Allied Telesis AT-S63 manual


A good user manual

The rules require the retailer to supply the buyer with the manual together with the Allied Telesis AT-S63 product. A missing manual, or incorrect information supplied to the consumer, is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphic form or an electronic manual, or Allied Telesis AT-S63 instructional videos for users. The condition is that the form be legible and understandable.

What is an instruction manual?

The word comes from the Latin "instructio", to instruct. So in the Allied Telesis AT-S63 manual you can find a description of the stages of a process. The purpose of the manual is to instruct: to make it easier to start up and use the equipment, or to carry out certain tasks. The manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the Allied Telesis AT-S63 manual, yet a good manual not only lets you learn a number of additional features of the device but also prevents most failures.

So what should the perfect manual contain?

First, the Allied Telesis AT-S63 manual should contain:
- technical data of the Allied Telesis AT-S63 device
- name of the manufacturer and year of manufacture of the Allied Telesis AT-S63 device
- instructions for use, adjustment and maintenance of the Allied Telesis AT-S63 device
- safety marks and certificates confirming compliance with the relevant standards

Why don't we read manuals?

Usually this is due to a lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the Allied Telesis AT-S63 is not enough. The manual contains a number of guidelines on specific functions, safety, maintenance methods (even which products should be used), possible Allied Telesis AT-S63 defects and ways to solve common problems during use. Finally, the manual gives the contact details of the Allied Telesis service in case the proposed solutions do not work. Nowadays, manuals in the form of interesting animations and instructional videos are much appreciated, since they speak to the user better than a leaflet does. This type of manual gives the user the chance to follow the whole instructional video without skipping the complicated Allied Telesis AT-S63 specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the Allied Telesis AT-S63 device, the use of the individual accessories, and a range of information that lets you make full use of all its features and conveniences.

After the successful purchase of a piece of equipment or device, it is worth taking a moment to become familiar with each part of the Allied Telesis AT-S63 manual. Nowadays they are carefully prepared and translated so that they are not only understandable for users but also fulfil their basic function of providing information.

Table of contents of the manual

  • Page 1

    613-001022 Rev. C Management Software AT-S63 ◆ Features Guide For Stand-alone AT-9400 Switches and AT-9400Ts Stacks. AT-S63 Version 2.2.0 for AT-9400 Layer 2+ Switches; AT-S63 Version 4.1.0 for AT-9400 Basic Layer 3 Switches[...]

  • Page 2

    Copyright 2009 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Allied Telesis and the Allied Telesis logo are trademarks of Allied Telesis, Incorporated. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Al[...]

  • Page 3

    Preface ... 21; How This Guide is Organized ... 22; Produ[...]

  • Page 4

    Contents: Chapter 2: AT-9400Ts Stacks ... 63; Supported Platforms ... 64; Introdu[...]

  • Page 5

    Contents: Load Distribution Methods ... 112; Guidelines ... [...]

  • Page 6

    Contents: Replacing Priorities ... 176; VLAN Tag User Priorities ... [...]

  • Page 7

    Contents: Chapter 23: Ethernet Protection Switching Ring Snooping ... 243; Supported Platforms ... 244[...]

  • Page 8

    Contents: Associating VLANs to MSTIs ... 305; Connecting VLANs Across Different Regions ... [...]

  • Page 9

    Contents: Section VII: Internet Protocol Routing ... 361; Chapter 32: Internet Protocol Version 4 Packet Routing ... 363; Supported Platforms ... [...]

  • Page 10

    Contents: Section VIII: Port Security ... 413; Chapter 35: MAC Address-based Port Security ... 415; Supported Platforms ... [...]

  • Page 11

    Contents: Chapter 39: PKI Certificates and SSL ... 463; Supported Platforms ... [...]

  • Page 12

    Contents: Internet Protocol Version 4 Packet Routing ... 519; Link-flap Protection ... [...]

  • Page 13

    Contents: Appendix D: MIB Objects ... 557; Access Control Lists ... [...]

  • Page 14

    Contents[...]

  • Page 15

    Figures: Figure 1: AT-StackXG Stacking Module ... 67; Figure 2: Duplex-chain Topology ... [...]

  • Page 16

    Figures: Figure 51: Example of a Tagged VLAN ... 323; Figure 52: GVRP Example ... [...]

  • Page 17

    Tables: Table 1: Basic Operations ... 34; Table 2: Advanced Operations ... [...]

  • Page 18

    Tables: Table 50: Default Mappings of IEEE 802.1p Priority Levels to Priority Queues ... 160; Table 51: Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues ... 160; Table 52: Example of Weighted Round Robin Pr[...]

  • Page 19

    Tables: Table 110: Support for 802.1x Port-based Network Access Control ... 422; Table 111: Management Interfaces for 802.1x Port-based Network Access Control ... 422; Table [...]

  • Page 20

    Tables[...]

  • Page 21

    Preface. This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software. This preface contains the following sections: “How This Guide is Organized” on page 22; “Product Documentation” on page 25; “Where to Go First” on page 26; “Starting [...]

  • Page 22

    Preface. How This Guide is Organized. This guide has the following sections and chapters: Section I: Basic Operations; Chapter 1, “Overview” on page 33; Chapter 2, “AT-9400Ts Stacks” on page 63; Chapter 3, “Enhanced Stacking” on page 81; Chapter 4, “SNMPv1 and SNMPv2c” on page 91; Chapter 5, “MAC Address Table” on pag[...]

  • Page 23

    Chapter 23, “Ethernet Protection Switching Ring Snooping” on page 243; Section IV: SNMPv3; Chapter 24, “SNMPv3” on page 253; Section V: Spanning Tree Protocols; Chapter 25, “Spanning Tree and Rapid Spanning Tree Protocols” on page 269; Chapter 26, “Multiple Spanning Tree P[...]

  • Page 24

    Preface. Appendix B, “SNMPv3 Configuration Examples” on page 543; Appendix C, “Features and Standards” on page 549; Appendix D, “MIB Objects” on page 557[...]

  • Page 25

    Product Documentation. For overview information on the features of the AT-9400 Switches and the AT-S63 Management Software, refer to: AT-S63 Management Software Features Guide (PN 613-001022). For instructions on how to start a local or remote management session on stand-alone AT-9400 Switches or[...]

  • Page 26

    Preface. Where to Go First. Allied Telesis recommends that you read Chapter 1, “Overview” on page 33 in this guide before you begin to manage the switch for the first time. There you will find a variety of basic information about the unit and the management software, such as the two manager access levels and the different types of [...]

  • Page 27

    Starting a Management Session. For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide.[...]

  • Page 28

    Preface. Document Conventions. This document uses the following conventions: Note: Notes provide additional information. Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data. Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.[...]

  • Page 29

    Contacting Allied Telesis. This section provides Allied Telesis contact information for technical support and for sales and corporate information. Online Support: You can request technical support online by accessing the Allied Telesis Knowledge Base: www.alliedtelesis.com/support/kb.aspx. You can use [...]

  • Page 30

    Preface[...]

  • Page 31

    Section I: Basic Operations. The chapters in this section contain background information on basic switch features. The chapters include: Chapter 1, “Overview” on page 33; Chapter 2, “AT-9400Ts Stacks” on page 63; Chapter 3, “Enhanced Stacking” on page 81; Chapter 4, “SNMPv1 and SNMPv2c[...]

  • Page 32

    Section I: Basic Operations[...]

  • Page 33

    Chapter 1: Overview. This chapter has the following sections: “Layer 2+ and Basic Layer 3 Switches” on page 34; “AT-S63 Management Software” on page 40; “Management Interfaces” on page 41; “Management Access Methods” on page 47; “Manager Access Levels” on page 49; “Installation and Management Configu[...]

  • Page 34

    Chapter 1: Overview. Layer 2+ and Basic Layer 3 Switches. The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups. Layer 2+ Switches: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Switches: AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. Although the swi[...]

  • Page 35

    Feature support table (continued): Multiple manager sessions; TCP/IP pings; Enhanced stacking; Simple Network Time Protocol (SNTP); SNMPv1 and SNMPv2; Packet filtering; Packet rate limiting; Port statistics; S[...]

  • Page 36

    Chapter 1: Overview. Feature support table (continued): Class of Service; Quality of Service; Group link control; Denial of service defenses; Power over Ethernet. Notes: 1. The only accessible file system in a stack is the one on the master switch. 2. The only active event logs in a stack are the ones on the m[...]

  • Page 37

    Table 4. SNMPv3 (columns: Layer 2+ Switches 08LC, 24GB, 24SP; Basic Layer 3 Switches 24T, 24T POE, 24Ts, 24XP, 48SP, 48XP; Stack): SNMPv3. Table 5. Spanning Tree Protocols (same columns): Spanning Tree Protocol (STP) [...]

  • Page 38

    Chapter 1: Overview. GARP VLAN Registration Protocol; Protected ports VLANs; MAC address-based VLANs. Table 6. Virtual LANs (columns: Layer 2+ Switches 08LC, 24GB, 24SP; Basic Layer 3 Switches 24T, 24T POE, 24Ts, 24XP, 48SP, 48XP; Stack). Table 7. Internet Protocol Routing (columns: Layer 2+ Switches 08LC, 24GB, 24SP; Basic Layer 3 Switches 24T, 24T P[...]

  • Page 39

    Table 8. Port Security (columns: Layer 2+ Switches 08LC, 24GB, 24SP; Basic Layer 3 Switches 24T, 24T POE, 24Ts, 24XP, 48SP, 48XP; Stack): MAC address-based port security; 802.1x port-based network access control using RADIUS protocol. Table 9. Management Security (columns: Layer 2+ Switches; Basic Layer 3 Swi[...]

  • Page 40

    Chapter 1: Overview. AT-S63 Management Software. The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged unit. Note: The defa[...]

  • Page 41

    Management Interfaces. The AT-S63 Management Software has four management interfaces: Standard command line; AlliedWare Plus command line; Menus; Web browser windows. As shown in Table 10, the standard command line and the web browser windows are supported on all of the possible platfor[...]

  • Page 42

    Chapter 1: Overview. In other cases, a management interface might support only part of a function. For example, you can set a switch or stack’s name, contact or location with any of the management interfaces, except for the AlliedWare Plus commands, which only let you set the name. The following tables list the features you can configure fr[...]

  • Page 43

    Baud rate of the Terminal Port; Management console timer; Telnet server; Console startup mode. Note 1: You can use the AlliedWare Plus command line to set the name of the switch or stack, but not the contact or location. Table 11. Management Interfaces for Basic Ope[...]

