advance d Operations 217 Port Prioritization Port prioritization is used to control which ports on the switch are to receive PoE in the event the power requiremen ts of the devices exceed the switch’s power budget. Port priorit ization should be unnecessary on the AT-9424T/POE Switch s[...]
-
Página 218
Chapter 18: Power Over Etherne t 218 Section II: Advanced Operations PoE Device Classes The IEEE 802.3af standard specifies four levels of classes for powered devices that are defined by power usa ge. The classes are: 0 - 0.44 W to 12.95 W 1 - 0.44 W to 3.84 W 2 - 3.84 W to 6.49 W 3 - 6.49 W to 12.95 W (The standard actually specifi[...]
-
Página 219
Section III: Snooping Protocols 219 Section III Snooping Pr otocols The chapters in this section contai n overview informat ion on the snooping protocols. The chapters include: Chapter 19, ”Internet Group Management Protocol Snooping” on p age 221 Chapter 20, ”Internet Group Man agement Protocol Snooping Querier” on page 225 Cha[...]
-
Página 220
220 Section III: Snooping Protocols[...]
-
Página 221
Section III: Snooping Protocols 221 Chapter 19 Internet Gr oup Management Pr otocol Snooping This chapter explains the Intern et Group Management Protoco l (IGMP) snooping feature in the following sections: “Supported Platforms” on p age 222 “Overview” on page 223[...]
-
Página 222
Chapter 19: Internet Group Management Proto col Snooping 222 Section III: Snooping Protocols Supported Platforms Refer to Table 64 and Table 65 for the AT-9400 Switches and the management interfaces that support t he Internet Group Management Protocol (IGMP) snooping feature. T able 64. Support for Internet Group Manageme nt Protocol Snooping Switc[...]
-
Página 223
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 223 Overview IPv4 routers use IGMP to create lists of nodes tha t are members of multicast groups. (A multicast group is a group of end node s that want to receive multicast packets from a mult icast application.) The router crea tes a multicast membership list by periodica [...]
-
Página 224
Chapter 19: Internet Group Management Proto col Snooping 224 Section III: Snooping Protocols Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negative ly impact network p erformance. The AT-9400 Switch maintains its list of multic[...]
-
Página 225
Section III: Snooping Protocols 225 Chapter 20 Internet Gr oup Management Pr otocol Snooping Querier This chapter explains IGMP snooping querier and contains th e following sections: “Supported Platforms” on p age 226 “Overview” on page 227 “Guidelines” on p age 230 “Configuring the Feature” on p age 231[...]
-
Página 226
Chapter 20: Internet Group Management Proto col Snooping Querier 226 Section III: Snooping Protocols Supported Platforms Refer to Table 66 and Table 67 for the AT-9400 Switches and the management interfaces that support I GMP snooping querie r. T able 66. Support for IGMP Snoopin g Querier Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB[...]
-
Página 227
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 227 Overview Multicast routers are essential for IP multicasting. They send out the queries to the network nodes to determine g roup memberships, route the multicast packets across networks, an d maintain lists of the multicast groups and the ports where the members of the g[...]
-
Página 228
Chapter 20: Internet Group Management Proto col Snooping Querier 228 Section III: Snooping Protocols Figure 25. IGMP Snooping Querier Exa mple 1 The next example adds a second switch that has t he same VLAN, the Default VLAN. IGMP snooping is enabled on the switch so that it can build its list of nodes for the multicast group. Sin ce a LAN can have[...]
-
Página 229
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 229 Figure 26. IGMP Snooping Querier Examp le 2 Multicast source: IP address: 149.123.48.1 Switch 1: VLAN: Default_VLAN VID: 1 IGMP snooping: Enabled IGMP snooping querier : Enabled Routing inte rface addr ess: 149.123.48 .2 Host nodes: IP addresses: 149.44.44.3 to 149.123.4[...]
-
Página 230
Chapter 20: Internet Group Management Proto col Snooping Querier 230 Section III: Snooping Protocols Guidelines The guidelines for IGMP snooping querier are liste d here: The network can have only one LAN. There cannot be any multicast routers. IGMP snooping must be enabled on the switch. IGMP snooping querier should be ena bled on [...]
-
Página 231
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 231 Configuring the Feature The procedures in this section illustrate how to use the standard commands and the AlliedWare Plus comman ds to configu re the switch for IGMP snooping querier. The procedures c onfigure the settings for switch 1 in Figure 25 on page 228. To confi[...]
-
Página 232
Chapter 20: Internet Group Management Proto col Snooping Querier 232 Section III: Snooping Protocols 5. To confirm that IGMP snooping and IGMP snooping querier are enabled on the switch and that the interfa ce is functioning as the querier: show igmpsnoopi ng Figure 28. SHOW IGMPSNOOPING Command 6. To save the configur ation: save configurat ion To[...]
-
Página 233
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 233 2. To enable IGMP snooping: awplus(conf ig)# ip ig mp snooping 3. To enable IGMP snooping querier and apply it to th e VLAN: awplus(conf ig)# ip ig mp querier-l ist 1 awplus(conf ig)# exit 4. To confirm the routing interface: awplus# sho w ip inter face 5. To confirm tha[...]
-
Página 234
Chapter 20: Internet Group Management Proto col Snooping Querier 234 Section III: Snooping Protocols[...]
-
Página 235
Section III: Snooping Protocols 235 Chapter 21 Multicast Listener Discovery Snooping This chapter explains Multicast Li stener Discover y (MLD) snooping: “Supported Platforms” on p age 236 “Overview” on page 237[...]
-
Página 236
Chapter 21: Mult icast Listener Di scovery Snooping 236 Section III: Snooping Protocols Supported Platforms Refer to Table 68 and Table 69 for the AT-9400 Switches and the management interfaces that support Mult icast Listener Discovery snooping. T able 68. Support for Multicast Listener Discovery Snoo ping Switch Supported Layer 2+ Models A T-9408[...]
-
Página 237
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 237 Overview MLD snooping performs the same fun ction as IGMP snooping. The switch uses the feature to build multicast membership lists. It uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of the multicast groups. T[...]
-
Página 238
Chapter 21: Mult icast Listener Di scovery Snooping 238 Section III: Snooping Protocols[...]
-
Página 239
Section III: Snooping Protocols 239 Chapter 22 Router Redundancy Pr otocol Snooping This chapter explains Router Redundancy Protocol (RRP) sno oping and contains the following sections: “Supported Platforms” on p age 240 “Overview” on page 241 “Guidelines” on p age 242[...]
-
Página 240
Chapter 22: Ro uter Redundancy Pro tocol Snooping 240 Section III: Snooping Protocols Supported Platforms Refer to Table 70 and Table 71 for the AT-9400 Switches and the management interfaces that support Rou ter Redundancy Protocol Snooping. T able 70. Support for Router Redundancy Protocol Sno oping Switch Supported Layer 2+ Models A T-9408LC/SP [...]
-
Página 241
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 241 Overview The Router Redundancy Protocol (RRP) a llows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links e xist, the protocol enables routers, through an election process, to desig nate one a[...]
-
Página 242
Chapter 22: Ro uter Redundancy Pro tocol Snooping 242 Section III: Snooping Protocols Guidelines The following guidelines apply to the RRP snooping feature: The default setting for this feature is disable d. Activating the feature flushes all dynamic MAC addresses from th e MAC address table. RRP snooping is supported on ports oper atin[...]
-
Página 243
Section III: Snooping Protocols 243 Chapter 23 Ethernet Pr otection Switching Ring Snooping This chapter has the following sections: “Supported Platforms” on p age 244 “Overview” on page 245 “Restrictions” on page 247 “Guidelines” on p age 249[...]
-
Página 244
Chapter 23: Ethern et Protection Swit ching Ring Snoopin g 244 Section III: Snooping Protocols Supported Platforms Refer to Table 72 and Table 73 for the AT-9400 Switches and the management interfaces that support Eth ernet Protection Switching Ring Snooping. T able 72. Support for Ethernet Protectio n Switching Ring Snooping Switch Supported Layer[...]
-
Página 245
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 245 Overview Ethernet Protection Switching Ring is a feature fou nd on selected Allied Telesis products, such as the AT-x 900 Advance d Layer 3 Switches. It offers an effective alternative to span ning tree based optio ns when using ring based topologies to create high speed[...]
-
Página 246
Chapter 23: Ethern et Protection Swit ching Ring Snoopin g 246 Section III: Snooping Protocols After creating the VLANs, you activa te EPSR snooping by specifyin g the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control me ssages from the master switch and reacts accordingl y should it re[...]
-
Página 247
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 247 Restrictions EPSR snooping has three important restrictions. All the restrictions are related to control EPSR messages and the fact that EPSR snooping can not generate these messages. The AT-9400 Switch cannot fulfill the role o f master node of a ring because EPSR snoop[...]
-
Página 248
Chapter 23: Ethern et Protection Swit ching Ring Snoopin g 248 Section III: Snooping Protocols Figure 29. Double Fault C ondition in EPSR Snooping Now assume the lin k is reestablished between the switch and transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN[...]
-
Página 249
AT-S63 Management Software Features Guide Section III: Snoopin g Protocols 249 Guidelines The guidelines to EPSR snooping are: The A T-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances. The A T-9400 Switch cannot be the master node of a ring. EPSR snooping does not support t he transit node unso lic[...]
-
Página 250
Chapter 23: Ethern et Protection Swit ching Ring Snoopin g 250 Section III: Snooping Protocols[...]
-
Página 251
Section IV: SNMPv3 251 Section IV SNMPv3 The chapter in this section con tains overview information on SNMPv3. The chapter is: Chapter 24, ”SNMPv3” on pa ge 253[...]
-
Página 252
252 Section IV: SNMPv3[...]
-
Página 253
Section IV: SNMPv3 253 Chapter 24 SNMPv3 This chapter provides a description of the AT-S63 implemen tation of the SNMPv3 protocol. The following sections are provided: “Supported Platforms” on p age 254 “Overview” on page 255 “SNMPv3 Authentication Protoco ls” on p age 256 “SNMPv3 Privacy Protocol” on pa ge 257 ?[...]
-
Página 254
Chapter 24: SNMP v3 254 Section IV: SNMPv3 Supported Platforms Refer to Table 74 and Table 75 for the AT-9400 Switches and the management interfaces that support SNMPv3. T able 74. Support for SNMPv3 Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Models A T-9424T Y es A T-9424T/POE Y es A T-942[...]
-
Página 255
AT-S63 Management Software Features Guide Section IV: SNMPv3 255 Overview The SNMPv3 protocol builds on the exist ing SNMPv1 and SNMPv2c protocol implementation which is de scribed in Cha pter 4, “SNMPv1 and SNMPv2c” on page 91. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing yo u to conf[...]
-
Página 256
Chapter 24: SNMP v3 256 Section IV: SNMPv3 SNMPv3 Authentication Protocols The SNMPv3 protocol supports two authe ntication protocols—HMAC- MD5-96 (MD5) and HMAC-SHA-96 (SHA). Bo th MD5 and SHA use an algorithm to generate a message digest. Each authentica tion protocol authenticates a user by checking the message digest. In addition , both proto[...]
-
Página 257
AT-S63 Management Software Features Guide Section IV: SNMPv3 257 SNMPv3 Privacy Protocol After you have configured an authentic ation protocol, you have the option of assigning a privacy protocol if yo u have the encrypted version of the AT-S63 software. In SNMPv3 protocol te rminology, privacy is equivalent to encryption. Currently, the DES pro to[...]
-
Página 258
Chapter 24: SNMP v3 258 Section IV: SNMPv3 SNMPv3 MIB Views The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 30. Figure 30. MIB Tree The AT-S63 software supports the MIB tree, startin g with the Internet MIBs, as defined by 1.3.6.1. Ther[...]
-
Página 259
AT-S63 Management Software Features Guide Section IV: SNMPv3 259 After you specify a MIB subtree view you have the option of further restricting a view by defining a subtree ma sk. The relationship between a MIB subtree view and a subtree mask is analogous to th e relationship between an IP address a nd a subnet mask. The switch uses the subne t ma[...]
-
Página 260
Chapter 24: SNMP v3 260 Section IV: SNMPv3 SNMPv3 Storage Types Each SNMPv3 table entry has its own storag e type. You can choose between nonvolatile storage which allows you to save the table entry or volatile storage which does not allow you to save an e ntry. If you select the volatile storage type, when you power off the switch your SNMPv3 conf[...]
-
Página 261
AT-S63 Management Software Features Guide Section IV: SNMPv3 261 SNMPv3 Message Notification When you generate an SNMPv3 message from the switch, there are three basic pieces of information included in the message: The type of message The destination of the message SNMP security information To configure the type of message, yo u need to[...]
-
Página 262
Chapter 24: SNMP v3 262 Section IV: SNMPv3 SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the messag e notificatio n. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration: Configure SNMPv3 User T a[...]
-
Página 263
AT-S63 Management Software Features Guide Section IV: SNMPv3 263 Configure SNMPv3 Notify T able Configure SNMPv3 T arget Address T able Configure SNMPv3 T arget Parameters T able You start the message notification configu ration by defining the typ e of message you want to send with the SNMPv3 Notify Table. Then yo u define a IP address[...]
-
Página 264
Chapter 24: SNMP v3 264 Section IV: SNMPv3 “SNMPv3 T arget Parameters T able” on page 265 “SNMPv3 Community T able” on page 265 SNMPv3 User Table The Configure SNMPv3 User Table menu allows you to crea te an SNMPv3 user and provides the options o f configuring authentication and privacy protocols. With the SNMPv3 protocol, users are[...]
-
Página 265
AT-S63 Management Software Features Guide Section IV: SNMPv3 265 SNMPv3 Notify Table The Configure SNMPv3 Notify Table menu allows you to define the type of message that is sent from the switch to the SNMP host. In addition, you have the option of def ining the message typ e as either an Inform or a Trap message. The difference between these two ty[...]