  • Page 44

    Chapter 1: Overview. Notes: 4. You cannot upload or download files to a compact flash card with the web browser windows. Also, that interface does not support switch-to-switch uploads. 5. You cannot upload or download files to a compact flash card with the web browser interface. 6. You cannot modify the event log full action from the web brows[...]

  • Page 45

    Multiple Spanning Tree Protocol (MSTP). Table 15. Management Interfaces for Spanning Tree Protocols (columns: Stand-alone Switches SCL, ACL, M, WB; Stacks SCL, ACL, WB). Table 16. Management Interfaces for Virtual LANs (columns: Stand-alone Switches SCL, ACL, M, WB; Stacks SCL, ACL, WB): Port-based and tagged VLANs [...]

  • Page 46

    Chapter 1: Overview. Table 18. Management Interfaces for Port Security (columns: Stand-alone Switches SCL, ACL, M, WB; Stacks SCL, ACL, WB): MAC address-based port security; 802.1x port-based network access control. Table 19. Management Interfaces for Management Security (columns: Stand-alone Switches SCL, ACL, M, WB; Stacks SCL, ACL [...]

  • Page 47

    Management Access Methods. You can access the AT-S63 Management Software on a switch in several ways: Local session; Remote Telnet session; Remote Secure Shell (SSH) session; Remote web browser (HTTP or HTTPS) session; Remote SNMP session. Local Management Sessions. To establish a local mana[...]

  • Page 48

    Chapter 1: Overview. Remote Secure Shell (SSH) Sessions. The AT-S63 Management Software also has a Secure Shell (SSH) server for remote management from SSH clients on your network. An SSH management session is similar to a Telnet management session except that it uses encryption to protect the session from snooping. Here are the management interf[...]

  • Page 49

    Manager Access Levels. The AT-S63 Management Software has two manager access levels: manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level lets you only view the parameter settings. You log in by entering the appropriate [...]

  • Page 50

    Chapter 1: Overview. Installation and Management Configurations. The AT-9400 Switches can be installed in three configurations. Stand-alone Switches: All the AT-9400 Switches can be installed as managed or unmanaged, stand-alone Gigabit Ethernet switches. AT-9400Ts Stacks: The AT-9424Ts, AT-9424Ts/XP and AT-9448Ts/XP Switches can be installed[...]

  • Page 51

    IP Configuration. Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your network, like a Simple Network Time Protocol server for setting its date and time, or a TFTP server for [...]

  • Page 52

    Chapter 1: Overview. Configuration Files. Stand-alone switches and stacks store their parameter settings in configuration files in their file systems. The devices use these files to configure their parameter settings whenever they initialize their management software, such as when you power on or reset the units. The switches do not update the f[...]

  • Page 53

    Redundant Twisted Pair Ports. Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are paired together. The twisted pair ports are identified with the letter “R” for “Redundant” as part of their number on the front faceplate of the unit. The switch models with paired ports[...]

  • Page 54

    Chapter 1: Overview. Note: These guidelines do not apply to the SFP slots on the AT-9408LC/SP Switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP Switches.[...]

  • Page 55

    History of New Features. The following sections outline the history of new features in the AT-S63 Management Software. Version 4.1.0: AlliedWare Plus™ Command Line: This version includes new AlliedWare Plus commands. Group Link Control: This feature is used to group the link states of ports o[...]

  • Page 56

    Chapter 1: Overview. [...] already familiar with the commands in the AlliedWare Plus operating system, you may find this new interface more convenient to use than the standard command line. Some of the management functions you can perform with this new interface are: Configure port parameters, such as Auto-Negotiation, speed, and duplex mode; [...]

  • Page 57

    Note: The new MODULE parameter can only be used on stacks that already have Version 4.0.0 or later. To update member switches that have versions earlier than 4.0.0, you have to disconnect them from the stack and update them as stand-alone units. The 802.1x port-based network access control feature [...]

  • Page 58

    Chapter 1: Overview. Version 3.0.0. Table 21 lists the new features in version 3.0.0 of the AT-S63 Management Software. Table 21. New Features in AT-S63 Version 3.0.0 (Feature / Change): Stacking with the AT-StackXG Stacking Module: New feature. For information, refer to Chapter 1, Overview, in the AT-S63 Stack Command Line Interface User’s Gu[...]

  • Page 59

    Version 2.1.0. Table 22 lists the new features in version 2.1.0. Version 2.0.0. Table 23 lists the new feature in version 2.0.0 of the AT-S63 Management Software. Table 22. New Features in AT-S63 Version 2.1.0 (Feature / Change): Internet Protocol version 4 packet routing: Added the following new features: [...]

  • Page 60

    Chapter 1: Overview. Version 1.3.0. Table 24 lists the new features in version 1.3.0 of the AT-S63 Management Software. Table 24. New Features in AT-S63 Version 1.3.0 (Feature / Change): 802.1x Port-based Network Access Control: Added the following new features: Guest VLAN. For background information, see “Guest VLAN” on page 438. VLAN A[...]

  • Page 61

    Version 1.2.0. Table 25 lists the new features in version 1.2.0. Table 25. New Features in AT-S63 Version 1.2.0 (Feature / Change): MAC Address Table: Added the following new parameters to the CLI commands for displaying and deleting specific types of MAC addresses in the MAC address table: STATIC, [...]

  • Page 62

    Chapter 1: Overview. 802.1x Port-based Network Access Control: Added a new parameter to authenticator ports: Supplicant Mode, for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator Ports with Single and Multiple Supplicants” on page 429. Table 25. New Features in AT-S63 Ve[...]

  • Page 63

    Chapter 2: AT-9400Ts Stacks. This chapter has the following sections: “Supported Platforms” on page 64; “Introduction” on page 65; “AT-S63 Management Software” on page 66; “Supported Models” on page 66; “AT-StackXG Stacking Module” on page 67; “Maximum Number of Switches in a Stack” on page[...]

  • Page 64

    Chapter 2: AT-9400Ts Stacks. Section I: Basic Operations. Supported Platforms. Table 26 and Table 27 list the AT-9400 Switches and the management interfaces that support AT-9400Ts Stacks. Table 26. Support for AT-9400Ts Stacks (Switch / Supported): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424T/POE, A[...]

  • Page 65

    AT-S63 Management Software Features Guide. Section I: Basic Operations. Introduction. The switches in the AT-9400 Series are divided into the Layer 2+ group and the Basic Layer 3 group. The two groups share many of the same features, but there are a number of significant differences. For instance, the Internet Protocol version 4 packet routing [...]

  • Page 66

    Chapter 2: AT-9400Ts Stacks. Section I: Basic Operations. AT-S63 Management Software. Stacking requires Version 3.0.0 or later of the AT-S63 Management Software. Note: Version 3.0.0 is only supported on the AT-9424T, AT-9424T/POE, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, and AT-9448Ts/XP Basic Layer 3 Switches. Do not install it on the AT-9408LC/S[...]

  • Page 67

    Section I: Basic Operations. AT-StackXG Stacking Module. To be part of a stack, the AT-9400Ts Switch must have the AT-StackXG Stacking Module, shown in Figure 1. You install the module in the switch’s expansion slot on the back panel. The installation instructions are provided in the AT-9400Ts Stack I[...]

  • Page 68

    Chapter 2: AT-9400Ts Stacks. Section I: Basic Operations. Maximum Number of Switches in a Stack. Stacks of the 24-port AT-9424Ts Switch or the AT-9424Ts/XP Switch can have up to eight units. A stack can have both models, and either model can be the master switch of the stack. Allied Telesis does not recommend using the 48-port AT-9448Ts/XP Swit[...]

  • Page 69

    Section I: Basic Operations. Enhanced Stacking. If you have prior experience with Allied Telesis products, you might already be familiar with a feature that happens to have a similar name to the feature discussed in this chapter. That feature is enhanced stacking, and what it allows you to do is manage th[...]

  • Page 70

    Chapter 2: AT-9400Ts Stacks. Section I: Basic Operations. Stack Topology. The switches of an AT-9400Ts Stack are cabled with the AT-StackXG Stacking Module and its two full-duplex, 12-Gbps stacking ports. There are two supported topologies. The first topology is the duplex-chain topology, where a port on one stacking module is connected to a po[...]

  • Page 71

    Section I: Basic Operations. Figure 3. Duplex-ring Topology. Both topologies offer the same network speed and performance, but the duplex-ring topology adds redundancy by providing a secondary path through the stacking modules. This can protect a stack against the failure of a stacking por[...]

  • Página 72

    Chapter 2: AT-9400Ts Stacks 72 Section I: Basic Operations Discovery Process When the switches of a stack are powered on or reset, they synchronize their operating software in a two-phase process before they begin to forward network traffic through their ports. In the first phase the switches initialize their AT-S63 Management Software. It takes[...]

  • Page 73

    AT-S63 Management Software Features Guide Section I: Basic Operations 73 Master and Member Switches The activities of the devices of a stack are coordinated by a master switch. There can be only one master switch, but it can be any unit in a stack. The master switch is assigned module ID 1, as explained in “Module ID Numbers” on page 74. Thi[...]

  • Page 74

    Chapter 2: AT-9400Ts Stacks 74 Section I: Basic Operations Module ID Numbers The switches of a stack are identified by module ID numbers. Each switch must have its own unique number. The range is 1 to 8. The switches assigned the module ID numbers 1 and 2 become the master switch and the backup master switch of a stack, respectively. The comma[...]

  • Page 75

    AT-S63 Management Software Features Guide Section I: Basic Operations 75 Stack Configuration Files The parameter settings of a stack are stored in the active configuration file in the master switch’s file system. The master switch restores the parameter settings in the file to the switches whenever the stack performs the discovery process, su[...]

  • Page 76

    Chapter 2: AT-9400Ts Stacks 76 Section I: Basic Operations • If the switch determines that its ID number is set to STATIC with the value 1, then it knows that it’s the master switch of the stack and that it is responsible for maintaining the STACK.CFG file for the entire stack. • If the switch determines that its ID number is se[...]

  • Page 77

    AT-S63 Management Software Features Guide Section I: Basic Operations 77 MAC Address Tables The MAC address tables of the switches in a stack are all the same. This is because the switches share their MAC addresses as they learn them. When a switch learns a new address on a port, it stores the address in its MAC address table and sends the addr[...]