-
Página 266
Chapter 24: SNMP v3 266 Section IV: SNMPv3 SNMPv3 Configuration Example You may want to have two classes of SNMPv3 users—Managers and Operators. In this scenario, you would configure on e group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privilege s only. For a detailed[...]
-
Página 267
Section V: Spanning Tree Protocols 267 Section V Spanning T r ee Protocols The section has the following chapters: Chapter 25, “S panning T ree and Rapid S p anning T ree Protocols” on page 269 Chapter 26, “Multiple S panning T ree Protocol” on p age 289[...]
-
Página 268
268 Section V: Spanning Tree Pro tocols[...]
-
Página 269
Section V: Spanning Tree Protocols 269 Chapter 25 Spanning T r ee and Rapid Spanning T r ee Pr otocols This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). Th e sections in this chapter include: “Supported Platforms” on p age 270 “Overview” on page 271 “Bridg[...]
-
Página 270
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 270 Section V: Spanning Tree Pro tocols Supported Platforms Refer to Table 76 and Table 77 for the AT-9400 Switches and the management interfaces that support t he Spanning Tree and Rapid Spanning Tree Protocols. T able 76. Support for the Spann ing Tree and Rapid Spannin g Tree Protocol[...]
-
Página 271
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 271 Overview The performance of a Ethernet network can be negatively impacted by the formation of a data loop in the netwo rk topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that dat[...]
-
Página 272
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 272 Section V: Spanning Tree Pro tocols Bridge Priority and the Root Bridge The first task that bridges perform when a sp anning tree protocol is activated on a network is the selection of a ro ot bridge . A root bridge distributes network topology information to the other network bridge[...]
-
Página 273
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 273 Path Costs and Port Costs After the root bridge has been selecte d, the bridges determine if the network contains redundant path s and, if one is found, select a pref erred path while placing the redunda nt paths in a backup or blocking state . Where there is only one [...]
-
Página 274
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 274 Section V: Spanning Tree Pro tocols Table 80 lists the STP port costs with Au to-Detect when a port is part of a port trunk. Table 81 lists the RSTP port costs with Auto-Detect. Table 82 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk. You can overrid[...]
-
Página 275
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 275 T able 83. Port Priority V alue Increments Increment Bridge Priority Increment Bridge Priority 0081 2 8 1 16 9 144 2 3 21 01 6 0 3 48 1 1 176 4 6 41 21 9 2 5 8 01 32 0 8 6 9 61 42 2 4 7 1 12 15 240[...]
-
Página 276
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 276 Section V: Spanning Tree Pro tocols Forwarding Delay and Topology Changes If there is a change in the network topology due to a failure, removal, o r addition of any active components, the active topology also changes. This may trigger a change in the state of some blo cked ports. Ho[...]
-
Página 277
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 277 seconds and the default is two second s. Consequently, if the AT-9400 Switch is selected as the root bridge of a spa nning tree domain, it transmits a BPDU every two seconds. Point-to-Point and Edge Ports Note This section applies only to RSTP. Part of the task of conf[...]
-
Página 278
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 278 Section V: Spanning Tree Pro tocols Figure 34. Edge Port A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no ST P or RSTP devices co nnected to it. Figure 35 illustrates a port functioning a s both a point-to-point and e dge po[...]
-
Página 279
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 279 Mixed STP and RSTP Networks RSTP IEEE 802.1w is fully compliant with STP IEEE 802.1d. A network can have both protocols. If both RSTP and ST P are present in a network, they operate together to cre ate a single spanning tr ee domain. Given this, if you decide to activa[...]
-
Página 280
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 280 Section V: Spanning Tree Pro tocols Spanning Tree and VLANs The STP and RSTP implementations in th e AT-S63 Management Software support a single-instance spa nning tree that encompasses all the ports on the switch. If the ports are divid ed into different VLANs, the spanning tree cro[...]
-
Página 281
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 281 RSTP BPDU Guard This feature monitors RSTP edge por ts on stand -alone switches or AT-9400Ts stacks and disables the p o rts if they receive BPDU packets. The benefit of this feature is that it prevents the u se of edge ports by RSTP devices and so reduces the possibil[...]
-
Página 282
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 282 Section V: Spanning Tree Pro tocols BPDU guard is supported only on RSTP . It is not supporte d on STP or MSTP . This feature is supported on the base ports of the switch and any expansion modu les and fiber optic transceivers insta lled in the unit. Note A port that the BPDU[...]
-
Página 283
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 283 RSTP Loop Guard Although RSTP is intended to detect an d prevent the forma tion of loo ps in a network topology, it is possible th at the protocol might inadvertently create a loop. This can happen in the unlikely situation where a link between two RSTP devices remains[...]
-
Página 284
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 284 Section V: Spanning Tree Pro tocols This feature is supported on th e base ports of t he switch as well as on any expansion modules and fiber optic transceivers insta lled in the unit. This feature is not supported in STP or MSTP. It is also not supported on RSTP edge ports. The foll[...]
-
Página 285
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 285 Figure 38. Loop Guard Example 2 But if loop guard is enabled on port 14 on switch 3, the port, instead of changing to the forwarding state, stays in the blocking state, preventing the formation of the loop. Figure 39. Loop Guard Example 3 The previous example illustrat[...]
-
Página 286
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 286 Section V: Spanning Tree Pro tocols In the first example the root bridge stops transmitting BPDUs. If switch 3 is not using loop guard, it continues to forward traffic on port 4, but since no BPDUs are received on the port, it assu mes that the device connected to the port is not an [...]
-
Página 287
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 287 Figure 41. Loop Guard Example 5 Switch 3 Switch 1 Old root bridge RSTP stops operating Port 4 Loop guard changes the port to the blocking state from the forwarding state Switch 2 New root bridge Port 14 Transitions from the blocking st ate to the forwarding state[...]
-
Página 288
Chapter 25: Spannin g Tree and Rapid Span ning Tree Protocols 288 Section V: Spanning Tree Pro tocols[...]
-
Página 289
Section V: Spanning Tree Protocols 289 Chapter 26 Multiple Spanning T r ee Protocol This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The sections in this chap ter include: “Supported Platforms” on p age 290 “Overview” on page 291 “Multiple S panning T ree Instance (MSTI)” on page 29[...]
-
Página 290
Chapter 26: Multipl e Spanning Tree Protocol 290 Section V: Spanning Tree Pro tocols Supported Platforms Refer to Table 84 and Table 85 for the AT-9400 Switches and the management interfaces that support t he Multiple Spanning Tree Protocol. T able 84. Support for the Multiple Spanning Tree Protocol Switch Supported Layer 2+ Models A T-9408LC/SP Y [...]
-
Página 291
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 291 Overview As mentioned in Chapter 25, ”Spanning Tree and Rapid Spanning Tree Protocols” on page 269, STP and RSTP are referred to as single-instance spanning trees that search for physi cal loops across all VLANs in a bridged network. When loops are detecte d , the [...]
-
Página 292
Chapter 26: Multipl e Spanning Tree Protocol 292 Section V: Spanning Tree Pro tocols Multiple Spanning Tree Instance (MSTI) The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MST Is). A MSTI can span any number of AT-9400 Switches. The switch can su pport up to 16 MSTIs at a time . To create a MSTI, you first[...]
-
Página 293
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 293 Figure 42. VLAN Fragmentatio n with STP or RSTP Blocke d Port FAULT RPS MASTER POWER CLASS 1 LASER PRODUCT STA TUS TERMINAL PORT 13579 1 1 2 4 6 8 10 12 13 15 17 19 21 23R 14 16 18 20 22 24R A T -9424T/SP Gigabit Ethernet Switch 1 3 5 7 9 11 13 15 17 19 21 23R 2 4 6 8 [...]
-
Página 294
Chapter 26: Multipl e Spanning Tree Protocol 294 Section V: Spanning Tree Pro tocols Figure 43 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP a nd the two VLANs have been assigned different spann ing tree instances. Now that they reside in different MSTIs, both links r[...]
-
Página 295
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 295 A MSTI can contain more than one VLAN. This is illustrated in Figure 44 where there are two AT-9400 Switches wit h four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains t he Sales and Presales VLANs and MSTI 2 contains the Design and Engineering V[...]
-
Página 296
Chapter 26: Multipl e Spanning Tree Protocol 296 Section V: Spanning Tree Pro tocols MSTI Guidelines The following are several guideline s to keep in mind about MSTIs: The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST . A MSTI can contain a ny number of VLANs. A VLAN can belong to only o ne MSTI at a ti[...]
-
Página 297
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 297 VLAN and MSTI Associations Part of the task to configu ring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is ca lled associations . A VLAN, either port-based or tagged, can belong to only one instance at a time, but an insta nc[...]
-
Página 298
Chapter 26: Multipl e Spanning Tree Protocol 298 Section V: Spanning Tree Pro tocols Ports in Multiple MSTIs A port can be a member of mo re than one MSTI at a time if it is a tagg ed member of one or more VLANs assign ed to different MSTI’s. I n this circumstance, a port might be have to operate in differen t spanning tree states simultaneously,[...]
-
Página 299
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 299 Multiple Spanning Tree Regions Another important concept of MSTP is re gions . A MSTP region is defin ed as a group of bridges that sha re exactly the same MSTI char acteristics. Those characteristics are: Configuration name Revision number VLANs VLAN t[...]
-
Página 300
Chapter 26: Multipl e Spanning Tree Protocol 300 Section V: Spanning Tree Pro tocols Figure 45 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revisio n level. The switches also have the same five VLANs and the VLANs are associa ted with t[...]
-
Página 301
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 301 The same is true for any ports connected to bridge s running the single- instance spanning tree ST P or RSTP. Th ose ports are also considered as part of another region. Each MSTI functions as an independ ent spanning tree within a region. Consequently, each MSTI must [...]
-
Página 302
Chapter 26: Multipl e Spanning Tree Protocol 302 Section V: Spanning Tree Pro tocols Common and Internal Spanning Tree (CIST) MSTP has a default spanning tree insta nce called the Common and Internal Spanning Tree (CIST). This insta nce has an MSTI ID of 0. This instance has unique features and funct ions that make it different from the MSTIs that [...]
-
Página 303
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 303 Summary of Guidelines Careful planning is essential for the successful implementation of MSTP. This section reviews all the rules and guidelines mentioned in earlier sections, and contains a few new ones: The AT-9400 Switch can support up to 16 sp anning tree insta[...]
-
Página 304
Chapter 26: Multipl e Spanning Tree Protocol 304 Section V: Spanning Tree Pro tocols Note The AT-S63 MSTP implementation comp lies fully with the new IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementa tion.[...]
-
Página 305
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 305 Associating VLANs to MSTIs Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN as signed to just the CIST, including the Default_VLAN. This is to pre vent the blocking of a port that should be in the forwarding state [...]
-
Página 306
Chapter 26: Multipl e Spanning Tree Protocol 306 Section V: Spanning Tree Pro tocols Figure 47. CIST and VLAN Guideline - Example 2 When port 4 on switch B receives a BPDU, the swit ch notes the port sending the packet belongs only to CIST. Therefore, switch B uses CIST in determining whether a loop exists. The result would be that the switch detec[...]
-
Página 307
AT-S63 Management Software Features Guide Section V: Spanning Tree Protocols 307 Connecting VLANs Acro ss Different Regions Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region. Unless planned proper ly, VLAN fragmentation can occu r between the VL AN[...]
-
Página 308
Chapter 26: Multipl e Spanning Tree Protocol 308 Section V: Spanning Tree Pro tocols Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that d o not span regions can be assigne d to other MSTIs. Here is an example. Assume that yo u have two regions that contain the following VLANS: Region 1 VLANs Regi[...]
-
Página 309
Section VI: Virtual LANs 309 Section VI V irtual LANs The chapters in this section d iscuss the various types of virtual LANs supported by the AT-9400 Switch. The chapters include: Chapter 27, “Port-based and T agged VLANs” on page 31 1 Chapter 28, “GARP VLAN Registration Protocol” on p age 325 Chapter 29, “Multiple VLAN Mode [...]
-
Página 310
310 Section VI: Virtual LANs[...]
-
Página 311
Section VI: Virtual LANs 311 Chapter 27 Port-based and T agged VLANs This chapter contains overview information about port-base d and tagged virtual LANs (VLANs). This chapter contains the following section s: “Supported Platforms” on p age 312 “Overview” on page 313 “Port-base d VLAN Overvi ew” on page 315 “T agged VL[...]
-
Página 312
Chapter 27: Port-based and Tagged VLANs 312 Section VI: Virtual LANs Supported Platforms Refer to Table 86 and Table 87 for the AT-9400 Switches and the management interfaces that support t he port-based and tagged VLANs. T able 86. Support for Port-based and Tagged VLANs Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-942[...]
-
Página 313
AT-S63 Management Software Features Guide Section VI: Virtual LANs 313 Overview A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an indep endent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through th[...]
-
Página 314
Chapter 27: Port-based and Tagged VLANs 314 Section VI: Virtual LANs Management Sof tware. Y ou can change the VLAN memberships through the management sof tware without moving the workst ations physically , or changing group memberships by moving cables from one switch port to another . In addition, a virtual LAN can sp an more than one swit ch. Th[...]
-
Página 315
AT-S63 Management Software Features Guide Section VI: Virtual LANs 315 Port-based VLAN Overview As explained in “Overview” on page 313, a VLAN consists of a group of ports on one or more Et hernet switches that form an independen t traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to th[...]
-
Página 316
Chapter 27: Port-based and Tagged VLANs 316 Section VI: Virtual LANs three AT-9400 Switches, you would assign the Ma rketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S6 3 Management Software to do it automatically. If you a llow the management software to do it automatically, it selects the next availab [...]