  • Page 78

    Chapter 2: AT-9400Ts Stacks 78 Section I: Basic Operations Stack IP Address If you do not intend to use the packet routing feature, you must still assign one routing interface to the stack if it will be performing any of the following management functions: • Remote Telnet or web browser management • Sending event messages to a syslog serve[...]

  • Page 79

    AT-S63 Management Software Features Guide Section I: Basic Operations 79 Upgrading the AT-S63 Management Software The AT-9400 Switch must have Version 3.0.0 or later of the AT-S63 Management Software to be a member of a stack. To update the management software on an existing stack for versions after Version 3.0.0, you must disconnect the stackin[...]

  • Page 80

    Chapter 2: AT-9400Ts Stacks 80 Section I: Basic Operations[...]

  • Page 81

    Section I: Basic Operations 81 Chapter 3 Enhanced Stacking This chapter contains the following sections: • “Supported Platforms” on page 82 • “Overview” on page 83 • “Master and Slave Switches” on page 84 • “Common VLAN” on page 85 • “Master Switch and the Local Interface” on page 86 • “Slave Switches” on pa[...]

  • Page 82

    Chapter 3: Enhanced Stacking 82 Section I: Basic Operations Supported Platforms Table 29 and Table 30 list the AT-9400 Switches and the management interfaces that support enhanced stacking. Table 29. Support for Enhanced Stacking (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP Yes. Basic Layer 3 Models: AT-942[...]

  • Page 83

    AT-S63 Management Software Features Guide Section I: Basic Operations 83 Overview Having to manage a large number of network devices typically involves starting a separate management session on each device. This usually means having to end one management session in order to start a new session on another unit. The enhanced stacking feature can[...]

  • Page 84

    Chapter 3: Enhanced Stacking 84 Section I: Basic Operations Master and Slave Switches An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other swi[...]

  • Page 85

    AT-S63 Management Software Features Guide Section I: Basic Operations 85 Common VLAN A master switch searches for the other switches in an enhanced stack by sending a broadcast packet out a local subnet. (The designation of this subnet is explained in “Master Switch and the Local Interface,” next.) Since a broadcast packet cannot cross a[...]

  • Page 86

    Chapter 3: Enhanced Stacking 86 Section I: Basic Operations Master Switch and the Local Interface Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to know which subnet to send out its broadcast packets [...]

  • Page 87

    AT-S63 Management Software Features Guide Section I: Basic Operations 87 Slave Switches The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the ma[...]

  • Page 88

    Chapter 3: Enhanced Stacking 88 Section I: Basic Operations Enhanced Stacking Compatibility This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8400 Series and AT-8500 Series Switches. As such, an enhanced stack can consist of various switch models, though the following issues [...]

  • Page 89

    AT-S63 Management Software Features Guide Section I: Basic Operations 89 Enhanced Stacking Guidelines Here are the guidelines to using the enhanced stacking feature: • There can be up to 24 switches in an enhanced stack. • The switches in an enhanced stack must be connected with a common port-based or tagged VLAN. The VLAN must have the sa[...]

  • Page 90

    Chapter 3: Enhanced Stacking 90 Section I: Basic Operations General Steps Here are the basic steps to implementing the enhanced stacking feature on the AT-9400 Switches in your network: 1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesis switch that supports this feature. In a stack with differen[...]

  • Page 91

    Section I: Basic Operations 91 Chapter 4 SNMPv1 and SNMPv2c This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch. Sections in the chapter include: • “Supported Platforms” on page 92 • “Overview” on page 93 • “Community String Attributes” on page 94 • “Default SNMP Community Strings”[...]

  • Page 92

    Chapter 4: SNMPv1 and SNMPv2c 92 Section I: Basic Operations Supported Platforms Refer to Table 31 and Table 32 for the AT-9400 Switches and the management interfaces that support SNMPv1 and SNMPv2c community strings. Table 31. Support for SNMPv1 and SNMPv2c Community Strings (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes[...]

  • Page 93

    AT-S63 Management Software Features Guide Section I: Basic Operations 93 Overview You can manage a switch by viewing and changing the management information base (MIB) objects on the device with the Simple Network Management Protocol (SNMP). The AT-S63 Management Software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains SNMPv1 and SNM[...]

  • Page 94

    Chapter 4: SNMPv1 and SNMPv2c 94 Section I: Basic Operations Community String Attributes A community string has attributes for controlling who can use the string and what the string will allow a network management application to do on the switch. The community string attributes are defined below: Community String Name A community string must have a name of [...]

  • Page 95

    AT-S63 Management Software Features Guide Section I: Basic Operations 95 the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers to. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all[...]

  • Page 96

    Chapter 4: SNMPv1 and SNMPv2c 96 Section I: Basic Operations Default SNMP Community Strings The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write. If you activate SNMP management on the switch, you sh[...]

  • Page 97

    Section I: Basic Operations 97 Chapter 5 MAC Address Table This chapter contains background information about the MAC address table. This chapter contains the following section: • “Overview” on page 98[...]

  • Page 98

    Chapter 5: MAC Address Table 98 Section I: Basic Operations Overview The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port numbers where the addresses were learned. A switch learns the MAC addresses of the end nodes by exam[...]

  • Page 99

    AT-S63 Management Software Features Guide Section I: Basic Operations 99 no longer active. The period of time a switch waits before purging inactive dynamic MAC addresses is called the aging time. This value is adjustable on the AT-9400 Switch. The default value is 300 seconds (5 minutes). The MAC address table can also store static MAC addre[...]

  • Page 100

    Chapter 5: MAC Address Table 100 Section I: Basic Operations[...]

  • Page 101

    Section I: Basic Operations 101 Chapter 6 Static Port Trunks This chapter describes static port trunks. Sections in the chapter include: • “Supported Platforms” on page 102 • “Overview” on page 103 • “Load Distribution Methods” on page 104 • “Guidelines” on page 106[...]

  • Page 102

    Chapter 6: Static Port Trunks 102 Section I: Basic Operations Supported Platforms Refer to Table 33 and Table 34 for the AT-9400 Switches and the management interfaces that support static port trunks. Table 33. Support for Static Port Trunks (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP Yes. Basic Layer 3 [...]

  • Page 103

    AT-S63 Management Software Features Guide Section I: Basic Operations 103 Overview A static port trunk is a group of two to eight ports that function as a single virtual link between the switch and another device. Traffic is distributed across the ports to improve performance and enhance reliability by reducing the reliance on a single physic[...]

  • Page 104

    Chapter 6: Static Port Trunks 104 Section I: Basic Operations Load Distribution Methods This section discusses the load distribution methods of static port trunks and LACP port trunks, described in Chapter 7, “LACP Port Trunks” on page 107. When you create a static or LACP port trunk, you have to select a load distribution method. This con[...]

  • Page 105

    AT-S63 Management Software Features Guide Section I: Basic Operations 105 A similar method is used for the two load distribution methods that employ both the source and destination addresses. Only here the last three bits of both addresses are combined by an XOR process to derive a single value which is then compared against the mappings of th[...]

  • Page 106

    Chapter 6: Static Port Trunks 106 Section I: Basic Operations Guidelines Here are the guidelines to static trunks: • Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility. • A static trunk can have up to eight ports. • Stand-alone switches and AT-9400Ts Stacks can support[...]

  • Page 107

    Section I: Basic Operations 107 Chapter 7 LACP Port Trunks This chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the chapter include: • “Supported Platforms” on page 108 • “Overview” on page 109 • “LACP System Priority” on page 110 • “Adminkey Parameter” on page 111 • “LACP Port P[...]

  • Page 108

    Chapter 7: LACP Port Trunks 108 Section I: Basic Operations Supported Platforms Refer to Table 35 and Table 36 for the AT-9400 Switches and the management interfaces that support LACP port trunks. Table 35. Support for LACP Port Trunks (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP Yes. Basic Layer 3 Models [...]

  • Page 109

    AT-S63 Management Software Features Guide Section I: Basic Operations 109 Overview LACP (Link Aggregation Control Protocol) port trunks perform the same function as static trunks. They increase the bandwidth between network devices by distributing the traffic load over multiple physical links. The advantage of an LACP trunk over a static port t[...]

  • Page 110

    Chapter 7: LACP Port Trunks 110 Section I: Basic Operations LACP System Priority It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be [...]

  • Page 111

    AT-S63 Management Software Features Guide Section I: Basic Operations 111 Adminkey Parameter The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is restricted to a switch. Two aggregators on different switches can have the same adminkey without ge[...]

  • Page 112

    Chapter 7: LACP Port Trunks 112 Section I: Basic Operations Load Distribution Methods The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to assign different[...]

  • Page 113

    AT-S63 Management Software Features Guide Section I: Basic Operations 113 Guidelines The following guidelines apply to creating aggregators: • LACP must be activated on both the switch and the other device. • The other device must be 802.3ad-compliant. • An aggregator can consist of any number of ports. • The AT-S63 Management Softwar[...]

  • Page 114

    Chapter 7: LACP Port Trunks 114 Section I: Basic Operations • When creating a new aggregator, you can specify either a name for the aggregator or an admin key, but not both. If you specify a name, the adminkey is based on the operator key of the lowest numbered port in the aggregator. If you specify an adminkey, the default name is DEFAUL[...]

  • Page 115

    Section I: Basic Operations 115 Chapter 8 Port Mirror This chapter explains the port mirror feature. Sections in the chapter include: • “Supported Platforms” on page 116 • “Overview” on page 117 • “Guidelines” on page 117[...]

  • Page 116

    Chapter 8: Port Mirror 116 Section I: Basic Operations Supported Platforms Refer to Table 37 and Table 38 for the AT-9400 Switches and the management interfaces that support the port mirror. Table 37. Support for the Port Mirror (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP Yes. Basic Layer 3 Models: AT-9424[...]

  • Page 117

    AT-S63 Management Software Features Guide Section I: Basic Operations 117 Overview The port mirror feature allows for the unobtrusive monitoring of ingress or egress traffic on one or more ports on a switch, without impacting network performance or speed. It copies the traffic from specified ports to another switch port where the traffic can b[...]

  • Page 118

    Chapter 8: Port Mirror 118 Section I: Basic Operations[...]

  • Page 119

    Section I: Basic Operations 119 Chapter 9 Link-flap Protection This chapter explains link-flap protection. The sections in this chapter include: • “Supported Platforms” on page 120 • “Overview” on page 121 • “Guidelines” on page 122 • “Configuring the Feature” on page 123[...]

  • Page 120

    Chapter 9: Link-flap Protection 120 Section I: Basic Operations Supported Platforms Refer to Table 39 and Table 40 for the AT-9400 Switches and the management interfaces that support link-flap protection. Table 39. Support for Link-flap Protection (Switch / Supported): Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-94[...]

  • Page 121

    AT-S63 Management Software Features Guide Section I: Basic Operations 121 Overview A port that is unable to maintain a reliable connection to a network node may experience a condition referred to as link-flapping. This problem, which is usually caused by intermittent problems with network cables or network nodes, causes the state of a link on a[...]

  • Page 122

    Chapter 9: Link-flap Protection 122 Section I: Basic Operations Guidelines Here are the guidelines to link-flap protection: • The rate and duration are set at the switch or the stack level and apply to all of the ports. • You can enable this feature on a per-port basis. • The performance of the switch is not affected if you enable it on[...]

  • Page 123

    AT-S63 Management Software Features Guide Section I: Basic Operations 123 Configuring the Feature Here are the commands that are used to configure the link-flap protection feature. The first example uses the standard commands and the second example uses the AlliedWare Plus commands. They configure the feature such that link-flap events are[...]

  • Page 124

    Chapter 9: Link-flap Protection 124 Section I: Basic Operations[...]

  • Page 125

    Section II: Advanced Operations 125 Section II Advanced Operations This section contains the following chapters: • Chapter 10, “File System” on page 127 • Chapter 11, “Event Logs and the Syslog Client” on page 131 • Chapter 12, “Classifiers” on page 135 • Chapter 13, “Access Control Lists” on page 145 • Chapter 14, “[...]

  • Page 126

    126 Section II: Advanced Operations[...]

  • Page 127

    Section II: Advanced Operations 127 Chapter 10 File System The chapter explains the switch’s file system and contains the following sections: • “Overview” on page 128 • “File Naming Conventions” on page 129 • “Using Wildcards to Specify Groups of Files” on page 130[...]

  • Page 128

    Chapter 10: File System 128 Section II: Advanced Operations Overview The AT-9400 Switch has a file system in flash memory for storing system files. You can view a list of the files as well as copy, rename, and delete files. For those AT-9400 Switches that support a compact flash memory card, you can perform the same functions on the files store[...]

  • Page 129

    AT-S63 Management Software Features Guide Section II: Advanced Operations 129 File Naming Conventions The flash memory file system is a flat file system—directories are not supported. However, directories are supported on compact flash cards. In both types of storage, files are uniquely identified by a file name in the following format: filena[...]

  • Page 130

    Chapter 10: File System 130 Section II: Advanced Operations Using Wildcards to Specify Groups of Files You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressions: *.cfg *.key 28*.c[...]

  • Page 131

    Section II: Advanced Operations 131 Chapter 11 Event Logs and the Syslog Client This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server. Sections in the chapter include: • “Supported Platforms” on page 132 • “Overview” on page 133 • [...]

  • Page 132

    Chapter 11: Event Logs and the Syslog Client 132 Section II: Advanced Operations Supported Platforms Refer to Table 42 and Table 43 for the AT-9400 Switches and the management interfaces that support the event logs and the syslog client. Table 42. Support for the Event Logs and the Syslog Client (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Y[...]

  • Page 133

    AT-S63 Management Software Features Guide Section II: Advanced Operations 133 Overview A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to det[...]

  • Page 134

    Chapter 11: Event Logs and the Syslog Client 134 Section II: Advanced Operations Syslog Client The management software features a syslog client to send event messages to a syslog server on your network. A syslog server can function as a central repository for events from many different network devices. In order for the switch to send events to[...]

  • Page 135

    Section II: Advanced Operations 135 Chapter 12 Classifiers This chapter explains classifiers for access control lists and Quality of Service policies. The sections in this chapter include: • “Supported Platforms” on page 136 • “Overview” on page 137 • “Classifier Criteria” on page 139 • “Guidelines” on page 144[...]

  • Page 136

    Chapter 12: Classifiers 136 Section II: Advanced Operations Supported Platforms Refer to Table 44 and Table 45 for the AT-9400 Switches and the management interfaces that support classifiers. Table 44. Support for Classifiers (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP Yes. Basic Layer 3 Models: AT-9424T Ye[...]

  • Page 137

    AT-S63 Management Software Features Guide Section II: Advanced Operations 137 Overview A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter cou[...]

  • Page 138

    Chapter 12: Classifiers 138 Section II: Advanced Operations is dictated by the QoS policy, as explained in Chapter 15, “Quality of Service” on page 165. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to af[...]

  • Page 139

    AT-S63 Management Software Features Guide Section II: Advanced Operations 139 Classifier Criteria The components of a classifier are defined in the following subsections. Destination MAC Address (Layer 2) Source MAC Address (Layer 2) You can identify a traffic flow by specifying a source and/or destination MAC address. For instance, you might c[...]

  • Page 140

    Chapter 12: Classifiers 140 Section II: Advanced Operations Figure 5. User Priority and VLAN Fields within an Ethernet Frame You can identify a traffic flow of tagged packets using the user priority value. A classifier for such a traffic flow would instruct a port to watch for tagged packets containing the specified user priority level. The pri[...]

  • Page 141

    AT-S63 Management Software Features Guide Section II: Advanced Operations 141 Observe the following guidelines when using this variable: • When selecting a Layer 3 or Layer 4 variable, this variable must be left blank or set to IP. • If you choose to specify a protocol by its number, you can enter the value in decimal or hexadecimal format.[...]

  • Page 142

    Chapter 12: Classifiers 142 Section II: Advanced Operations Observe these guidelines when using this criterion: • The Protocol variable must be left blank or set to IP. • You cannot specify both an IP ToS value and an IP DSCP value in the same classifier. IP Protocol (Layer 3) You can define a traffic flow by the following Layer 3 protoco[...]

  • Page 143

    AT-S63 Management Software Features Guide Section II: Advanced Operations 143 Observe this guideline when using these criteria: • The Protocol variable must be left blank or set to IP. TCP Source Ports (Layer 4) TCP Destination Ports (Layer 4) A traffic flow can be identified by a source and/or destination TCP port number contained within th[...]

  • Page 144

    Chapter 12: Classifiers 144 Section II: Advanced Operations Guidelines Follow these guidelines when creating a classifier: • Each classifier represents a separate traffic flow. • The variables within a classifier are linked by AND. The more variables you define within a classifier, the more specific it becomes in terms of the flow it def[...]

  • Page 145

    Section II: Advanced Operations 145 Chapter 13 Access Control Lists This chapter describes access control lists (ACL) and how they can improve network security and performance. This chapter contains the following sections: • “Supported Platforms” on page 146 • “Overview” on page 147 • “Parts of an ACL” on page 149 • “Guid[...]

  • Page 146

    Chapter 13: Access Control Lists 146 Section II: Advanced Operations Supported Platforms Refer to Table 46 and Table 47 for the AT-9400 Switches and the management interfaces that support the access control lists. Table 46. Support for the Access Control Lists (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP Ye[...]

  • Page 147

    AT-S63 Management Software Features Guide Section II: Advanced Operations 147 Overview An access control list is a filter that controls the ingress traffic on a port. It defines a category of traffic and the action of the port when it receives packets of the category. The action can be to accept the defined packets or discard them. You can use[...]

  • Page 148

    Chapter 13: Access Control Lists 148 Section II: Advanced Operations 4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.[...]

  • Page 149

    AT-S63 Management Software Features Guide Section II: Advanced Operations 149 Parts of an ACL An ACL must have the following information: • Name - An ACL must have a name. The name of an ACL should indicate the type of traffic flow being filtered and, perhaps, also the action. An example might be “HTTPS flow - permit.” The more specific t[...]

  • Page 150

    Chapter 13: Access Control Lists 150 Section II: Advanced Operations Guidelines Here are the rules to creating ACLs: • Ports can have multiple permit and deny ACLs. • ACLs must have at least one classifier. • ACLs can have up to sixteen classifiers. • ACLs can be assigned to more than one switch port. • ACLs filter ingress traffic, bu[...]

  • Page 151

    AT-S63 Management Software Features Guide Section II: Advanced Operations 151 Examples This section contains several examples of ACLs. In this example, port 4 has been assigned one ACL, a deny ACL for the subnet 149.11.11.0. This ACL prevents the port from accepting any traffic originating from that subnet. Since this is the only ACL on the [...]

  • Page 152

    Chapter 13: Access Control Lists 152 Section II: Advanced Operations To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL, as illustrated in the next example. Three subnets are denied access to port 4. The three classifiers defining the subnets are applied to the same ACL. Fig[...]

  • Page 153

    AT-S63 Management Software Features Guide Section II: Advanced Operations 153 The same result can be achieved by assigning the classifiers to different ACLs and assigning the ACLs to the same port, as in this example, again for port 4. Figure 9. ACL Example 3 Create Access Control Lists (ACL) 1 - ACL ID ................. 22 2 - Description ..[...]

  • Page 154

    Chapter 13: Access Control Lists 154 Section II: Advanced Operations In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifie[...]

  • Page 155

    AT-S63 Management Software Features Guide Section II: Advanced Operations 155 The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 and a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited. Figure 12. ACL Exampl[...]

  • Page 156

    Chapter 13: Access Control Lists 156 Section II: Advanced Operations[...]

  • Page 157

    Section II: Advanced Operations 157 Chapter 14 Class of Service This chapter describes the Class of Service (CoS) feature. Sections in the chapter include: • “Supported Platforms” on page 158 • “Overview” on page 159 • “Scheduling” on page 162[...]

  • Page 158

    Chapter 14: Class of Service 158 Section II: Advanced Operations Supported Platforms Refer to Table 48 and Table 49 for the AT-9400 Switches and the management interfaces that support the Class of Service feature. Table 48. Support for the Class of Service Feature (Switch / Supported): Layer 2+ Models: AT-9408LC/SP Yes; AT-9424T/GB Yes; AT-9424T/SP[...]

  • Page 159

    AT-S63 Management Software Features Guide Section II: Advanced Operations 159 Overview When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their [...]

  • Page 160

    Chapter 14: Class of Service 160 Section II: Advanced Operations For example, when a tagged packet with a priority level of 3 enters a port on the switch, the packet is stored in the Q3 queue on the egress port. Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN t[...]

  • Page 161

    AT-S63 Management Software Features Guide Section II: Advanced Operations 161 Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis. You can configure a port to completely ignore the priority levels in its tagged packets and instead[...]