-
Página 317
AT-S63 Management Software Features Guide Section VI: Virtual LANs 317 Guidelines to Creating a Port- based VLAN Below are the guidelin es to creating a port-based VLAN. Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiples switch es, each p art of the VLAN on the dif ferent switches should be assigned the sam[...]
-
Página 318
Chapter 27: Port-based and Tagged VLANs 318 Section VI: Virtual LANs Port-based Example 1 Figure 49 illustrates an example of one AT-9424T/SP Gigabit Eth ernet Switch with three port-based VLANs. (For p urposes of the following examples, the Default_VLAN is not shown.) Figure 49. Port-based VLAN - Example 1 The table below lists t he port assignmen[...]
-
Página 319
AT-S63 Management Software Features Guide Section VI: Virtual LANs 319 In the example, each VLAN has one port connected to the router. T he router interconnects the various VL ANs and functions as a gate way t o the WAN. Port-based Example 2 Figure 50 illustrates more port-based VL ANs. In this example, two VLANs, Sales and Engineering, span two AT[...]
-
Página 320
Chapter 27: Port-based and Tagged VLANs 320 Section VI: Virtual LANs The table below lists t he port assignmen ts for the Sa les, Engineering, and Production VLANs on the switches: Sales VLAN - This VLAN sp ans both switches. It has a VID value o f 2 and consists of six untagged ports o n the top switch and five untagge d ports on the bo ttom s[...]
-
Página 321
AT-S63 Management Software Features Guide Section VI: Virtual LANs 321 Tagged VLAN Overview The second type of VLAN supported b y the AT-S63 Management Software is the tagged VLAN . VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assign[...]
-
Página 322
Chapter 27: Port-based and Tagged VLANs 322 Section VI: Virtual LANs Port VLAN Identifier Note For explanations of VLAN n ame and VLAN identifier, refer back to “VLAN Name” on page 315 and “VLAN Identifier” on page 315. Tagged and Untagged Ports You need to specify which ports will b e members of the VLAN. In the case of a tagged VLAN, [...]
-
Página 323
AT-S63 Management Software Features Guide Section VI: Virtual LANs 323 Tagged VLAN Example Figure 51 illustrates how tagged ports ca n be used to intercon nect IEEE 802.1Q-based products. Figure 51. Example of a Tagged VLAN WA N 2 3 4 5 6 79 1 9 12 1 2 3 17 15 11 13 8 10 12 14 18 20 22 24 16 2 3 4 5 6 79 1 9 12 1 2 3 17 15 11 13 8 10 12 14 18 20 22[...]
-
Página 324
Chapter 27: Port-based and Tagged VLANs 324 Section VI: Virtual LANs The port assignments for the VLANs ar e as follows: This example is nearly identical to the “Port-based Example 2” on page 319. Tagged ports have been added to simplify network implementation and management. One of the tagged ports is port 2 on the top switch. This port has be[...]
-
Página 325
Section VI: Virtual LANs 325 Chapter 28 GARP VLAN Registration Pr otocol This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections: “Supported Platforms” on p age 326 “Overview” on page 327 “Guidelines” on p age 330 “GVRP and Network Security” on p age 331 “GVRP-inact[...]
-
Página 326
Chapter 28: GARP VLAN Registrat ion Protocol 326 Section VI: Virtual LANs Supported Platforms Refer to Table 88 and Table 89 for the AT-9400 Switches and the management interfaces that support t he GARP VLAN Registration Protocol. T able 88. Support for the GARP VLAN Registration Protocol Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424[...]
-
Página 327
AT-S63 Management Software Features Guide Section VI: Virtual LANs 327 Overview The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manua lly configured in each switch. This is[...]
-
Página 328
Chapter 28: GARP VLAN Registrat ion Protocol 328 Section VI: Virtual LANs Figure 52 provides an example of how GVRP works. Figure 52. GVRP Example Switches #1 and #3 contain t he Sales VLAN, but switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLANs are unable to communicate with each other. Without GVRP, you would need[...]
-
Página 329
AT-S63 Management Software Features Guide Section VI: Virtual LANs 329 as an tagged dynamic GVRP port. If t he port is already a me mber of the VLAN, then no change is made. 5. Switch #3 sends a PDU out port 4 to switch #2. 6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to t he dynamic GVRP_VLAN_11 VLAN[...]
-
Página 330
Chapter 28: GARP VLAN Registrat ion Protocol 330 Section VI: Virtual LANs Guidelines Following are guidelines to obser ve when using this feature: GVRP is supported with STP and RSTP , or without spannin g tree. GVRP is not supported with MSTP . GVRP is supported when the switch is operating in the t agged VLAN mode, which is the VLAN mode [...]
-
Página 331
AT-S63 Management Software Features Guide Section VI: Virtual LANs 331 GVRP and Network Security GVRP should be used with caution b eca use it can expose your network to unauthorized access. A network intruder can access to rest ricted parts of the network by connecting to a swit ch port running GVRP and transmitting a bogus GVRP PDU containing VID[...]
-
Página 332
Chapter 28: GARP VLAN Registrat ion Protocol 332 Section VI: Virtual LANs GVRP-inactive Intermediate Switches If two GVRP-active devices are separat ed by a GVRP-inactive switch, the GVRP-active devices may not be able to share VL AN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs th a[...]
-
Página 333
AT-S63 Management Software Features Guide Section VI: Virtual LANs 333 Generic Attribute Registration Protocol (GARP) Overview The following is a technical overview of GARP. An understanding of GARP may prove helpful when you u se GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework where by devi[...]
-
Página 334
Chapter 28: GARP VLAN Registrat ion Protocol 334 Section VI: Virtual LANs GARP architecture is shown in Figure 53. Figure 53. GARP Architecture The GARP application component of the GARP participa nt is responsible for defining the semantics associated with the parameter values and operators received in GARP PDUs, and for generating GARP PDUs for t[...]
-
Página 335
AT-S63 Management Software Features Guide Section VI: Virtual LANs 335 Figure 54. GID Architecture GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message. An applicant that wish[...]
-
Página 336
Chapter 28: GARP VLAN Registrat ion Protocol 336 Section VI: Virtual LANs To control the applicant state machine, an applicant admin istrative control parameter is provided. This parameter dete rmines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant pa rticipating in the exchang[...]
-
Página 337
Section VI: Virtual LANs 337 Chapter 29 Multiple VLAN Modes This chapter describes the multiple VLAN mo des. This chapter contains the following sections: “Supported Platforms” on p age 338 “Overview” on page 339 “802.1Q- Compliant Multiple VLAN Mode” on p age 340 “Non-802.1Q Compliant Multiple VLAN Mode” on p age 34[...]
-
Página 338
Chapter 29: Multipl e VLAN Modes 338 Section VI: Virtual LANs Supported Platforms Refer to Table 90 and Table 91 for the AT-9400 Switches and the management interfaces that support t he multiple VLAN modes. T able 90. Support for the Mu ltiple VLAN Modes Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic L[...]
-
Página 339
AT-S63 Management Software Features Guide Section VI: Virtual LANs 339 Overview The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high deg ree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are o[...]
-
Página 340
Chapter 29: Multipl e VLAN Modes 340 Section VI: Virtual LANs 802.1Q- Compliant Multiple VLAN Mode In this mode, each port is placed into a sep arate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numb ers. For example, the VLAN for port 4 is named Client_VLAN_4 a nd is given the VID of 4, the VLAN for port 5 is name[...]
-
Página 341
AT-S63 Management Software Features Guide Section VI: Virtual LANs 341 This highly segmented confi guration is useful in situations where traffic generated by each end no de or network segment connected to a port on the switch needs to be kept separate from all other n etwork traffic, while still allowing access to an uplink to a WAN. Unicast traff[...]
-
Página 342
Chapter 29: Multipl e VLAN Modes 342 Section VI: Virtual LANs Non-802.1Q Compliant Multiple VLAN Mode Unlike the 802.1Q-compliant VL AN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms o ne VLAN with a VID of 1 that encompasses all po rts. To establish traffic iso lation, it uses port mapping. The result, h[...]
-
Página 343
Section VI: Virtual LANs 343 Chapter 30 Pr otected Ports VLANs This chapter explains protecte d ports VLANs. It contains the following sections: “Supported Platforms” on p age 344 “Overview” on page 345 “Guidelines” on p age 347[...]
-
Página 344
Chapter 30: Protected Ports VLANs 344 Section VI: Virtual LANs Supported Platforms Refer to Table 93 and Table 94 for the AT-9400 Switches and the management interfaces that support t he protected ports VLANs. T able 93. Support for Protected Ports VLANs Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic L[...]
-
Página 345
AT-S63 Management Software Features Guide Section VI: Virtual LANs 345 Overview The purpose of a protected ports VL AN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same ch aracteristics as the multiple VLAN modes described in the previous chapter , but it [...]
-
Página 346
Chapter 30: Protected Ports VLANs 346 Section VI: Virtual LANs To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-b ased or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is tha[...]
-
Página 347
AT-S63 Management Software Features Guide Section VI: Virtual LANs 347 Guidelines Following are the guidelines for im plementing p rotected ports VLANS: A protected port s VLAN should contain a minimum of two group s. A protected port s VLAN of only one group can be replaced with a p ort- based or tagged VLAN instea d. A protected port s VL[...]
-
Página 348
Chapter 30: Protected Ports VLANs 348 Section VI: Virtual LANs[...]
-
Página 349
Section VI: Virtual LANs 349 Chapter 31 MAC Addr ess-based VLANs This chapter contains overview information about MAC address-based VLANs. Sections in the chapter includ e: “Supported Platforms” on p age 350 “Overview” on page 351 “Egress Ports” on p age 352 “VLANs That S pan Switches” on p age 355 “VLAN Hierar[...]
-
Página 350
Chapter 31: MAC Address-b ased VLANs 350 Section VI: Virtual LANs Supported Platforms Refer to Table 95 and Table 96 for the AT-9400 Switches and the management interfaces that support MAC address-b ased VLANs. T able 95. Support for MAC Ad dress-based VLANs Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB A T-9424T/SP Basic Layer 3 Mode[...]
-
Página 351
AT-S63 Management Software Features Guide Section VI: Virtual LANs 351 Overview As explained in “Overview” on page 313, VLANs are a means for creating independent LAN segments within a network and are typically employed to improve network performance a nd security. The AT-S63 Management Software offers several different types of VLANs, includin[...]
-
Página 352
Chapter 31: MAC Address-b ased VLANs 352 Section VI: Virtual LANs Egress Ports Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports o n the switch for the packets from the nodes. The egress ports d efine the limits of flooding of p[...]
-
Página 353
AT-S63 Management Software Features Guide Section VI: Virtual LANs 353 The community characteristic of egress po rts relieves you from having to map each address to its corresponding egress port. You only need to be sure that all the egress ports in a MAC address-based VL AN are assigned to at least one address. It is also important to note that a [...]
-
Página 354
Chapter 31: MAC Address-b ased VLANs 354 Section VI: Virtual LANs If security is a major concern for your network, yo u might not want to assign a port as an egress port to more tha n one VLAN when pla nning your MAC address-based VLANs. When a packet whose source MAC address is part of a MAC address- based VLAN arrives on a port, the switch perfor[...]
-
Página 355
AT-S63 Management Software Features Guide Section VI: Virtual LANs 355 VLANs That Span Switches To create a MAC address-based VLAN that spa ns switches, you must replicate the MAC addresses of the VLAN nodes on all the switches where the VLAN exists. The same MAC addre ss-based VLAN on different switches must have the same list of MAC a ddresses. F[...]
-
Página 356
Chapter 31: MAC Address-b ased VLANs 356 Section VI: Virtual LANs T able 99. Example of a MAC Address-based VLAN S panning Switches Switch A Switch B VLAN Name: Sales VLAN Name: Sales MAC Address Egress Port s MAC Address Egress Port s Address_1 1,3,4,5 Address_1 1 1,12,14,16 Address_2 1 Address_2 1 1 Address_3 1 Address_3 1 1 Address_4 1 Address_4[...]
-
Página 357
AT-S63 Management Software Features Guide Section VI: Virtual LANs 357 VLAN Hierarchy The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egre ss port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN. (A port can be a member of both types of VLANs at[...]
-
Página 358
Chapter 31: MAC Address-b ased VLANs 358 Section VI: Virtual LANs Steps to Creating a MAC Address-based VLAN Here are the three main steps to creating a MAC address-based VLAN: 1. Assign the VLAN a name and a VID. You must also se t the VLAN type to MAC Based. 2. Assign the MAC addresses to the VLAN. 3. Add the egress ports to the MAC ad dresses. T[...]
-
Página 359
AT-S63 Management Software Features Guide Section VI: Virtual LANs 359 Guidelines Follow these guidelines when imp lementing a MAC address-based VLAN: MAC address-based VLANs are not supported on the A T-9408LC/SP, A T-9424T/GB and A T-9424T/SP Switches. The switch can support up to a tot al of 4094 p ort-based, tagged, protected port s, an[...]
-
Página 360
Chapter 31: MAC Address-b ased VLANs 360 Section VI: Virtual LANs Egress ports canno t be part o f a static or LACP trunk. Since this type of VLAN does not sup port tagge d packet s, it is not suitable in environment s where a ne twork device, such as a network server , needs to be shared between multiple VLANs. Ports 49 and 50 on the A[...]
-
Página 361
Section VII: Internet Proto col Routing 361 Section VII Internet Pr otocol Routing This section has the following chapters: Chapter 32, “Internet Protoco l V ersion 4 Packet Routing” on page 363 Chapter 33, “BOOTP Relay Agent” on page 397 Chapter 34, “V irtual Router Redundancy Pro tocol” on p age 403[...]