  • Page 162

    Chapter 14: Class of Service 162 Section II: Advanced Operations Scheduling A switch port needs a mechanism that specifies the order of transmittal of the packets from its eight egress queues. For example, should a port that has packets in all its queues transmit all the packets from Q7, the highest priority queue, before moving on to the other[...]

  • Page 163

    AT-S63 Management Software Features Guide Section II: Advanced Operations 163 Table 52 shows an example. In this example, the port transmits a maximum number of 15 packets from Q7 before moving to Q6, from where it transmits up to 10 packets, and so forth. For Q0 to Q6, the range of the maximum number of transmitted packets is 1 to 15. The ran[...]

  • Page 164

    Chapter 14: Class of Service 164 Section II: Advanced Operations Q6 15; Q7 0. Table 53. Example of a Weight of Zero for Priority Queue 7 (Continued) (Port Egress Queue / Maximum Number of Packets)[...]

  • Página 165

    Section II: Advanced Operations 165 Chapter 15 Quality of Service This chapter describes Quality of Serv ice ( QoS). Sections in the chapter include:  “Supported Platforms” on p age 166  “Overview” on page 167  “Classifiers” on page 169  “Flow Groups” on p age 170  “T raf fic Classes” on p age 171  “Policies?[...]

  • Página 166

    Chapter 15: Quali ty of Service 166 Section II: Advanced Operations Supported Platforms Refer to Table 54 and Table 55 for the AT-9400 Switches and the management interfaces that support Quality of Service . T able 54. Support for Qualit y of Service Switch Supported Layer 2+ Models A T-9408LC/SP Y es A T-9424T/GB Y es A T-9424T/SP Y es Basic Layer[...]

  • Página 167

    AT-S63 Management Software Features Guide Section II: Advance d Operations 167 Overview Quality of Service allows you to prioritize traffic and/o r limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which tre ated all traffic on the Internet or within a LAN in the same manner. Without QoS,[...]

  • Página 168

    Chapter 15: Quali ty of Service 168 Section II: Advanced Operations The QoS functionality described in this chapter sorts packets in to various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. [...]

  • Página 169

    AT-S63 Management Software Features Guide Section II: Advance d Operations 169 Classifiers Classifiers identify a particular traffic flow, and rang e from general to specific. (See Chapter 12, “Classifiers” on page 135 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic cl[...]

  • Página 170

    Chapter 15: Quali ty of Service 170 Section II: Advanced Operations Flow Groups Flow groups group similar traffic flows together, a nd allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a sma ll set of QoS parameters a nd a group of classifiers. After a flow group has been adde[...]

• Page 171

AT-S63 Management Software Features Guide Section II: Advanced Operations 171 Traffic Classes Traffic classes are the central component of the QoS solution. They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be assigned to only one policy. Traffic classes consist of a set of QoS parameters and a [...]

• Page 172

Chapter 15: Quality of Service 172 Section II: Advanced Operations Policies QoS policies consist of a collection of user defined traffic classes. A policy can be assigned to more than one port, but a port may only have one policy. Note that the switch can only perform error checking of parameters and parameter values for the policy and its traff[...]

• Page 173

AT-S63 Management Software Features Guide Section II: Advanced Operations 173 QoS Policy Guidelines Following is a list of QoS policy guidelines: • A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results. A classifier may be used successfully in m[...]

• Page 174

Chapter 15: Quality of Service 174 Section II: Advanced Operations Packet Processing You can use the switch’s QoS tools to perform any combination of the following functions on a packet flow: • Limiting bandwidth • Prioritizing packets to determine the level of precedence the switch will give to the packet for processing • Replacing t[...]

• Page 175

AT-S63 Management Software Features Guide Section II: Advanced Operations 175 Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 50 on page 160. Note[...]

• Page 176

Chapter 15: Quality of Service 176 Section II: Advanced Operations Replacing Priorities The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, y[...]

• Page 177

AT-S63 Management Software Features Guide Section II: Advanced Operations 177 DiffServ Domains Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network o[...]

• Page 178

Chapter 15: Quality of Service 178 Section II: Advanced Operations To use the QoS tool set to configure a DiffServ domain: 1. As packets come into the domain at edge switches, replace their DSCP value, if required. • Classify the packets according to the required characteristics. For available options, see Chapter 12, “Classifiers” on p[...]

• Page 179

AT-S63 Management Software Features Guide Section II: Advanced Operations 179 Examples The following examples demonstrate how to implement QoS in three situations: • “Voice Applications,” next • “Video Applications” on page 181 • “Critical Database” on page 183 Voice Applications Voice applications typically require a small b[...]

• Page 180

Chapter 15: Quality of Service 180 Section II: Advanced Operations Figure 14. QoS Voice Application Example The parts of the policies are: • Classifier - Defines the traffic flow by specifying the IP address of the node with the voice application. The classifier for Policy 6 specifies the address as a source address because this classifier i[...]

• Page 181

AT-S63 Management Software Features Guide Section II: Advanced Operations 181 • Traffic Class - No action is taken by the traffic class, other than to specify the flow group. Traffic class has a priority setting you can use to override the priority level of packets, just as in a flow group. If you enter a priority value in both places, the[...]

• Page 182

Chapter 15: Quality of Service 182 Section II: Advanced Operations Figure 15. QoS Video Application Example The parts of the policies are: • Classifier - Specifies the IP address of the node with a video application. The classifier for Policy 17 specifies the address as a source address since this classifier is part of a policy concerning p[...]

• Page 183

AT-S63 Management Software Features Guide Section II: Advanced Operations 183 packets so they leave containing the new level, you would change option 5, Remark Priority, to Yes. • Traffic Class - The packet stream is assigned a maximum bandwidth of 5 Mbps. Bandwidth assignment can only be made at the traffic class level. • Policy - S[...]

• Page 184

Chapter 15: Quality of Service 184 Section II: Advanced Operations Policy Component Hierarchy The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class [...]

• Page 185

AT-S63 Management Software Features Guide Section II: Advanced Operations 185 Figure 17. Policy Component Hierarchy Example
Create Classifier
01 - Classifier ID: ..... 1
14 - Dst IP Addr ..... 149.11.11.0
15 - Dst IP Mask ..... 255.255.255.0
Create Flow Group
1 - Flow Group ID ......... 1
3 - DSCP Value ............. 10
9 - Classifier List [...]

• Page 186

Chapter 15: Quality of Service 186 Section II: Advanced Operations[...]

• Page 187

Section II: Advanced Operations 187 Chapter 16 Group Link Control This chapter explains group link control. The sections in this chapter include: • “Supported Platforms” on page 188 • “Overview” on page 189 • “Guidelines” on page 197 • “Configuring the Feature” on page 198[...]

• Page 188

Chapter 16: Group Link Control 188 Section II: Advanced Operations Supported Platforms Refer to Table 56 and Table 57 for the AT-9400 Switches and the management interfaces that support group link control. Table 56. Support for Group Link Control Switch Supported Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP Basic Layer 3 Models AT-9[...]

• Page 189

AT-S63 Management Software Features Guide Section II: Advanced Operations 189 Overview Group link control is designed to improve the effectiveness of the redundant systems in a network. It enables the switch to alert network devices about problems they might not otherwise detect or respond to, so that they can implement their redundant systems,[...]

• Page 190

Chapter 16: Group Link Control 190 Section II: Advanced Operations In the first diagram a server with two teamed network adapter cards is connected to different AT-9400 Switches, with the active link to switch 3. If there was a failure on the active link, the server would be able to detect it directly and would respond by automatically transfe[...]

• Page 191

AT-S63 Management Software Features Guide Section II: Advanced Operations 191 But if the failure occurred further upstream between switches 1 and 3, the server would not detect the problem. Unaware of the problem, it would lose connectivity to the network because it would continue to transmit packets to switch 3, which would discard the packets[...]

• Page 192

Chapter 16: Group Link Control 192 Section II: Advanced Operations Figure 20. Group Link Control Example 3 When a link on an upstream port is reestablished, the switch automatically reactivates the downstream counterpart. Referring to the example, when the link on port 17 is reestablished, the switch enables port 24 again. A link control group c[...]

• Page 193

AT-S63 Management Software Features Guide Section II: Advanced Operations 193 Figure 21. Group Link Control Example 4 (figure labels: Switch 1, Switch 2, Switch 3, Switch 4, Network; upstream ports 17, 20; downstream ports 24, 25; primary trunk; secondary trunk)[...]

• Page 194

Chapter 16: Group Link Control 194 Section II: Advanced Operations If connectivity is lost on both ports 17 and 20, the downstream ports 24 and 25 are disabled. Figure 22. Group Link Control Example 5 In the previous examples the ports of the groups on the switch are connected to different devices, making it possible for downstream devices to k[...]

• Page 195

AT-S63 Management Software Features Guide Section II: Advanced Operations 195 This is illustrated in this figure. Switch 1 and switch 3 are connected with a static or LACP trunk of three links. A backup trunk from switch 2 to switch 3 is placed in the blocking state by the spanning tree protocol to prevent a network loop. Figure 23. Group Link Co[...]

• Page 196

Chapter 16: Group Link Control 196 Section II: Advanced Operations In this example the primary and backup trunks have four links each. Figure 24. Group Link Control Example 7 If you wanted switch 3 to shut down the primary trunk if any two links were lost, you would need to create six groups to cover all of the possible combinations. The groups a[...]

• Page 197

AT-S63 Management Software Features Guide Section II: Advanced Operations 197 Guidelines Here are the guidelines to group link control: • The switch or stack can support up to eight groups. • A group can have any number of ports, up to the total number of ports on the switch. • Ports can be members of more than one group. Ports can al[...]

• Page 198

Chapter 16: Group Link Control 198 Section II: Advanced Operations Configuring the Feature Here are a few examples on how to configure the feature. The first example configures the group in Figure 20 on page 192 in which port 17 is the upstream port and port 24 is the downstream port. To create the group, to enable group link control, and to ve[...]

• Page 199

AT-S63 Management Software Features Guide Section II: Advanced Operations 199
awplus(config-if)# interface 8
awplus(config-if)# group link control upstream 2
awplus(config-if)# group link control downstream 1
awplus(config-if)# group link control downstream 3
awplus(config-if)# interface 9
awplus(config-if)# group link control[...]

• Page 200

Chapter 16: Group Link Control 200 Section II: Advanced Operations[...]