-
Página 362
362 Section VII: Internet Pro tocol Routing[...]
-
Página 363
363 Chapter 32 Internet Pr otocol V ersion 4 Packet Routing This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic Layer 3 Switc hes. The chapt er covers routing interfaces, static routes, and the Routing Information Protocol (RIP) versions 1 and 2. The sections in the ch apter include: “Supported Platfo[...]
-
Página 364
Chapter 32: Internet Protocol Version 4 Packet Routing 364 Section VII: Routing Supported Platforms Refer to Table 100 and Table 101 for the AT-9400 Switches and the management interfaces that support t he IPv4 packet routing feature . Here are a few things you need to know ab out the supported platfo rms and the management interfaces for the IP pa[...]
-
Página 365
AT-S63 Management Software Features Guide Section VII: Routin g 365 Features” on page 384 and “A T-9408LC/SP A T-9424T/GB, and A T-9424T/SP Switches” on page 388. A T-9400T s S tacks support static routes bu t not RIP . Y ou can use the menus on a stand-alon e switch to configure the routing interfaces, but not st atic routes or RIP .[...]
-
Página 366
Chapter 32: Internet Protocol Version 4 Packet Routing 366 Section VII: Routing Overview This section contains an overview of the IPv4 routing fea ture on the AT-9400 Switch. It begins with an e xplanation of the following ava ilable routing methods: Routing interfaces S tatic routes RIP version 1 and 2 A routing interface is a log ical[...]
-
Página 367
AT-S63 Management Software Features Guide Section VII: Routin g 367 At the end of this overview are two examples that illustra te the sequence of commands to implementing the f eat ures described in this chapter. You can refer there to see how the comman ds are used in practice. The sections are “Routing Command Example” on page 390 and “Non-[...]
-
Página 368
Chapter 32: Internet Protocol Version 4 Packet Routing 368 Section VII: Routing Routing Interfaces The IPv4 packet routing feature on the switch is bu ilt on the foundation of the routing interface. An interf ace functions as a logical connection to a subnet that allows the egress and ing ress of IPv4 packets to the subnet from other local and remo[...]
-
Página 369
AT-S63 Management Software Features Guide Section VII: Routin g 369 Note Routing interfaces can be config ured from eit her the command line interface or the menus interface. The following subsecti ons describe the three main componen ts of a routing interface: VLAN ID (VID) Interface number IP address and subnet mask VLAN ID (VID) An i[...]
-
Página 370
Chapter 32: Internet Protocol Version 4 Packet Routing 370 Section VII: Routing the other interfaces in the same VLAN must be assigned manually. Fo r example, if there are four interfaces and ea ch of their respective subnets resided in a separate VLAN, then each in terface can obtain it s IP address and subnet mask from a DHCP or BOOTP server. How[...]
-
Página 371
AT-S63 Management Software Features Guide Section VII: Routin g 371 Interface Names Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an inte rface number, separated by a dash. The VLAN is de signated by “vlan” followed by the VLAN identification number (VID) or the VLAN na me. He[...]
-
Página 372
Chapter 32: Internet Protocol Version 4 Packet Routing 372 Section VII: Routing Static Routes In order for the switch to route an IPv4 p acket to a remote network or subnet, there must be a route to the destination in the routing table of the switch. The route must consist of the IP addre ss of the remote de stinatio n and the IP address of the nex[...]
-
Página 373
AT-S63 Management Software Features Guide Section VII: Routin g 373 The commands for managin g static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE.[...]
-
Página 374
Chapter 32: Internet Protocol Version 4 Packet Routing 374 Section VII: Routing Routing Information Protocol (RIP) A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its n eighboring routers in the ne twork with the Routing Information Pr otocol (RIP) versions 1 and 2. RIP is a fairly si[...]
-
Página 375
AT-S63 Management Software Features Guide Section VII: Routin g 375 Note A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does no t support encrypted RIP password s. The switch transmits its routin g tabl e every thirty seconds from those interfaces that have RIP. This in terval is not adjustable on the switch. The enti[...]
-
Página 376
Chapter 32: Internet Protocol Version 4 Packet Routing 376 Section VII: Routing Default Routes A default route is a “match all” d esti nation entry in the routing table. The switch uses it to route packets whose remote destinations a re not in the routing table. Rather than discard th e packet s, the switch sends them to the next hop specified [...]
-
Página 377
AT-S63 Management Software Features Guide Section VII: Routin g 377 Equal-cost Multi-pa th (ECMP) Routing When there are multiple routes in the routing tab le to the same remote destinations, ECMP enables the switch to u se the different routes to forward traffic. This can improve network performa nce by increasing the available bandwidth for the t[...]
-
Página 378
Chapter 32: Internet Protocol Version 4 Packet Routing 378 Section VII: Routing ECMP also applies to default routes. Th is enables the switch to store up to 32 default routes with up to eight of the rou tes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s abi[...]
-
Página 379
AT-S63 Management Software Features Guide Section VII: Routin g 379 Routing Table The switch maintains its routing informat ion in a table of routes that tells the switch how to find a local or remot e destination. Each route is uniquely identified in the table by its I P address, network mask, next hop, protocol, and routing interface. When the sw[...]
-
Página 380
Chapter 32: Internet Protocol Version 4 Packet Routing 380 Section VII: Routing Route Selection Process Here is the route selection process the switch goes throug h when routing packets to a destination: If there is only one route to a destination, forward the p ackets using the route. If there is more than one route to a destination, selec[...]
-
Página 381
AT-S63 Management Software Features Guide Section VII: Routin g 381 Address Resolution Protocol (ARP) Table The switch maintains an ARP table of IP addresses and the ma tching Ethernet MAC addresses. It refers to the tab le when routing packets to determine the destination MAC addres ses of the nodes, as well as interfaces and ports from where the [...]
-
Página 382
Chapter 32: Internet Protocol Version 4 Packet Routing 382 Section VII: Routing Internet Control Message Protocol (ICMP) ICMP allows routers to send error and control messa ges to other routers or hosts. It provides the comm unication between IP software on one system and IP software on another. The switch impleme nts the ICMP functions listed in T[...]
-
Página 383
AT-S63 Management Software Features Guide Section VII: Routin g 383 T ime to Live Excee ded (1 1) If the TTL field in a p acket falls to zero the switch wil l send a “T ime to live exceeded” packet. This could occur if a route was excessively long or if too many hop s were in the path. T able 102. ICMP Messages Implemented on the A T-9400 Switc[...]
-
Página 384
Chapter 32: Internet Protocol Version 4 Packet Routing 384 Section VII: Routing Routing Interfaces and Management Features Routing interfaces are primary intende d for the IPv4 packet routing feature. There are, however, a number of management functions that rely on the presence of at least one routing inte rface on the switch to operate properly. [...]
-
Página 385
AT-S63 Management Software Features Guide Section VII: Routin g 385 As an example, assume you decided not to implement t he IPv4 routing feature on a switch that had four local su bnets, but you wanted the switch to send its events to a syslog se rver and have access to a RADIUS authentication server. Assume also that you wan ted t o use a TFTP ser[...]
-
Página 386
Chapter 32: Internet Protocol Version 4 Packet Routing 386 Section VII: Routing Pinging a Remote Device This function is used to valid ate the existence of an active path between the switch and another network node. T he switch can ping a device if it has a routing interface on the local subn et from where the device is reached. In previous version[...]
-
Página 387
AT-S63 Management Software Features Guide Section VII: Routin g 387 Local Interface The local interface is used with the enhanced stacking feature . It is also used with remote management of a switch with a Telnet or SSH client, or a web browser. The local interface d oes the following: With an enhanced stack, it designates on the master switch[...]
-
Página 388
Chapter 32: Internet Protocol Version 4 Packet Routing 388 Section VII: Routing AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches d o not support the IPv4 packet routing fe ature. T hey do, however, support a limited version of some of the fe atures. Local Interface You can create one routing[...]
-
Página 389
AT-S63 Management Software Features Guide Section VII: Routin g 389 Note The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with ano ther network node. Default Gateway The def[...]
-
Página 390
Chapter 32: Internet Protocol Version 4 Packet Routing 390 Section VII: Routing Routing Command Example This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands to implementing the feature. To make the example easier to explain, some of the co mmand options are not mentioned and the default valu es are u[...]
-
Página 391
AT-S63 Management Software Features Guide Section VII: Routin g 391 Creating the VLANs The first step is to create the VLANs for the lo cal subnets on the switch. The VLANs must be created be fore the routing interfaces. The following command creates a VLAN for the Sales department with a VID of 4 a nd the appropriate ports: create vlan =Sales vi d[...]
-
Página 392
Chapter 32: Internet Protocol Version 4 Packet Routing 392 Section VII: Routing command. Adding a Static Route and Default Route Building on our example, assume you d ecided to manually enter a route to a remote subnet as a static route. The command for creating a stat ic route is ADD IP ROUTE. Here is the basic information for defining a static ro[...]
-
Página 393
AT-S63 Management Software Features Guide Section VII: Routin g 393 Adding RIP Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its rou ting neighbors usin g RIP. To implement RIP, you add it to the routing interfaces where rout[...]
-
Página 394
Chapter 32: Internet Protocol Version 4 Packet Routing 394 Section VII: Routing Non-routing Command Example This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in ca ses where you want to implement the managem en t functions described in “Routing Interfaces and Management Fe[...]
-
Página 395
AT-S63 Management Software Features Guide Section VII: Routin g 395 The following command creates a defau lt route for the example and specifies the next hop as 149.44.55.6: add ip rout e=0.0.0.0 nexthop=14 9.44.55.6[...]
-
Página 396
Chapter 32: Internet Protocol Version 4 Packet Routing 396 Section VII: Routing Upgrading from AT-S63 Version 1.3.0 or Earlier When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the manag ement software, the switch automatically creates a routing interface that preserves the previous IP configuratio[...]
-
Página 397
397 Chapter 33 BOOTP Relay Agent This chapter has the following sections: “Supported Platforms” on p age 398 “Overview” on page 399 “Guidelines” on p age 401[...]
-
Página 398
Chapter 33: BOOTP Relay Age nt 398 Section VII: Routing Supported Platforms Refer to Table 104 and Table 105 for the AT-9400 Switches and the management interfaces that support t he BOOTP relay agent. T able 104. Support for the BOOTP Relay Agent Switch Supported Layer 2+ Models A T-9408LC/SP A T-9424T/GB A T-9424T/SP Basic Layer 3 Models A T-9424T[...]
-
Página 399
AT-S63 Management Software Features Guide Section VII: Routin g 399 Overview The AT-S63 Management Software comes with a BOOTP relay age nt for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP reques t to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet beca[...]
-
Página 400
Chapter 33: BOOTP Relay Age nt 400 Section VII: Routing A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to det ermine whether the client, in its original request to the server, set this flag to signal that the re sponse must be sent as a broadcast datagram. Some olde r nodes have this de[...]
-
Página 401
AT-S63 Management Software Features Guide Section VII: Routin g 401 Guidelines These guidelines apply to the BOOTP relay agent: A routing interface functions as th e BOOTP relay agent for the local clients in it s subnet. Y ou can specify up to eight DHCP or BOOTP servers. The TTL for BOOTP request relay p ackets is preset on the A T -9[...]
-
Página 402
Chapter 33: BOOTP Relay Age nt 402 Section VII: Routing[...]
-
Página 403
403 Chapter 34 V irtual Router Redundancy Pr otocol The chapter has the following sections: “Supported Platforms” on p age 404 “Overview” on page 405 “Master Switch” on page 406 “Backup Switches” on pag e 407 “Interface Monitoring” on p age 408 “Port Monitoring” on page 409 “VRRP on the Switch?[...]
-
Página 404
Chapter 34: Virtual Rout er Redundancy Protocol 404 Section VII: Routing Supported Platforms Refer to Table 106 and Table 107 for the AT-9400 Switches and the management interfaces that support t he Virtual Router Redundancy Protocol. T able 106. Support for the Virtual Rou ter Redundancy Protocol Switch Supported Layer 2+ Models A T-9408LC/SP A T-[...]
-
Página 405
AT-S63 Management Software Features Guide Section VII: Routin g 405 Overview This chapter describes the Virtual Router Redundan cy Protocol (VRRP) of the AT-9400 Basic Layer 3 Switches. One of the functions that switche s provide to the hosts of a LAN is to act as gateways. The local hosts use the gateways to communica te with the hosts on the WAN.[...]
-
Página 406
Chapter 34: Virtual Rout er Redundancy Protocol 406 Section VII: Routing Master Switch The virtual router has a virtual MAC address known by all th e switches that participate in the virtual rout er. The virtual MAC add ress is derived from the virtual router identifier, which is a user-defined value from 1 to 255. All the hosts on the LAN are conf[...]
-
Página 407
AT-S63 Management Software Features Guide Section VII: Routin g 407 Backup Switches All the other switches participating in the virtua l router are designated as backup switches. A switch can be part of several diffe rent virtual routers on one LAN, provided that all the virtual routers have different virtual router identifiers. When a switch funct[...]
-
Página 408
Chapter 34: Virtual Rout er Redundancy Protocol 408 Section VII: Routing Interface Monitoring The virtual router can monitor certain inte rfaces to change the priority o f switches if the master switch loses its connection to th e outside world. This is known as interface monitoring . Interface monitoring reduces the priority of the switch when an [...]
-
Página 409
AT-S63 Management Software Features Guide Section VII: Routin g 409 Port Monitoring Port monitoring is the process of detecting the failure of ports that are part of a VLAN that a virtual rou ter is running over. If a port fails or is disab led, the VRRP priority is reduced by the st epvalue or by an amount that reflects the proportion of the VLAN?[...]