• Page 201

Section II: Advanced Operations 201 Chapter 17 Denial of Service Defenses This chapter explains the defense mechanisms in the management software that can protect your network against denial of service (DoS) attacks. Sections in the chapter include: • “Supported Platforms” on page 202 • “Overview” on page 203 • “SYN Flood Attack[...]

• Page 202

Chapter 17: Denial of Service Defenses 202 Section II: Advanced Operations Supported Platforms Refer to Table 60 and Table 61 for the AT-9400 Switches and the management interfaces that support the denial of service defenses. Table 60. Support for the Denial of Service Defenses Switch Supported Layer 2+ Models AT-9408LC/SP Yes AT-9424T/GB Y[...]

• Page 203

AT-S63 Management Software Features Guide Section II: Advanced Operations 203 Overview The AT-S63 Management Software can help protect your network against the following types of denial of service attacks. • SYN Flood Attack • Smurf Attack • Land Attack • Teardrop Attack • Ping of Death Attack • IP Options Attack The following sect[...]

• Page 204

Chapter 17: Denial of Service Defenses 204 Section II: Advanced Operations SYN Flood Attack In this type of attack, an attacker sends to a victim a large number of TCP connection requests (TCP SYN packets) with bogus source addresses. The victim responds with acknowledgements (SYN ACK packets), but because the original source addresses are b[...]

• Page 205

AT-S63 Management Software Features Guide Section II: Advanced Operations 205 Smurf Attack This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request that has the network’s IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the vi[...]

• Page 206

Chapter 17: Denial of Service Defenses 206 Section II: Advanced Operations Land Attack In this attack, an attacker sends a bogus IP packet where the source and destination IP addresses are the same. This leaves the victim thinking that it is sending a message to itself. The most direct approach for defending against this form of attack would b[...]

• Page 207

AT-S63 Management Software Features Guide Section II: Advanced Operations 207 2. If the source IP address is not local to the network, it discards the packet because it assumes that a packet with an IP address that is not local to the network should not be appearing on a port that is not an uplink port. This protects against the possibility o[...]

• Page 208

Chapter 17: Denial of Service Defenses 208 Section II: Advanced Operations Teardrop Attack An attacker sends an IP packet in several fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. Because of the bogus offset value, the victim is unable to reassemble the packet, possibly causing it to f[...]

• Page 209

AT-S63 Management Software Features Guide Section II: Advanced Operations 209 Ping of Death Attack The attacker sends an oversized, fragmented ICMP Echo (Ping) request (greater than 65,535 bits) to the victim, which, if lacking a policy for handling oversized packets, may freeze. To defend against this form of attack, a switch port searches for [...]

• Page 210

Chapter 17: Denial of Service Defenses 210 Section II: Advanced Operations IP Options Attack In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 Management Software does not distinguish between them. Rather, the defense mechanism counts the numbe[...]

• Page 211

AT-S63 Management Software Features Guide Section II: Advanced Operations 211 Mirroring Traffic The Land, Teardrop, Ping of Death, and IP Options defense mechanisms allow you to copy the examined traffic to a mirror port for further analysis with a data sniffer or analyzer. This feature differs slightly from port mirroring in that prior to an a[...]

• Page 212

Chapter 17: Denial of Service Defenses 212 Section II: Advanced Operations Denial of Service Defense Guidelines Below are guidelines to observe when using this feature: • A switch port can support more than one DoS defense at a time. • The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.[...]

• Page 213

Section II: Advanced Operations 213 Chapter 18 Power Over Ethernet This chapter contains background information on Power over Ethernet (PoE) for the AT-9424T/POE Switch. Sections in the chapter include: • “Supported Platforms” on page 214 • “Overview” on page 215 • “Power Budgeting” on page 216 • “Port Prioritization” o[...]

• Page 214

Chapter 18: Power Over Ethernet 214 Section II: Advanced Operations Supported Platforms Refer to Table 62 and Table 63 for the AT-9400 Switch and the management interfaces that support the Power over Ethernet feature. Table 62. Support for the Power Over Ethernet Feature Switch Supported Layer 2+ Models AT-9408LC/SP AT-9424T/GB AT-9424T/SP B[...]

• Page 215

AT-S63 Management Software Menus User’s Guide Section II: Advanced Operations 215 Overview Power over Ethernet (PoE) is a mechanism for supplying power to network devices over the same twisted pair cables that carry the network traffic. This feature, defined in the IEEE 802.3af standard, can make the installation and maintenance of a network[...]

• Page 216

Chapter 18: Power Over Ethernet 216 Section II: Advanced Operations Power Budgeting The AT-9424T/POE Switch has a maximum power budget of 380 watts. The maximum possible load on the switch from the powered devices is 360W. The latter number assumes that all of the twenty four ports are connected to powered devices that are drawing the maximum [...]

• Page 217

AT-S63 Management Software Menus User’s Guide Section II: Advanced Operations 217 Port Prioritization Port prioritization is used to control which ports on the switch are to receive PoE in the event the power requirements of the devices exceed the switch’s power budget. Port prioritization should be unnecessary on the AT-9424T/POE Switch s[...]

• Page 218

Chapter 18: Power Over Ethernet 218 Section II: Advanced Operations PoE Device Classes The IEEE 802.3af standard specifies four levels of classes for powered devices that are defined by power usage. The classes are: • 0 - 0.44 W to 12.95 W • 1 - 0.44 W to 3.84 W • 2 - 3.84 W to 6.49 W • 3 - 6.49 W to 12.95 W (The standard actually specifi[...]

• Page 219

Section III: Snooping Protocols 219 Section III Snooping Protocols The chapters in this section contain overview information on the snooping protocols. The chapters include: • Chapter 19, “Internet Group Management Protocol Snooping” on page 221 • Chapter 20, “Internet Group Management Protocol Snooping Querier” on page 225 • Cha[...]

• Page 220

220 Section III: Snooping Protocols[...]

• Page 221

Section III: Snooping Protocols 221 Chapter 19 Internet Group Management Protocol Snooping This chapter explains the Internet Group Management Protocol (IGMP) snooping feature in the following sections: • “Supported Platforms” on page 222 • “Overview” on page 223[...]

• Page 222

Chapter 19: Internet Group Management Protocol Snooping 222 Section III: Snooping Protocols Supported Platforms Refer to Table 64 and Table 65 for the AT-9400 Switches and the management interfaces that support the Internet Group Management Protocol (IGMP) snooping feature. Table 64. Support for Internet Group Management Protocol Snooping Switc[...]

• Page 223

AT-S63 Management Software Features Guide Section III: Snooping Protocols 223 Overview IPv4 routers use IGMP to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodica[...]

• Page 224

Chapter 19: Internet Group Management Protocol Snooping 224 Section III: Snooping Protocols Without IGMP snooping a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance. The AT-9400 Switch maintains its list of multic[...]

• Page 225

Section III: Snooping Protocols 225 Chapter 20 Internet Group Management Protocol Snooping Querier This chapter explains IGMP snooping querier and contains the following sections: • “Supported Platforms” on page 226 • “Overview” on page 227 • “Guidelines” on page 230 • “Configuring the Feature” on page 231[...]

• Page 226

Chapter 20: Internet Group Management Protocol Snooping Querier 226 Section III: Snooping Protocols Supported Platforms Refer to Table 66 and Table 67 for the AT-9400 Switches and the management interfaces that support IGMP snooping querier. Table 66. Support for IGMP Snooping Querier Switch Supported Layer 2+ Models AT-9408LC/SP AT-9424T/GB[...]

• Page 227

AT-S63 Management Software Features Guide Section III: Snooping Protocols 227 Overview Multicast routers are essential for IP multicasting. They send out the queries to the network nodes to determine group memberships, route the multicast packets across networks, and maintain lists of the multicast groups and the ports where the members of the g[...]

• Page 228

Chapter 20: Internet Group Management Protocol Snooping Querier 228 Section III: Snooping Protocols Figure 25. IGMP Snooping Querier Example 1 The next example adds a second switch that has the same VLAN, the Default VLAN. IGMP snooping is enabled on the switch so that it can build its list of nodes for the multicast group. Since a LAN can have[...]

• Page 229

AT-S63 Management Software Features Guide Section III: Snooping Protocols 229 Figure 26. IGMP Snooping Querier Example 2 Multicast source: IP address: 149.123.48.1 Switch 1: VLAN: Default_VLAN VID: 1 IGMP snooping: Enabled IGMP snooping querier: Enabled Routing interface address: 149.123.48.2 Host nodes: IP addresses: 149.44.44.3 to 149.123.4[...]

• Page 230

Chapter 20: Internet Group Management Protocol Snooping Querier 230 Section III: Snooping Protocols Guidelines The guidelines for IGMP snooping querier are listed here: • The network can have only one LAN. • There cannot be any multicast routers. • IGMP snooping must be enabled on the switch. • IGMP snooping querier should be enabled on [...]

• Page 231

AT-S63 Management Software Features Guide Section III: Snooping Protocols 231 Configuring the Feature The procedures in this section illustrate how to use the standard commands and the AlliedWare Plus commands to configure the switch for IGMP snooping querier. The procedures configure the settings for switch 1 in Figure 25 on page 228. To confi[...]

• Page 232

Chapter 20: Internet Group Management Protocol Snooping Querier 232 Section III: Snooping Protocols 5. To confirm that IGMP snooping and IGMP snooping querier are enabled on the switch and that the interface is functioning as the querier: show igmpsnooping Figure 28. SHOW IGMPSNOOPING Command 6. To save the configuration: save configuration To[...]

• Page 233

AT-S63 Management Software Features Guide Section III: Snooping Protocols 233
2. To enable IGMP snooping: awplus(config)# ip igmp snooping
3. To enable IGMP snooping querier and apply it to the VLAN: awplus(config)# ip igmp querier-list 1 awplus(config)# exit
4. To confirm the routing interface: awplus# show ip interface
5. To confirm tha[...]

• Page 234

Chapter 20: Internet Group Management Protocol Snooping Querier 234 Section III: Snooping Protocols[...]

• Page 235

Section III: Snooping Protocols 235 Chapter 21 Multicast Listener Discovery Snooping This chapter explains Multicast Listener Discovery (MLD) snooping: • “Supported Platforms” on page 236 • “Overview” on page 237[...]

• Page 236

Chapter 21: Multicast Listener Discovery Snooping 236 Section III: Snooping Protocols Supported Platforms Refer to Table 68 and Table 69 for the AT-9400 Switches and the management interfaces that support Multicast Listener Discovery snooping. Table 68. Support for Multicast Listener Discovery Snooping Switch Supported Layer 2+ Models AT-9408[...]

• Page 237

AT-S63 Management Software Features Guide Section III: Snooping Protocols 237 Overview MLD snooping performs the same function as IGMP snooping. The switch uses the feature to build multicast membership lists. It uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of the multicast groups. T[...]

• Page 238

Chapter 21: Multicast Listener Discovery Snooping 238 Section III: Snooping Protocols[...]

• Page 239

Section III: Snooping Protocols 239 Chapter 22 Router Redundancy Protocol Snooping This chapter explains Router Redundancy Protocol (RRP) snooping and contains the following sections: • “Supported Platforms” on page 240 • “Overview” on page 241 • “Guidelines” on page 242[...]

• Page 240

Chapter 22: Router Redundancy Protocol Snooping 240 Section III: Snooping Protocols Supported Platforms Refer to Table 70 and Table 71 for the AT-9400 Switches and the management interfaces that support Router Redundancy Protocol Snooping. Table 70. Support for Router Redundancy Protocol Snooping Switch Supported Layer 2+ Models AT-9408LC/SP [...]

• Page 241

AT-S63 Management Software Features Guide Section III: Snooping Protocols 241 Overview The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one a[...]

• Page 242

Chapter 22: Router Redundancy Protocol Snooping 242 Section III: Snooping Protocols Guidelines The following guidelines apply to the RRP snooping feature: • The default setting for this feature is disabled. • Activating the feature flushes all dynamic MAC addresses from the MAC address table. • RRP snooping is supported on ports operatin[...]

• Page 243

Section III: Snooping Protocols 243 Chapter 23 Ethernet Protection Switching Ring Snooping This chapter has the following sections: • “Supported Platforms” on page 244 • “Overview” on page 245 • “Restrictions” on page 247 • “Guidelines” on page 249[...]

• Page 244

Chapter 23: Ethernet Protection Switching Ring Snooping 244 Section III: Snooping Protocols Supported Platforms Refer to Table 72 and Table 73 for the AT-9400 Switches and the management interfaces that support Ethernet Protection Switching Ring Snooping. Table 72. Support for Ethernet Protection Switching Ring Snooping Switch Supported Layer[...]

• Page 245

AT-S63 Management Software Features Guide Section III: Snooping Protocols 245 Overview Ethernet Protection Switching Ring is a feature found on selected Allied Telesis products, such as the AT-x900 Advanced Layer 3 Switches. It offers an effective alternative to spanning tree based options when using ring based topologies to create high speed[...]

• Page 246

Chapter 23: Ethernet Protection Switching Ring Snooping 246 Section III: Snooping Protocols After creating the VLANs, you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it re[...]

• Page 247

AT-S63 Management Software Features Guide Section III: Snooping Protocols 247 Restrictions EPSR snooping has three important restrictions. All the restrictions are related to control EPSR messages and the fact that EPSR snooping cannot generate these messages. The AT-9400 Switch cannot fulfill the role of master node of a ring because EPSR snoop[...]

• Page 248

Chapter 23: Ethernet Protection Switching Ring Snooping 248 Section III: Snooping Protocols Figure 29. Double Fault Condition in EPSR Snooping Now assume the link is reestablished between the switch and transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN[...]

• Page 249

AT-S63 Management Software Features Guide Section III: Snooping Protocols 249 Guidelines The guidelines to EPSR snooping are: • The AT-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances. • The AT-9400 Switch cannot be the master node of a ring. • EPSR snooping does not support the transit node unsolic[...]

• Page 250

Chapter 23: Ethernet Protection Switching Ring Snooping 250 Section III: Snooping Protocols[...]

• Page 251

Section IV: SNMPv3 251 Section IV SNMPv3 The chapter in this section contains overview information on SNMPv3. The chapter is: • Chapter 24, “SNMPv3” on page 253[...]

• Page 252

252 Section IV: SNMPv3[...]

• Page 253

Section IV: SNMPv3 253 Chapter 24 SNMPv3 This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. The following sections are provided: • “Supported Platforms” on page 254 • “Overview” on page 255 • “SNMPv3 Authentication Protocols” on page 256 • “SNMPv3 Privacy Protocol” on page 257 •[...]

• Page 254

Chapter 24: SNMPv3 254 Section IV: SNMPv3 Supported Platforms Refer to Table 74 and Table 75 for the AT-9400 Switches and the management interfaces that support SNMPv3. Table 74. Support for SNMPv3 Switch Supported Layer 2+ Models AT-9408LC/SP Yes AT-9424T/GB Yes AT-9424T/SP Yes Basic Layer 3 Models AT-9424T Yes AT-9424T/POE Yes AT-942[...]

• Page 255

AT-S63 Management Software Features Guide Section IV: SNMPv3 255 Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 4, “SNMPv1 and SNMPv2c” on page 91. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to conf[...]

• Page 256

Chapter 24: SNMPv3 256 Section IV: SNMPv3 SNMPv3 Authentication Protocols The SNMPv3 protocol supports two authentication protocols—HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both proto[...]

• Page 257

AT-S63 Management Software Features Guide Section IV: SNMPv3 257 SNMPv3 Privacy Protocol After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S63 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES proto[...]

• Page 258

Chapter 24: SNMPv3 258 Section IV: SNMPv3 SNMPv3 MIB Views The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 30. Figure 30. MIB Tree The AT-S63 software supports the MIB tree, starting with the Internet MIBs, as defined by 1.3.6.1. Ther[...]

• Page 259

AT-S63 Management Software Features Guide Section IV: SNMPv3 259 After you specify a MIB subtree view you have the option of further restricting a view by defining a subtree mask. The relationship between a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask. The switch uses the subnet ma[...]

• Page 260

Chapter 24: SNMPv3 260 Section IV: SNMPv3 SNMPv3 Storage Types Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile storage which allows you to save the table entry or volatile storage which does not allow you to save an entry. If you select the volatile storage type, when you power off the switch your SNMPv3 conf[...]

• Page 261

AT-S63 Management Software Features Guide Section IV: SNMPv3 261 SNMPv3 Message Notification When you generate an SNMPv3 message from the switch, there are three basic pieces of information included in the message: • The type of message • The destination of the message • SNMP security information To configure the type of message, you need to[...]

• Page 262

Chapter 24: SNMPv3 262 Section IV: SNMPv3 SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration: • Configure SNMPv3 User Ta[...]

• Page 263

AT-S63 Management Software Features Guide Section IV: SNMPv3 263 • Configure SNMPv3 Notify Table • Configure SNMPv3 Target Address Table • Configure SNMPv3 Target Parameters Table You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address[...]

• "SNMPv3 Target Parameters Table" on page 265
• "SNMPv3 Community Table" on page 265

SNMPv3 User Table

The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are[...]

SNMPv3 Notify Table

The Configure SNMPv3 Notify Table menu allows you to define the type of message that is sent from the switch to the SNMP host. In addition, you have the option of defining the message type as either an Inform or a Trap message. The difference between these two ty[...]

SNMPv3 Configuration Example

You may want to have two classes of SNMPv3 users: Managers and Operators. In this scenario, you would configure one group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privileges only. For a detailed[...]

Section V: Spanning Tree Protocols (page 267)

Section V
Spanning Tree Protocols

The section has the following chapters:
• Chapter 25, "Spanning Tree and Rapid Spanning Tree Protocols" on page 269
• Chapter 26, "Multiple Spanning Tree Protocol" on page 289[...]

Chapter 25
Spanning Tree and Rapid Spanning Tree Protocols

This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The sections in this chapter include:
• "Supported Platforms" on page 270
• "Overview" on page 271
• "Bridg[...]

Supported Platforms

Refer to Table 76 and Table 77 for the AT-9400 Switches and the management interfaces that support the Spanning Tree and Rapid Spanning Tree Protocols.

Table 76. Support for the Spanning Tree and Rapid Spanning Tree Protocol[...]

Overview

The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that dat[...]

Bridge Priority and the Root Bridge

The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridge[...]

Path Costs and Port Costs

After the root bridge has been selected, the bridges determine if the network contains redundant paths and, if one is found, select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one [...]

Table 80 lists the STP port costs with Auto-Detect when a port is part of a port trunk. Table 81 lists the RSTP port costs with Auto-Detect. Table 82 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk. You can overrid[...]

Table 83. Port Priority Value Increments

Increment   Port Priority     Increment   Port Priority
0           0                 8           128
1           16                9           144
2           32                10          160
3           48                11          176
4           64                12          192
5           80                13          208
6           96                14          224
7           112               15          240
[...]

Forwarding Delay and Topology Changes

If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports. Ho[...]

seconds, and the default is two seconds. Consequently, if the AT-9400 Switch is selected as the root bridge of a spanning tree domain, it transmits a BPDU every two seconds.

Point-to-Point and Edge Ports

Note: This section applies only to RSTP.

Part of the task of conf[...]

Figure 34. Edge Port

A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no STP or RSTP devices connected to it. Figure 35 illustrates a port functioning as both a point-to-point and edge po[...]

Mixed STP and RSTP Networks

RSTP (IEEE 802.1w) is backward compatible with STP (IEEE 802.1D). A network can have both protocols. If both RSTP and STP are present in a network, they operate together to create a single spanning tree domain. Given this, if you decide to activa[...]

Spanning Tree and VLANs

The STP and RSTP implementations in the AT-S63 Management Software support a single-instance spanning tree that encompasses all the ports on the switch. If the ports are divided into different VLANs, the spanning tree cro[...]

RSTP BPDU Guard

This feature monitors RSTP edge ports on stand-alone switches or AT-9400Ts stacks and disables the ports if they receive BPDU packets. The benefit of this feature is that it prevents the use of edge ports by RSTP devices and so reduces the possibil[...]

• BPDU guard is supported only on RSTP. It is not supported on STP or MSTP.
• This feature is supported on the base ports of the switch and any expansion modules and fiber optic transceivers installed in the unit.

Note: A port that the BPDU[...]

RSTP Loop Guard

Although RSTP is intended to detect and prevent the formation of loops in a network topology, it is possible that the protocol might inadvertently create a loop. This can happen in the unlikely situation where a link between two RSTP devices remains[...]

This feature is supported on the base ports of the switch as well as on any expansion modules and fiber optic transceivers installed in the unit. This feature is not supported in STP or MSTP. It is also not supported on RSTP edge ports. The foll[...]