-
Página 410
Chapter 34: Virtual Rout er Redundancy Protocol 410 Section VII: Routing VRRP on the Switch VRRP is disabled by default. When a virtual router is crea ted on the switch, it is enabled by default, but the VRRP mo dule must be enabled before it is operational. The VRRP modul e or a specific virtual router can be enabled or disabled afterwards by usin[...]
-
Página 411
AT-S63 Management Software Features Guide Section VII: Routin g 411 prevents a switch from inadvertently backing up another switch. The authentication type and, in the case of pla intext authentication, the password, must be the same for all switches in the virtual router. By default, the virtual router has no authent ication. Auth entication is se[...]
-
Página 412
Chapter 34: Virtual Rout er Redundancy Protocol 412 Section VII: Routing[...]
-
Página 413
Section VIII: Port Secu rity 413 Section VIII Port Security The chapters in this section contai n overview information on the port security features of the AT-9400 Switch. The chapter s include: Chapter 35, “MAC Address-based Port Security” on page 415 Chapter 36, “802.1x Port-based Network Access Control” on p age 421[...]
-
Página 414
414 Section VIII: Port Security[...]
-
Página 415
Section VIII: Port Secu rity 415 Chapter 35 MAC Addr ess-based Port Security The sections in this chapter include: “Supported Platforms” on p age 416 “Overview” on page 417 “Invalid Frames and Intrusion Actions” on p age 419 “Guidelines” on p age 420[...]
-
Página 416
Chapter 35: MAC Address-b ased Port Security 416 Section VIII: Port Security Supported Platforms Refer to Table 108 and Table 109 for the AT-9400 Switches and the management interfaces that support MAC address-b ased port security. Note This port security feature is not supported on GBIC, SFP, or XFP modules. T able 108. Support for MAC Address-bas[...]
-
Página 417
AT-S63 Management Software Features Guide Section VIII: Port Security 417 Overview You can use this feature to enha nce the security of your network by controlling which end nodes can forwar d frames through the switch, and so prevent unauthorized individuals from accessing your network. It uses a frame’s source MAC address to dete rmine whether [...]
-
Página 418
Chapter 35: MAC Address-b ased Port Security 418 Section VIII: Port Security Secured This security level uses only static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to fo rward frames through a port. Dynamic MAC addresses already le arned on a p[...]
-
Página 419
AT-S63 Management Software Features Guide Section VIII: Port Security 419 Invalid Frames and Intrusion Actions When a port receives an invalid frame, it has to select an in trusion action , which defines the port’s response to the packet. But before defining the intrusion actions, it helps to understand wh at constitutes an invalid frame. This di[...]
-
Página 420
Chapter 35: MAC Address-b ased Port Security 420 Section VIII: Port Security Guidelines The following guidelines apply to MAC address-based port security: The filtering of a packet occurs on th e ingress port, not on the egress port. Y ou cannot use MAC address port security and 802.1x port-based access control on the same port. T o configu[...]
-
Página 421
Section VIII: Port Secu rity 421 Chapter 36 802.1x Port-based Network Access Contr ol The sections in this chapter a re: “Supported Platforms” on p age 422 “Overview” on page 423 “Authentication Process” on p age 425 “Port Roles” on page 426 “Authenticator Ports with Single and Multip le Supplicant s” on page[...]
-
Página 422
Chapter 36: 802.1x Port-based Network Access Con trol 422 Section VIII: Port Security Supported Platforms Refer to Table 110 and Table 111 for the AT-9400 Switches and the management interfaces that support 8 02.1x port-based network access control. T able 1 10. Support for 802.1x Port-based Network Access Control Switch Supported Layer 2+ Models A[...]
-
Página 423
AT-S63 Management Software Features Guide Section VIII: Port Security 423 Overview The AT-S63 Management Software has several different metho ds for protecting your network and its reso urces from unauthorized access. For instance, Chapter 35, “MAC Address-b ased Port Security” on page 415, explains how you can restrict network access using the[...]
-
Página 424
Chapter 36: 802.1x Port-based Network Access Con trol 424 Section VIII: Port Security Authentication server - The authentication server is the network device that has the RADIUS server sof tware. This is the device that d oes the actual authenticating of the supplicant s. The AT-9400 Switch does not authenticate any of the su pplicants connecte[...]
-
Página 425
AT-S63 Management Software Features Guide Section VIII: Port Security 425 Authentication Process Below is a brief overvie w of the authenticat ion process that occurs between a supplicant, authenticator, and authentication server. For furth er details, refer to the IEEE 802.1x sta ndard. Either the authenticator (th at is, a switch port) or the[...]
-
Página 426
Chapter 36: 802.1x Port-based Network Access Con trol 426 Section VIII: Port Security Port Roles Part of the task of implementing this feat ure is specifying the roles of the ports on the switch. A port can have one o f three roles: None Authenticator Supplicant None Role A switch port in the None role does not participate in port-ba se[...]
-
Página 427
AT-S63 Management Software Features Guide Section VIII: Port Security 427 Assigning unique username and password combinations to your network users and requiring the users to provide the information when they initially send traf fic through the switch can enhance network security by limiting network access to only those su pplicants who h ave been [...]
-
Página 428
Chapter 36: 802.1x Port-based Network Access Con trol 428 Section VIII: Port Security Note A supplicant connected to an authenticat or port set to force- authorized must have 802.1x client software if the port’s authenticator mode is 802.1x. Though the fo rce-authorized setting prevents an authentication exchan ge, the supplicant must still have [...]
-
Página 429
AT-S63 Management Software Features Guide Section VIII: Port Security 429 Authenticator Ports with Single and Multiple Supplicants An authenticator port has two operating modes. The modes relate to t he number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all [...]
-
Página 430
Chapter 36: 802.1x Port-based Network Access Con trol 430 Section VIII: Port Security Figure 57. Authenticator Port in Single Operating Mode with a Single Client The example in Figure 58 on page 431 illustrates a configu ration that uses the piggy-back mode. Multiple clients are connected to an authenticato r port on the switch through an Ethernet [...]
-
Página 431
AT-S63 Management Software Features Guide Section VIII: Port Security 431 Figure 58. Single Operating Mode with Multiple Clients Using the Piggy- back Feature - Example 1 Because the piggy-back mode is activated on the authenticat or port, only one client needs to be authenticated in orde r for all the clients to forward traffic through the port. I[...]
-
Página 432
Chapter 36: 802.1x Port-based Network Access Con trol 432 Section VIII: Port Security If the clients are connected to an 80 2.1x-compliant device, such a s another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauth entications are pe[...]
-
Página 433
AT-S63 Management Software Features Guide Section VIII: Port Security 433 Figure 60. Single Operating Mode with Multiple Clients Using the Piggy- back Feature - Example 3 Multiple Operating Mode The second type of operating mode for an authenticator port is the Multiple mode. You use this mode when a port is supporting more tha n one client and you[...]
-
Página 434
Chapter 36: 802.1x Port-based Network Access Con trol 434 Section VIII: Port Security An example of this authenticator operating mode is illustra ted in Figure 61. The clients are connected to a hub o r non-802.1x-compliant switch wh ich is connected to an authen ticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x aut[...]
-
Página 435
AT-S63 Management Software Features Guide Section VIII: Port Security 435 none, port 6 on switch A will discard the packe ts because switch B wo uld not be logged on to the port. Also notice that the ports where the clients are connected on switch B are set to the none role. This is because a client can log on only once. If, in this example, you we[...]
-
Página 436
Chapter 36: 802.1x Port-based Network Access Con trol 436 Section VIII: Port Security Supplicant and VLAN Associations One of the challenges to man aging a network is accommod ating end users that roam. These are individual s whose work requires that they access the network resources from differe nt points at different times. The difficulty arises [...]
-
Página 437
AT-S63 Management Software Features Guide Section VIII: Port Security 437 Single Operating Mode Here are the operating characteristics for the switch when an authen ticator port is set to the Single operating mode: If the switch receives a valid VLAN ID or VLAN name from the RADIUS server , it moves the authenticator port to the designated VLAN[...]
-
Página 438
Chapter 36: 802.1x Port-based Network Access Con trol 438 Section VIII: Port Security Guest VLAN An authenticator port in the una uthorized state typically accepts and transmits only 802.1x packets while waiting to a uthenticate a supplicant. However, you can configure an authent icator port to be a member of a Guest VLAN when no supplicant is logg[...]
-
Página 439
AT-S63 Management Software Features Guide Section VIII: Port Security 439 RADIUS Accounting The AT-S63 Management Software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information about the status of the supplican ts to the RADIUS server so that you can monitor network activity and use. The switch se[...]
-
Página 440
Chapter 36: 802.1x Port-based Network Access Con trol 440 Section VIII: Port Security General Steps Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS a ccounting on the switch: 1. You must install a RADIUS se rver on one or more of your network servers or management stations. Authentication pro tocol ser[...]
-
Página 441
AT-S63 Management Software Features Guide Section VIII: Port Security 441 Guidelines The following are general guide lines to using this fea ture: Ports operating und er port-based access control do not support dynamic MAC address learning. The appropriate port role for a port o n the AT-9400 Switch connected to a RADIUS authentication serv[...]
-
Página 442
Chapter 36: 802.1x Port-based Network Access Con trol 442 Section VIII: Port Security An authenticator port cannot be part of a static port t runk, LACP port trunk, or port mirror . If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, af ter a timeout perio[...]
-
Página 443
AT-S63 Management Software Features Guide Section VIII: Port Security 443 Here are guidelines for adding VLAN assignments to su pplicant accounts on a RADIUS server: The VLAN can be either port-base d or tagge d. The VLAN must already exist on the switch. A client can have only one VLAN associated wit h it on the RADIUS server . Whe[...]
-
Página 444
Chapter 36: 802.1x Port-based Network Access Con trol 444 Section VIII: Port Security[...]
-
Página 445
Section IX: Manageme nt Security 445 Section IX Management Security The chapters in this section descr ibe the management secu rity features of the AT-9400 Switch. The chapters includ e: Chapter 37, “W eb Server” on pa ge 447 Chapter 38, “Encryption Ke ys” on p age 453 Chapter 39, “PKI Certificates and SSL” on p age 463 [...]
-
Página 446
446 Section IX: Management Security[...]
-
Página 447
Section IX: Manageme nt Security 447 Chapter 37 W eb Server The sections in this chapter a re: “Supported Platforms” on p age 448 “Overview” on page 449 “Configuring the W eb Server for HTTP” on p age 450 “Configuring the W eb Server for HTTPS” on page 451[...]
-
Página 448
Chapter 37: Web Server 448 Section IX: Management Security Supported Platforms Refer to Table 112 and Table 113 for the AT-9400 Switches and the management interfaces that support t he web server. T able 1 12. Support for the Web Server Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Models A T-[...]
-
Página 449
AT-S63 Management Software Features Guide Section IX: Management Securi ty 449 Overview The AT-S63 Management Software has a web server and a specia l web browser interface that allow you to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interface, refer [...]
-
Página 450
Chapter 37: Web Server 450 Section IX: Management Security Configuring the Web Server for HTTP The following steps configure the w eb serve r for non-secure HTTP operation. The steps re ference only the comma nd line commands, but the web server can be configure d from the menus interface, too. 1. Disable the web server with the DISABLE HTTP SERVER[...]
-
Página 451
AT-S63 Management Software Features Guide Section IX: Management Securi ty 451 Configuring the Web Server for HTTPS The following sections outline the steps for configuring t he web server on the switch for HTTPS operation with a self-signed or CA certificate. Th e steps reference only the command line command s, but the web server can be configure[...]
-
Página 452
Chapter 37: Web Server 452 Section IX: Management Security 6. After receiving the certificates from the CA, down load them into the switch’s file syste m using t he LOAD METHOD=TFTP or LOAD METHOD=XMODEM command. 7. Add the certificates to the certificate data base with the ADD PKI CERTIFICATE command. 8. Disable the web server with the DISABLE H[...]
-
Página 453
Section IX: Manageme nt Security 453 Chapter 38 Encryption Keys The sections in this chapter a re: “Supported Platforms” on p age 454 “Overview” on page 455 “Encryption Key Length” on pag e 456 “Encryption Key Guidelines” on page 457 “T echnical Overview” on p age 458 For an overview of the procedures to conf[...]
-
Página 454
Chapter 38: Encrypti on Keys 454 Section IX: Management Security Supported Platforms Refer to Table 114 and Table 115 for the AT-9400 Switches and the management interfaces that support e ncryption keys. T able 1 14. Support for Encryption Keys Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer 3 Mod[...]
-
Página 455
AT-S63 Management Software Features Guide Section IX: Management Securi ty 455 Overview Protecting your managed switches from u nauthorized management access is an important role for a netwo rk manager. Network operations and security can be severely compromised if an in truder gains access to critical switch information, such as a manager’s lo g[...]
-
Página 456
Chapter 38: Encrypti on Keys 456 Section IX: Management Security Encryption Key Length When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 2 56 bits. The longer the key, the more difficult it is for someone to decipher. If you are particularly concerned about the safety [...]
-
Página 457
AT-S63 Management Software Features Guide Section IX: Management Securi ty 457 Encryption Key Guidelines Observe the following guidelines when creating an encryption key pair: Web browser encrypt ion requires only one ke y pair . SSH encryption requires two key p airs. The keys must be of dif ferent lengths of at least one increment (256 bi[...]
-
Página 458
Chapter 38: Encrypti on Keys 458 Section IX: Management Security Technical Overview The encryption feature provides the follo wing data security services: Data encryptio n Data authen tica tion Key exchange algorithms Key creation and stora ge Data Encryption Data encryption for switches is driven by the need for organ izations to k[...]
-
Página 459
AT-S63 Management Software Features Guide Section IX: Management Securi ty 459 algorithm and key . For a given input block of plaintext ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but in clu des a feedback step which chains [...]
-
Página 460
Chapter 38: Encrypti on Keys 460 Section IX: Management Security secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key e ncryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station g enerate[...]
-
Página 461
AT-S63 Management Software Features Guide Section IX: Management Securi ty 461 It is very hard to find another messag e and key which give the same hash The two most commonly used one-way hash a lgorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-[...]
-
Página 462
Chapter 38: Encrypti on Keys 462 Section IX: Management Security A Diffie-Hellman algorithm requires more processing overhead than RSA- based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses publish ed and well t ested public key values. The security of the Diffie-Hellman algorith m depends on these v[...]
-
Página 463
Section IX: Manageme nt Security 463 Chapter 39 PKI Certificates and SSL The sections in this chapter a re: “Supported Platforms” on p age 464 “Overview” on page 465 “T ypes of Certificates” on page 465 “Distinguished Names” on p age 467 “SSL and Enhanced S tacking” on p age 469 “Guidelines” on p age [...]
-
Página 464
Chapter 39: PKI Certificat es and SSL 464 Section IX: Management Security Supported Platforms Refer to Table 116 and Table 117 for the AT-9400 Switches and the management interfaces that support t he PKI certificates and SSL. T able 1 16. Support for PKI Certificates and SSL Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-[...]
-
Página 465
AT-S63 Management Software Features Guide Section IX: Management Securi ty 465 Overview This chapter describes the second part of the encryption feature of the AT-S63 Management Software—PKI certificates. The first part is explained in Chapter 38, “Encryption Ke ys” on page 453. Encryption keys and certificates allow you to encry pt the commu[...]
-
Página 466
Chapter 39: PKI Certificat es and SSL 466 Section IX: Management Security network equipment. With private CAs, companies can keep tra ck of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want the group to issue the certificate for the AT-9400 Switch so that y[...]
-
Página 467
AT-S63 Management Software Features Guide Section IX: Management Securi ty 467 Distinguished Names Part of the task to creating a self-signed certificate or enrollment request is selecting a distinguished name . A distingu ished name is integrated into a certificate along with the key an d can have up to five parts. The parts are: cn - common n[...]
-
Página 468
Chapter 39: PKI Certificat es and SSL 468 Section IX: Management Security If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the swit ch’s name instead of the IP address as the distinguished name. For those switches that do not ha ve an IP address, such as slave switches of an enhanced st[...]
-
Página 469
AT-S63 Management Software Features Guide Section IX: Management Securi ty 469 SSL and Enhanced Stacking Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the sta ck are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in[...]
-
Página 470
Chapter 39: PKI Certificat es and SSL 470 Section IX: Management Security Guidelines The guidelines for creating certificates are: A certificate can have only one key . A switch can use only those certificates th at contain a key that was generated on the switch. Y ou can create multip le certificates on a switch, but the device uses th[...]
-
Página 471
AT-S63 Management Software Features Guide Section IX: Management Securi ty 471 Technical Overview This section describes the Secure Sockets Layer (SSL) feature , a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher la yer prot ocols including HTTP, File Transfer Protocol[...]
-
Página 472
Chapter 39: PKI Certificat es and SSL 472 Section IX: Management Security SSL uses asymmetrical (Public Key) encryption to establish a conne ction between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification An SSL connect ion has two phases: ha ndshake and data transfer . The handshake initiates[...]
-
Página 473
AT-S63 Management Software Features Guide Section IX: Management Securi ty 473 To verify the authenticity of a server, the serve r has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authorit y (CA) issues ce rtificates after [...]
-
Página 474
Chapter 39: PKI Certificat es and SSL 474 Section IX: Management Security this, and other attacks, PKI provides a me ans for secure transfe r of public keys by linking an identity and that ide ntity’s public key in a secure certificate. Caution Although a certificate binds a public key to a subject to ensure the public key’s security, it does n[...]
-
Página 475
AT-S63 Management Software Features Guide Section IX: Management Securi ty 475 Elements of a Public Key Infrastructure A public key infrastructure is a set of applicatio ns which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements: At least one certification authority (CA), which [...]
-
Página 476
Chapter 39: PKI Certificat es and SSL 476 Section IX: Management Security Certificate Validation To validate a certificate, the end en tity verifies the signature in the certificate, using the public key of the CA who issued the certificate. CA Hierarchies and Certificate Chains It may not be practical for every individu al certificate in an organi[...]
-
Página 477
AT-S63 Management Software Features Guide Section IX: Management Securi ty 477 PKI Implementation The following sections discuss the implementation of PKI on the AT-9400 Switch. The following topics are covered: PKI S tandards Certificate Retrieval and S torage Certificate V alidation Root CA Certificates PKI Standards The following[...]
-
Página 478
Chapter 39: PKI Certificat es and SSL 478 Section IX: Management Security[...]
-
Página 479
Section IX: Manageme nt Security 479 Chapter 40 Secur e Shell (SSH) The sections in this chapter a re: “Supported Platforms” on p age 480 “Overview” on page 481 “Support for SSH” on pag e 482 “SSH Server” on page 483 “SSH Clients” on p age 484 “SSH and Enhanced S tacking” on pa ge 485 “SSH Confi[...]
-
Página 480
Chapter 40: Secure She ll (SSH) 480 Section IX: Management Security Supported Platforms Refer to Table 118 and Table 119 for the AT-9400 Switches and the management interfaces that support t he Secure Shell protocol. T able 1 18. Support for the Secure Shell Protocol Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP[...]
-
Página 481
AT-S63 Management Software Features Guide Section IX: Management Securi ty 481 Overview Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requ irement for security are two universal requireme nts. Switches are oft en remotely managed using remote sessions via the Telnet [...]
-
Página 482
Chapter 40: Secure She ll (SSH) 482 Section IX: Management Security Support for SSH The AT-S63 implementation of the SSH protocol is complia nt with the SSH protocol versions 1 .3, 1.5, and 2.0. In addition, the following SSH opt ions and features are supported: Inbound SSH connections (server mo de) is supported. The following security alg[...]
-
Página 483
AT-S63 Management Software Features Guide Section IX: Management Securi ty 483 SSH Server When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is di sabled, connect ions from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as th e SSH default[...]
-
Página 484
Chapter 40: Secure She ll (SSH) 484 Section IX: Management Security SSH Clients The SSH protocol provides a secure connection be tween the switch and SSH clients. After you have configured th e SSH server, you need to install SSH client software on your manageme nt workstations. The AT-S63 Management Software supports both SSH1 and SSH2 clients. Yo[...]
-
Página 485
AT-S63 Management Software Features Guide Section IX: Management Securi ty 485 SSH and Enhanced Stacking The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with sla ve switches, as explained in this section. When you remotely manage a sla ve swit[...]
-
Página 486
Chapter 40: Secure She ll (SSH) 486 Section IX: Management Security Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the ma ster switch of a stack. Activating SSH on a slave switch has no affect.[...]
-
Página 487
AT-S63 Management Software Features Guide Section IX: Management Securi ty 487 SSH Configuration Guidelines Here are the guidelines to configuring SSH: SSH requires two encryption key p airs. One key pair functions as the host key and the other as the server key . The two encryption key pairs must be of dif ferent lengths of at least one in[...]
-
Página 488
Chapter 40: Secure She ll (SSH) 488 Section IX: Management Security General Steps to Configuring SSH Configuring the SSH server involves the fo llowing procedures: 1. Create two encryption key pairs on the switch . One pair will function as the host key and the other the se rver key. 2. Configure and activate the Secure Shell serve r on the switch [...]
-
Página 489
Section IX: Manageme nt Security 489 Chapter 41 T ACACS+ and RADIUS Pr otocols This chapter describes the two aut h entication protocols TACACS+ and RADIUS. Sections in the chapter in clude: “Supported Platforms” on p age 490 “Overview” on page 491 “Guidelines” on p age 493[...]
-
Página 490
Chapter 41: TACACS+ and RADIUS Prot ocols 490 Section IX: Management Security Supported Platforms Refer to Table 120 and Table 121 for the AT-9400 Switches and the management interfaces that support t he TACACS+ and RADIUS protocols. T able 120. Support for the TACACS+ and RADIUS Protocols Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-942[...]
-
Página 491
AT-S63 Management Software Features Guide Section IX: Management Securi ty 491 Overview TACACS+ and RADIUS are authentication protocols that can e nhance the manageability of your network. In general terms, the se authentication protocols transfer the ta sk of auth enticating network access from a network device to an auth entication protocol serve[...]
-
Página 492
Chapter 41: TACACS+ and RADIUS Prot ocols 492 Section IX: Management Security When a network manager logs in to a swit ch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid. This is referred to as au thenticat[...]
-
Página 493
AT-S63 Management Software Features Guide Section IX: Management Securi ty 493 Guidelines Here are the main steps to using the TACACS+ or RADIUS client on the switch. 1. Install a TACACS+ or RADIUS server on one or more of your network servers or management stations. Authentica tion protocol server software is not available from Allied Telesis. 2. [...]
-
Página 494
Chapter 41: TACACS+ and RADIUS Prot ocols 494 Section IX: Management Security maximum length for a password is 16 alphanumeric characters and spaces. – To create an account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode, enter the MAC address of the node used by the supplicant as both its user[...]
-
Página 495
AT-S63 Management Software Features Guide Section IX: Management Securi ty 495 Note If no authentication server re sponds or if no servers h ave been defined, the AT-S63 Management So ftware defaults to the stand ard manager and operator accounts. Note For more information on TACACS+, refer to the RFC 1492 standard. For more information on RADIUS, [...]
-
Página 496
Chapter 41: TACACS+ and RADIUS Prot ocols 496 Section IX: Management Security[...]
-
Página 497
Section IX: Manageme nt Security 497 Chapter 42 Management Access Contr ol List This chapter explains how to restri ct Telnet and web browser managemen t access to the switch with the ma n agement access control list (ACL). Sections in this chapter include: “Supported Platforms” on p age 498 “Overview” on page 499 “Parts of a [...]
-
Página 498
Chapter 42: Manage ment Access Control Li st 498 Section IX: Management Security Supported Platforms Refer to Table 122 and Table 123 for the AT-9400 Switches and the management interfaces that support t he management access control list . T able 122. Support for the Management Access Control List Switch Supported Layer 2+ Models A T-9408LC/SP Y es[...]
-
Página 499
AT-S63 Management Software Features Guide Section IX: Management Securi ty 499 Overview This chapter explains how t o restrict remote man agement access to a switch by creating a management ac cess control list (management ACL). This feature controls which management sta tions can remotely manage the device using the Telnet applicat ion protocol or[...]
-
Página 500
Chapter 42: Manage ment Access Control Li st 500 Section IX: Management Security Parts of a Management ACE An ACE has the following three p arts: IP address Subnet mask Application IP Address You can specify the IP address of a specific management station or a subnet. Mask The mask indicates the parts of the IP add ress the switch shoul[...]
-
Página 501
AT-S63 Management Software Features Guide Section IX: Management Securi ty 501 Guidelines Below are guidelines for the management ACL: The default setting for this feature is disab led. A switch can have only one management ACL. A management ACL can have up to 256 ACEs. An ACE must have an IP address and mask. All management ACE[...]
-
Página 502
Chapter 42: Manage ment Access Control Li st 502 Section IX: Management Security Examples Following are several examples of ACEs. This ACE allows the management sta tion with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device: IP Address: 149.11.11 .11 Mask[...]
-
Página 503
AT-S63 Management Software Features Guide Section IX: Management Securi ty 503 The two ACEs in this management ACL permit remote management from the management station with the IP addr ess 149.11.11.11 and all management stations in the subnet 14 9.22.22.0: ACE #1 IP Address: 149.11.11.11 Mask: 255.255.255.255 Application Type: All ACE #2 IP Addres[...]
-
Página 504
Chapter 42: Manage ment Access Control Li st 504 Section IX: Management Security[...]
-
Página 505
505 Appendix A A T-S63 Management Softwar e Default Settings This appendix lists the factory default settings for the AT-S63 Management Software. The features are listed in alph abetical order: “Address Resolution Pr otocol Cache” on p age 507 “Boot Configuration File” on page 508 “BOOTP Relay Agent” on p age 509 “Clas[...]
-
Página 506
Appendix A: AT-S63 Manage ment Software Default Settings 506 “System Name, Administrator , and Comments Settings” on p age 537 “T elnet Server” on page 538 “Virtual Route r Redundancy Protocol” on p age 539 “VLANs” on page 540 “Web Se rver” on p age 541[...]
-
Página 507
AT-S63 Management Software Features Guide 507 Address Resolution Protocol Cache The following table lists the ARP cache default setting. ARP Cache Setting Default ARP Cache T imeout 150 seconds[...]
-
Página 508
Appendix A: AT-S63 Manage ment Software Default Settings 508 Boot Configuration File The following table lists the names of the default configuration files. Boot Configuration File Default S tand-alone Switch boot.cfg S tack of A T-9400 Basic Layer 3 Switches and the A T-S t ackXG S tacking Modu le stack.cfg[...]
-
Página 509
AT-S63 Management Software Features Guide 509 BOOTP Relay Agent The following table lists the defaul t setting for the BOOT P relay agent. BOOTP Relay Agent Setting Default S tatus Disabled Hop Count 1 1. Hop count is no t adjustable. 4[...]
-
Página 510
Appendix A: AT-S63 Manage ment Software Default Settings 510 Class of Service The following table lists the default mappings of IEEE 80 2.1p priority levels to egress port priority queues. IEEE 802.1p Priority Level Port Priority Queue 0Q 1 1 Q0 (lowest) 2Q 2 3Q 3 4Q 4 5Q 5 6Q 6 7 Q7 (highest)[...]
-
Página 511
AT-S63 Management Software Features Guide 511 Denial of Service Defenses The following table lists the default se ttings for the Denial of Service prevention feature. Denial of Service Prevention Setting Default IP Address 0.0.0.0 Subnet Mask 0.0.0.0 Uplink Port Highest numbered existing port SYN Flood Defense Disabled Smurf Defense Disabled Land D[...]
-
Página 512
Appendix A: AT-S63 Manage ment Software Default Settings 512 802.1x Port-Based Network Access Control The following table describes the 802.1x Port-based Netwo rk Access Control default settings. The following table lists the defa ult settings for RADIUS accounting. The following table lists the defa ult settings for an authenticator port. 802.1x P[...]
-
Página 513
AT-S63 Management Software Features Guide 513 The following table lists the defaul t settings for a supp licant port. VLAN Assignment Enabled Secure VLAN On Control Direction Both Piggyback Mode Disabled Guest VLAN None Supplicant Port Setting Default Auth Period 30 seconds Held Period 60 seconds Max S tart 3 S tart Period 30 seconds User Name (non[...]
-
Página 514
Appendix A: AT-S63 Manage ment Software Default Settings 514 Enhanced Stacking The following table lists the enhanced stacking default settin g. Enhanced St acking Setting Default Switch S t ate Slave[...]
-
Página 515
AT-S63 Management Software Features Guide 515 Ethernet Protection Switch ing Ring (EPSR) Snooping The following table lists the EPSR default setting. EPSR Setting Default EPSR S tate Disabled[...]
-
Página 516
Appendix A: AT-S63 Manage ment Software Default Settings 516 Event Logs The following table lists the defa ult settings for both the permane nt and temporary event logs. Event Log Setting Default S tatus Enabled Full Log Action Wrap[...]
-
Página 517
AT-S63 Management Software Features Guide 517 GVRP This section provides the default settings f or GVRP. GVRP Setting Default S tatus Disabled GIP S tatus Enabled Join T imer 20 centiseconds Leave T imer 60 centiseconds Leave All T imer 1000 centiseconds Port Mode Normal[...]
-
Página 518
Appendix A: AT-S63 Manage ment Software Default Settings 518 IGMP Snooping The following table lists the IG MP Snooping default settings. IGMP Snooping Setting Default IGMP Snooping S tatus Disabled Multicast Host T opology Single Host/ Port (Edge) Host/Router T imeout Interval 260 seconds Maximum IGMP Mul ticast Groups 64 Multicast Router Ports Mo[...]
-
Página 519
AT-S63 Management Software Features Guide 519 Internet Protocol Version 4 Packet Routing The following table lists the IPv4 packet routing default settings. Note The update and invalid timers ar e not adjustable. The switch does not support the IPv4 routing holddown and flush timers. Packet Routing Setting Defau lt Equal Cost Multi-path (ECMP) Enab[...]
-
Página 520
Appendix A: AT-S63 Manage ment Software Default Settings 520 Link-flap Protection The following table lists the defa ult settings for link-flap protection. Link-flap Protection Setting Default S tatus Disabled Rate 10 link state ch anges Duration 60 seconds[...]
-
Página 521
AT-S63 Management Software Features Guide 521 MAC Address-based Port Security The following table lists the MAC ad dress-based port security default settings. MAC Address-based Port Security Setting Default Security Mode Automatic (no security) Intrusion Action Discard Participating No MAC Limit No Limit[...]
-
Página 522
Appendix A: AT-S63 Manage ment Software Default Settings 522 MAC Address Table The following table lists the defa ult setting for the MAC address table. MAC Address T able Setting Default MAC Address Aging T ime 300 seconds[...]
-
Página 523
AT-S63 Management Software Features Guide 523 Management Access Control List The following table lists the default setting for the manageme nt access control list. Management ACL Setting Default S tatus Disabled[...]
-
Página 524
Appendix A: AT-S63 Manage ment Software Default Settings 524 Manager and Operator Account The following table lists the manager and operator account default settings. Note Login names and passwords are case sensitive . Manager Account Setting Default Manager Login Name mana ger Manager Password friend Operator Login Name o perator Operator Password[...]
-
Página 525
AT-S63 Management Software Features Guide 525 Multicast Listener Discovery Snooping The following table lists the ML D Snooping default settings. MLD Snooping Setting Default MLD Snooping S tatus Disabled Multicast Host T opology Single Host/ Port (Edge) Host/Router T imeo ut Interval 260 seconds Maximum MLD Multicast Groups 6 4 Multicast Router Po[...]
-
Página 526
Appendix A: AT-S63 Manage ment Software Default Settings 526 Public Key Infrastructure The following table lists the PKI defaul t settings, includ ing the generate enrollment request settings. PKI Setting Default Switch Distinguished Name None Maximum Number of Certificates 256 Request Name None Key Pair ID 0 Format PEM T ype PKCS10[...]
-
Página 527
AT-S63 Management Software Features Guide 527 Port Settings The following table lists the por t configuration default settings . Port Configuration Setting Default S tatus Enabled 10/100/1000Base-T S peed Auto-Negotiation Duplex Mode Auto-Negotiation MDI/MDI-X Auto-MDI/MDIX Packet Filtering Disabled Packet Rate Limiting Disabled Override Priority N[...]
-
Página 528
Appendix A: AT-S63 Manage ment Software Default Settings 528 RJ-45 Serial Terminal Port The following table lists the RJ-45 seri al terminal port default settings. The baud rate is the only adjustable parameter o n the port. RJ-45 Serial T erminal Port Setting Default Data B its 8 St o p B i t s 1 Parity None Flow Control None Baud Rate 9600 bp s[...]
-
Página 529
AT-S63 Management Software Features Guide 529 Router Redundancy Protocol Snooping The following table lists the RRP Snooping default setting. RRP Snooping Setting Default RRP Snooping S tatus Disabled[...]
-
Página 530
Appendix A: AT-S63 Manage ment Software Default Settings 530 Server-based Authenticati on (RADIUS and TACACS+) This section describes the server-ba sed authentication , RADIUS, and TACACS+ client default settings. Server-based Authentication The following table describes the serv er-based authenticatio n default settings. RADIUS Client The followin[...]
-
Página 531
AT-S63 Management Software Features Guide 531 Simple Network Management Protocol The following table describes the SNMP default settings. SNMP Communities Setting Default SNMP S tatus Disabled Authentication Failure T rap S t atus Disabled Community Name public (Read only) Community Name private (Read|W rite) S tatus (public) Enabled S tatus (priva[...]
-
Página 532
Appendix A: AT-S63 Manage ment Software Default Settings 532 Simple Network Time Protocol The following table lists t he SNTP default settings. SNTP Setting Default System T i me 00:00:00 on January 1, 1980 SNTP S tatus Disabled SNTP Server 0.0.0.0 UTC Of fset +0 Daylight Savings T ime (DST) Enabled Poll Interval 600 seconds[...]
-
Página 533
AT-S63 Management Software Features Guide 533 Spanning Tree Protocols (STP, RSTP, and MSTP) This section provides the spanning tree, STP RSTP, and MSTP, default settings. Spanning Tree Switch Settings The following table describes the S panning Tree Protocol default settings for the switch. Spanning Tree Protocol The following table describes the S[...]
-
Página 534
Appendix A: AT-S63 Manage ment Software Default Settings 534 Multiple Spanning Tree Protocol The following table lists the MSTP default settings. Loop Guard Disabled BPDU Guard Disabled RSTP Setting Default MSTP Setting Default S tatus Disabled Force V ersion MSTP Bridge Hello T ime 2 Bridge Forwarding Delay 15 Bridge Max Age 20 Maximum Hop s 20 Co[...]
-
Página 535
AT-S63 Management Software Features Guide 535 Secure Shell Server The following table lists the SSH default settings. The SSH port number is not adjustable. SSH Setting Default S tatus Disabled Host Key ID Not Defined Server Key ID Not Defined Server Key Expiry T ime 0 hours Login T imeout 180 seconds SSH Port Number 22[...]
-
Página 536
Appendix A: AT-S63 Manage ment Software Default Settings 536 Secure Sockets Layer The following table lists the SSL default settings. SSL Setting Default Maximum Number of Sessions 50 Session Cache T imeout 300 seconds[...]
-
Página 537
AT-S63 Management Software Features Guide 537 System Name, Administrator, and Comments Settings The following table describes the IP default settings . IP Setting Default System Name None Administrator None Comments None[...]
-
Página 538
Appendix A: AT-S63 Manage ment Software Default Settings 538 Telnet Server The following table lists the Te lnet server default settings. The Telnet port number is not adjustable. T elnet Server Setting Default T elnet Server Enabled T elnet Port Number 23 NULL Character Off[...]
-
Página 539
AT-S63 Management Software Features Guide 539 Virtual Router Redundancy Protocol The following table lists the VRRP default setting. VRRP Setting Default S tatus Disabled[...]
-
Página 540
Appendix A: AT-S63 Manage ment Software Default Settings 540 VLANs This section provides the VLAN default sett ings. VLAN Setting Default Default VLAN Name Default_VLAN (all p orts) Management VLAN ID 1 (Default_VLAN) VLAN Mode User Configured Uplink Port None Ingress Filtering Disabled[...]
-
Página 541
AT-S63 Management Software Features Guide 541 Web Server The following table lists the web server default settings. Web Serve r Configuration Setting Default S tatus Enabled Operating Mode HTTP HTTP Port Number 80 HTTPS Port Number 443[...]
-
Página 542
Appendix A: AT-S63 Manage ment Software Default Settings 542[...]
-
Página 543
543 Appendix B SNMPv3 Configuration Examples This appendix provides two example s of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid whe n configuring the SNMPv3 protocol. It incl udes the following sections: “SNMPv3 Manager Configuration” on p age 544 “SNMPv3 Operator Configuration” on p age 545 ?[...]
-
Página 544
Appendix B: SNMPv3 Configura tion Examples 544 SNMPv3 Configuration Examples This appendix provides SNMPv3 configuration e xamples for the following types of users: Manager Operator In addition an SNMPv3 Configuration Table is provid ed to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 24, [...]
-
Página 545
AT-S63 Management Software Features Guide 545 Configure SNMPv3 SecurityToGroup Table User Name:s ystemadmi n24 Security Mode l: v3 Group Name: Man ag ers Storage Typ e: NonVol atile Configure SNMPv3 Notify Table Notify Name : sysadmi nTrap Notify Tag: sysadmin Tag Notify Type : Trap Storage Typ e: NonVol atile Configure SNMPv3 Target Address Table [...]
-
Página 546
Appendix B: SNMPv3 Configura tion Examples 546 Configure SNMPv3 View Table Menu View Name : intern et View Subtr ee OID: 1 .3.6.1 (or internet) Subtree Mas k: View Type : Includ ed Storage Ty pe: NonVo latile Configure SNMPv3 Access Table Group Name : Operato rs Security Mo del: SNMP v3 Security Le vel: Auth enticati on Read View Name : int er ne t[...]
-
Página 547
AT-S63 Management Software Features Guide 547 Security Model Security Level Read View Name Wri te Vi ew N am e Notify View Name S torage T ype SNMPv3 SecurityT oGroup T able User Name Security Model Group Name S torage T ype SNMPv3 Notify T able Notify Name Notify T ag Notify T ype S torage T ype SNMPv3 T arget Address T able T arget Address Name T[...]
-
Página 548
Appendix B: SNMPv3 Configura tion Examples 548 Security Model Security Level S torage T ype SNMPv3 Parameters (Continued)[...]
-
Página 549
549 Appendix C Featur es and S tandards This appendix lists the features an d standards of the AT-9400 Switch. Section include: ”10/100/1000Base-T T wisted Pair Ports” on page 550 ”Denial of Service Defenses” on p age 550 ”Fiber Optic Ports (A T-9408LC/SP Switch)” on page 551 ”File System” on page 551 ”Ethernet[...]
-
Página 550
Appendix C: Features an d Standards 550 10/100/1000Base-T Twisted Pair Ports IEEE 802.1d Bridging IEEE 802.3 10Base-T IEEE 802.3u 100Base-TX IEEE 802.3ab 1000Base-T IEEE 802.3u Auto-Negotiation IEEE 802.3x 10/100 Mbps Flow Control / Backpressure IEEE 802.3z 1000 Mbps Flow Control — Auto-MDI/MDIX — Head of Line Blocking — Eight Egress Queues P[...]
-
Página 551
AT-S63 Management Software Features Guide 551 Fiber Optic Ports (AT-9408LC/SP Switch) IEEE 802.1d Bridging IEEE 802.3z 1000Base-SX — Head of Line Blocking — Eight Egress Queues Per Port File System — 8 megabyte storage capacity DHCP and BOOTP Clients RFC 2131 DHCP client RFC 951, 1542 BOOTP client Internet Protocol Multicasting RFC 1112 IGMP [...]
-
Página 552
Appendix C: Features an d Standards 552 RFC 826 Address Resolution Protocol — Equal Cost Multi-path — Split Horizon and Split Horizon with Poison Reverse — Autosummarization of Routes RFC 1542 BOOTP Relay MAC Address Table — Storage capacity of 16K entries Management Access and Security RFC 1157 SNMPv1 RFC 1901 SNMPv2 RFC 3411 SNMPv3 RFC 14[...]
-
Página 553
AT-S63 Management Software Features Guide 553 Management Access Methods Enhanced Stacking Out-of-band management (serial port) In-band management (over the network) using Telne t, SSH, web browser, and SNMP Management Interfaces Menus Command Line Web Browser SNMP v1, v2, & v3 Management MIBs RFC 1213 MIB-II RFC 1215 TRAP MIB RFC 1493 Bridg[...]
-
Página 554
Appendix C: Features an d Standards 554 Port Security IEEE 802.1x Port-based Netw ork Access Control: Su pports multiple supplicants per port and th e following authentication methods: EAP-MD5 EAP-TLS EAP-TTLS PEAP RFC 2865 RADIUS Client RFC 2866 RADIUS Accounting — MAC Address-based security Port Trunking and Mirroring IEEE 802.3ad Link Aggregat[...]
-
Página 555
AT-S63 Management Software Features Guide 555 RFC 1757 RMON Groups 1, 2, 3, and 9 Traffic Control RFC 2386 Quality of Service featuring: — Layer 2, 3, and 4 criteria — Flow Groups, Traffic Classes, and Policies — DSCP Replacement — 802.1q Priority Replaceme nt — Type of Service Replacement — Type of Service to 802.1q Priority Replacemen[...]
-
Página 556
Appendix C: Features an d Standards 556 — MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.) IEEE 802.3ac VLAN Ta g Frame Extension IEEE 802.1P GARP VLAN Reg istration Protocol Virtual Router Redundancy Protocol RFC 3768 Virtual Router Redundancy Protocol[...]
-
Página 557
557 Appendix D MIB Objects This appendix lists the SNMP MIB objects in the p rivate Allied Telesis MIBs that apply to the AT-S63 Management Software a nd the AT-9400 Switch. Sections in the appendix include: ”Access Control Lists” on page 558 ”Class of Service” on p age 559 ”Date, T ime, and SNTP Client” on page 560 ”D[...]
-
Página 558
Appendix D: MIB Objects 558 Access Control Li sts T able 31. Access Control Lists (AtiStackSwitch MIB) Object Name OID atiStkSwACLConfigTable 1.3.6.1.4.1.2 07.8.17.9.1 atiStkSwACLConfigEntry 1.3.6.1.4.1.207.8.17.9.1.1 atiStkSwACLModuleId 1.3.6.1.4.1.207.8.1 7.9.1.1.1 atiStkSwACLId 1.3.6.1.4.1.207.8.17.9.1.1 .2 atiStkSwACLDescription 1.3.6.1.4.1.207[...]
-
Página 559
AT-S63 Management Software Features Guide 559 Class of Service T able 32. CoS Schedulin g (AtiStackSwitch MIB) Object Name OID atiSwQoSGroup 1.3.6.1.4.1.207.8.17.7 atiS tkSwQoSGroupNumberOfQueues 1.3.6.1.4.1.207.8.17.7.1 atiS tkSwQoSGroupSchedulingMode 1.3. 6.1.4.1.207.8.17.7.2 T able 33. CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB) O[...]
-
Página 560
Appendix D: MIB Objects 560 Date, Time, and SNTP Client T able 36. Date, Time, and SNTP Client (AtiStackSwitch MIB) Object Name OID atiStkSysSystemTimeConfig 1.3.6.1.4.1.2 07.8.17.1.5 atiStkSwSysCurrentTime 1.3.6.1.4.1.207.8.17.1.5.1 atiStkSwSysCurrentDate 1.3.6.1.4.1.207.8.1 7.1.5.2 atiStkSwSysSNTPStatus 1.3.6.1.4.1.207.8.1 7.1.5.3 atiStkSwSysSNTP[...]
-
Página 561
AT-S63 Management Software Features Guide 561 Denial of Service Defenses T able 37. LAN Address and Su bnet Mask (AtiStackSwitch MIB) Object Name OID atiStkDOSConfig 1.3.6.1.4.1.207.8.17.2.6 atiStkDOSConfigLANIpAddress 1.3.6.1.4.1.207.8 .17.2.6.1 atiStkDOSConfigLANSubnetMask 1.3.6.1.4.1.207.8.17.2.6 .2 T able 38. Denial of Service Defense s (AtiSta[...]
-
Página 562
Appendix D: MIB Objects 562 Enhanced Stacking T able 39. Switch Mode and Discovery (AtiStackInfo MIB) Object Name OID atiswitchEnhancedStackingInfo 1.3.6.1.4.1.207.8.16.1 atiswitchEnhStackMode 1.3.6.1.4.1.207.8.16.1.1 atiswitchEnhStackDiscover 1.3.6 .1.4.1.207.8.16.1.2 atiswitchEnhStackRemoteNumber 1.3.6.1.4.1.207.8.16.1.3 T able 40. Switches of an[...]
-
Página 563
AT-S63 Management Software Features Guide 563 GVRP T able 41. GVFP Switch Configuration (AtiStackSwitch MIB) Object Name OID atiStkSwGVRPConfig 1.3.6.1.4.1.207.8.17.3.6 atiStkSwGVRPStatus 1.3.6.1.4.1.207.8.17.3.6.1 atiStkSwGVRPGIPStatus 1.3.6.1.4.1.207.8.17.3.6.2 atiStkSwGVRPJoinTimer 1.3.6.1.4.1.207.8 .17.3.6.3 atiStkSwGVRPLeaveTimer 1.3.6.1.4.1.2[...]
-
Página 564
Appendix D: MIB Objects 564 atiStkSwGVRPCountersPortNotListening 1.3.6.1.4.1.207.8.1 7.3.8.1.8 atiStkSwGVRPCountersInvalidPort 1.3.6.1.4.1.207.8.17.3.8.1 .9 atiStkSwGVRPCountersInvalidProtocol 1.3.6.1.4.1.207.8.17.3.8.1 .10 atiStkSwGVRPCountersInvalidFormat 1.3.6.1.4.1.207.8.17.3.8.1 .1 1 atiStkSwGVRPCountersDatabaseFull 1.3.6.1.4.1.2 07.8.17.3.8.1[...]
-
Página 565
AT-S63 Management Software Features Guide 565 MAC Address Table T able 44. MAC Address T a ble (AtiStackSwitch MIB) Object Name OID atiStkSwMacAddr2VlanTable 1.3.6.1.4.1.207.8 .17.3.3 atiStkSwMacAddr2VlanEntry 1.3.6.1.4.1.207.8.17.3.3.1 atiStkSwMacAddress 1.3.6.1.4.1 .207.8.17.3.3.1.1 atiStkSwMacAddrVlanId 1.3.6.1.4.1.207.8 .17.3.3.1.2 atiStkSwMacA[...]
-
Página 566
Appendix D: MIB Objects 566 Management Access Control List T able 46. Management Access Control List S tatus (AtiStackSwitch MIB) Object Name OID atiStkSwSysMgmtACLGroup 1.3.6.1.4.1.207.8.17.1.7 atiStkSwSysMgmtACLStatus 1.3.6.1.4.1.207.8.17.1.7.1 T able 47. Management Access Control List Entries (AtiStackSwitch MIB) Object Name OID atiStkSwSysMgmtA[...]
-
Página 567
AT-S63 Management Software Features Guide 567 Miscellaneous T able 48. System Reset (AtiStackSwitch MIB) Object Name OID atiStkSwSysGroup 1.3.6.1.4.1.207.8.17.1 atiStkSwSysConfig 1.3.6.1.4.1.207.8.17.1.1 atiStkSwSysReset 1.3.6.1.4.1.207.8.17.1.1 .1 T able 49. Local Interface (AtiStackSwitch MIB) Object Name OID atiStkSwSysGroup 1.3.6.1.4.1.207.8.17[...]
-
Página 568
Appendix D: MIB Objects 568 Port Mirroring T able 51. Port Mirroring (At iStackSwitch MIB) Object Name OID atiStkSwPortMirroringConfig 1.3.6.1.4.1.2 07.8.17.2.2 atiStkSwPortMirroringState 1.3.6 .1.4.1.207.8.17.2.2.1 atiStkSwPortMirroringDestination ModuleId 1.3.6.1.4.1.207.8.17.2.2.4 atiStkSwPortMirroringDestination PortId 1.3.6.1.4.1.207.8.17.2.2.[...]
-
Página 569
AT-S63 Management Software Features Guide 569 Quality of Service T able 52. Flow Groups (AtiS tackSwitch MIB) Object Name OID atiStkSwQosFlowGrpTable 1.3.6.1.4.1.207.8 .17.7.5 atiStkSwQosFlowGrpEntry 1.3.6.1.4.1.207.8.17.7.5 .1 atiStkSwQosFlowGrpModuleId 1.3.6.1.4.1.207.8.17.7.5 .1.1 atiStkSwQosFlowGrpId 1.3.6.1.4.1.207.8.17.7.5 .1.2 atiStkSwQosFlo[...]
-
Página 570
Appendix D: MIB Objects 570 atiStkSwQosTrafficClassClassPriority 1.3.6.1.4.1.2 07.8.17.7.6.1.9 atiStkSwQosTrafficClassRemarkPriority 1.3.6.1.4.1.207.8.1 7.7.6.1.10 atiStkSwQosTrafficClassToS 1.3.6.1.4.1.2 07.8.17.7.6.1.1 1 atiStkSwQosTrafficClassMoveToSToPriority 1.3.6.1.4.1.2 07.8.17.7.6.1.12 atiStkSwQosTrafficClassMovePriorityToToS 1.3.6.1.4.1.2 [...]
-
Página 571
AT-S63 Management Software Features Guide 571 Port Configuration and Status T able 55. Port Configuration and S tatus (AtiStackSwitch MIB) Object Name OID atiStkSwPortConfigTable 1.3.6.1.4.1.207.8.17.2.1 atiStkPortConfigEntry 1.3. 6.1.4.1.207.8.17.2.1.1 atiStkSwModuleId 1.3.6.1.4.1.207.8.17.2.1.1.1 atiStkSwPortId 1.3.6.1.4.1.207.8.17.2.1 .1.2 atiSt[...]
-
Página 572
Appendix D: MIB Objects 572 Spanning Tree T able 56. S panning T ree (AtiStackSwitch MIB) Object Name OID atiStkSwSysConfig 1.3.6.1.4.1.207.8.1 7.1.1 atiStkSwSysSpanningTreeStatus 1.3.6.1.4.1.2 07.8.17.1.1.9 atiStkSwSysSpanningTreeVersion 1.3.6.1.4.1.207.8.1 7.1.1.10[...]
-
Página 573
AT-S63 Management Software Features Guide 573 Static Port Trunk T able 57. S tatic Port T runks (AtiStackSwitch MIB) Object Name OID atiStkSwStaticTrunkTable 1.3.6.1.4.1.207.8.17.8.1 atiStkSwStaticTrunkEntry 1.3.6.1.4.1.207.8 .17.8.1.1 atiStkSwStaticTrunkModuleId 1.3.6.1.4.1.207.8.17.8.1 .1.1 atiStkSwStaticTrunkIndex 1.3.6.1.4.1 .207.8.17.8.1.1.2 a[...]
-
Página 574
Appendix D: MIB Objects 574 VLANs The objects in Table 58 display the specifications of the Defa ult_VLAN. The objects in Table 59 display the names and VIDs of all the VLANs on a switch, but not the VLAN ports. T able 58. VLAN T able (AtiStackSwitch MIB) Object Name OID atiStkSwVlanConfigTable 1.3.6.1.4.1.207.8.1 7.3.1 atiStkSwVlanConfigEntry 1.3.[...]
-
Página 575
AT-S63 Management Software Features Guide 575 T able 61. PVID T able (AtiStackSwitch MIB) Object Name OID atiStkSwPort2VlanTable 1.3.6.1.4.1.207.8.17.3.2 atiStkSwPort2VlanEntry 1.3.6.1.4.1.207.8.17.3.2 .1 atiStkSwPortVlanId 1.3.6.1.4.1.207.8.17.3.2.1.1 atiStkSwPortVlanName 1.3.6.1.4.1.207.8.17.3.2 .1.2[...]
-
Página 576
Appendix D: MIB Objects 576[...]
-
Página 577
577 Index Numerics 802.1p priority level in classifiers 139 802.1Q-compliant VLAN mode 340 802.1x Port-based Network Access Control authentication process 425 authenticator port role 423 default settings 512 described 423 guidelines 441 port roles 426 supplicant port role 423 supported platforms 422 A access control entries (ACE) described 499 exam[...]
-
Página 578
Index 578 protocols 1 40 source MAC addresses 139 TCP flags 143 TCP source and destination ports 143 UDP source and destination ports 143 VLAN ID 140 Common and Internal Spanning Tree (CIST) defined 30 2 priority 302 common VLAN 85 community names SNMPv1 and SNMPv2c 94 configuration file described 75 configuration name 299 control messages, Ethern [...]
-
Página 579
AT-S63 Management Software Features Guide 579 H hello time 276 history of new features 55 HMAC authentication algorithm 461 HMAC-MD5-96 (MD5) authentication protocol 256 HMAC-SHA-96 (SHA) auth entication protocol 256 HTTP 449 HTTPS 449 I IEEE 802.1D standard 269 IGMP snooping querier. See Internet Group Mana gement Protocol (IGMP) snooping querier [...]
-
Página 580
Index 580 module ID numbers described 74 MSTI priority 301 MSTI. See Multiple Spanning Tree Instances (MSTI) MSTP. See Multiple Spanning Tree Protocol (MST P) Multicast Listener Di scovery (MLD) snooping default settings 525 described 237 supported platforms 236 Multiple Spanning Tree Instances (MSTI) 292 guideli n es 29 6 ports in multiple instanc[...]
-
Página 581
AT-S63 Management Software Features Guide 581 loop guard 283 supported platforms 270 redundant twisted pair ports 53 regional root 30 1 regions 299 revision number 299 RJ-45 serial terminal port, defa ult settings 528 root bridge 272 Router Redundancy Protocol (RRP) snooping default setting 529 described 241 guidelines 242 supported platforms 240 R[...]
-
Página 582
Index 582 static module ID numbers described 74 static port trunks described guideli n es 10 6 load distributi on method s 104 supported platforms 102 static routes 372 strict priority scheduling 162 subtree mask, related to MIB subtree view 259 supplicant port role 423, 428 supported features 34 SYN flood attack 204 syslog client 134 system priori[...]