Figure 38. Loop Guard Example 2

But if loop guard is enabled on port 14 on switch 3, the port, instead of changing to the forwarding state, stays in the blocking state, preventing the formation of the loop.

Figure 39. Loop Guard Example 3

The previous example illustrat[...]

In the first example the root bridge stops transmitting BPDUs. If switch 3 is not using loop guard, it continues to forward traffic on port 4, but since no BPDUs are received on the port, it assumes that the device connected to the port is not an [...]

Figure 41. Loop Guard Example 5 (figure labels: Switch 1, old root bridge, RSTP stops operating; Switch 2, new root bridge; Switch 3, port 4: loop guard changes the port from the forwarding state to the blocking state; port 14: transitions from the blocking state to the forwarding state)[...]

Chapter 26
Multiple Spanning Tree Protocol

This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The sections in this chapter include:
• "Supported Platforms" on page 290
• "Overview" on page 291
• "Multiple Spanning Tree Instance (MSTI)" on page 29[...]

Supported Platforms

Refer to Table 84 and Table 85 for the AT-9400 Switches and the management interfaces that support the Multiple Spanning Tree Protocol.

Table 84. Support for the Multiple Spanning Tree Protocol

Switch             Supported
Layer 2+ Models
AT-9408LC/SP       Y[...]

Overview

As mentioned in Chapter 25, "Spanning Tree and Rapid Spanning Tree Protocols" on page 269, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the [...]

Multiple Spanning Tree Instance (MSTI)

The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Switches. The switch can support up to 16 MSTIs at a time. To create an MSTI, you first[...]

Figure 42. VLAN Fragmentation with STP or RSTP (figure: two AT-9424T/SP Gigabit Ethernet Switches with their port labels; the redundant link is marked "Blocked Port")[...]

Figure 43 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links r[...]

An MSTI can contain more than one VLAN. This is illustrated in Figure 44, where there are two AT-9400 Switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering V[...]

MSTI Guidelines

The following are several guidelines to keep in mind about MSTIs:
• The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST.
• An MSTI can contain any number of VLANs.
• A VLAN can belong to only one MSTI at a ti[...]

VLAN and MSTI Associations

Part of the task of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instanc[...]

Ports in Multiple MSTIs

A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously,[...]

Multiple Spanning Tree Regions

Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. Those characteristics are:
• Configuration name
• Revision number
• VLANs
• VLAN t[...]

Figure 45 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with t[...]

The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region. Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must [...]

Common and Internal Spanning Tree (CIST)

MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that [...]

Summary of Guidelines

Careful planning is essential for the successful implementation of MSTP. This section reviews all the rules and guidelines mentioned in earlier sections, and contains a few new ones:
• The AT-9400 Switch can support up to 16 spanning tree insta[...]

Note: The AT-S63 MSTP implementation complies fully with the IEEE 802.1s standard. Any other vendor's fully compliant 802.1s implementation is interoperable with the AT-S63 implementation.[...]

Associating VLANs to MSTIs

Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state [...]

Figure 47. CIST and VLAN Guideline - Example 2

When port 4 on switch B receives a BPDU, the switch notes that the port sending the packet belongs only to the CIST. Therefore, switch B uses the CIST in determining whether a loop exists. The result would be that the switch detec[...]

Connecting VLANs Across Different Regions

Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region. Unless planned properly, VLAN fragmentation can occur between the VLAN[...]

Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example. Assume that you have two regions that contain the following VLANs:

Region 1 VLANs      Regi[...]

Section VI: Virtual LANs (page 309)

Section VI
Virtual LANs

The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Switch. The chapters include:
• Chapter 27, "Port-based and Tagged VLANs" on page 311
• Chapter 28, "GARP VLAN Registration Protocol" on page 325
• Chapter 29, "Multiple VLAN Mode[...]

Chapter 27
Port-based and Tagged VLANs

This chapter contains overview information about port-based and tagged virtual LANs (VLANs). This chapter contains the following sections:
• "Supported Platforms" on page 312
• "Overview" on page 313
• "Port-based VLAN Overview" on page 315
• "Tagged VL[...]

Supported Platforms

Refer to Table 86 and Table 87 for the AT-9400 Switches and the management interfaces that support port-based and tagged VLANs.

Table 86. Support for Port-based and Tagged VLANs

Switch             Supported
Layer 2+ Models
AT-9408LC/SP       Yes
AT-9424T/GB        Yes
AT-942[...]

Overview

A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through th[...]

Management Software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch. Th[...]

Port-based VLAN Overview

As explained in "Overview" on page 313, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to th[...]

three AT-9400 Switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 Management Software to do it automatically. If you allow the management software to do it automatically, it selects the next availab[...]

Guidelines to Creating a Port-based VLAN

Below are the guidelines to creating a port-based VLAN.
• Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the sam[...]

Port-based Example 1

Figure 49 illustrates an example of one AT-9424T/SP Gigabit Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.)

Figure 49. Port-based VLAN - Example 1

The table below lists the port assignmen[...]

In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN.

Port-based Example 2

Figure 50 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two AT[...]

The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:
• Sales VLAN - This VLAN spans both switches. It has a VID value of 2 and consists of six untagged ports on the top switch and five untagged ports on the bottom s[...]

Tagged VLAN Overview

The second type of VLAN supported by the AT-S63 Management Software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assign[...]

• Port VLAN Identifier

Note: For explanations of VLAN name and VLAN identifier, refer back to "VLAN Name" on page 315 and "VLAN Identifier" on page 315.

Tagged and Untagged Ports

You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, [...]

Tagged VLAN Example

Figure 51 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products.

Figure 51. Example of a Tagged VLAN (figure: two switches with their port labels and a WAN link)[...]

The port assignments for the VLANs are as follows: This example is nearly identical to "Port-based Example 2" on page 319. Tagged ports have been added to simplify network implementation and management. One of the tagged ports is port 2 on the top switch. This port has be[...]

Chapter 28
GARP VLAN Registration Protocol

This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections:
• "Supported Platforms" on page 326
• "Overview" on page 327
• "Guidelines" on page 330
• "GVRP and Network Security" on page 331
• "GVRP-inact[...]

Supported Platforms

Refer to Table 88 and Table 89 for the AT-9400 Switches and the management interfaces that support the GARP VLAN Registration Protocol.

Table 88. Support for the GARP VLAN Registration Protocol

Switch             Supported
Layer 2+ Models
AT-9408LC/SP       Yes
AT-9424[...]

Overview

The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is[...]

Figure 52 provides an example of how GVRP works.

Figure 52. GVRP Example

Switches #1 and #3 contain the Sales VLAN, but switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLAN are unable to communicate with each other. Without GVRP, you would need[...]

as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made.
5. Switch #3 sends a PDU out port 4 to switch #2.
6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN[...]

Guidelines

Following are guidelines to observe when using this feature:
• GVRP is supported with STP and RSTP, or without spanning tree. GVRP is not supported with MSTP.
• GVRP is supported when the switch is operating in the tagged VLAN mode, which is the VLAN mode [...]

GVRP and Network Security

GVRP should be used with caution because it can expose your network to unauthorized access. A network intruder can gain access to restricted parts of the network by connecting to a switch port running GVRP and transmitting a bogus GVRP PDU containing VID[...]

GVRP-inactive Intermediate Switches

If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs tha[...]

Generic Attribute Registration Protocol (GARP) Overview

The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devi[...]

GARP architecture is shown in Figure 53.

Figure 53. GARP Architecture

The GARP application component of the GARP participant is responsible for defining the semantics associated with the parameter values and operators received in GARP PDUs, and for generating GARP PDUs for t[...]

Figure 54. GID Architecture

GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message. An applicant that wish[...]

To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchang[...]

Chapter 29
Multiple VLAN Modes

This chapter describes the multiple VLAN modes. This chapter contains the following sections:
• "Supported Platforms" on page 338
• "Overview" on page 339
• "802.1Q-Compliant Multiple VLAN Mode" on page 340
• "Non-802.1Q Compliant Multiple VLAN Mode" on page 34[...]

Supported Platforms

Refer to Table 90 and Table 91 for the AT-9400 Switches and the management interfaces that support the multiple VLAN modes.

Table 90. Support for the Multiple VLAN Modes

Switch             Supported
Layer 2+ Models
AT-9408LC/SP       Yes
AT-9424T/GB        Yes
AT-9424T/SP        Yes
Basic L[...]

Overview

The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are o[...]

802.1Q-Compliant Multiple VLAN Mode

In this mode, each port is placed into a separate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numbers. For example, the VLAN for port 4 is named Client_VLAN_4 and is given the VID of 4, the VLAN for port 5 is name[...]

This highly segmented configuration is useful in situations where traffic generated by each end node or network segment connected to a port on the switch needs to be kept separate from all other network traffic, while still allowing access to an uplink to a WAN. Unicast traff[...]

Non-802.1Q Compliant Multiple VLAN Mode

Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. To establish traffic isolation, it uses port mapping. The result, h[...]

Chapter 30
Protected Ports VLANs

This chapter explains protected ports VLANs. It contains the following sections:
• "Supported Platforms" on page 344
• "Overview" on page 345
• "Guidelines" on page 347[...]

Supported Platforms

Refer to Table 93 and Table 94 for the AT-9400 Switches and the management interfaces that support protected ports VLANs.

Table 93. Support for Protected Ports VLANs

Switch             Supported
Layer 2+ Models
AT-9408LC/SP       Yes
AT-9424T/GB        Yes
AT-9424T/SP        Yes
Basic L[...]

Overview

The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter, but it [...]

To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is tha[...]

Guidelines

Following are the guidelines for implementing protected ports VLANs:
• A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a port-based or tagged VLAN instead.
• A protected ports VL[...]

Chapter 31
MAC Address-based VLANs

This chapter contains overview information about MAC address-based VLANs. Sections in the chapter include:
• "Supported Platforms" on page 350
• "Overview" on page 351
• "Egress Ports" on page 352
• "VLANs That Span Switches" on page 355
• "VLAN Hierar[...]

Supported Platforms

Refer to Table 95 and Table 96 for the AT-9400 Switches and the management interfaces that support MAC address-based VLANs.

Table 95. Support for MAC Address-based VLANs

Switch             Supported
Layer 2+ Models
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Basic Layer 3 Mode[...]

Overview

As explained in "Overview" on page 313, VLANs are a means for creating independent LAN segments within a network and are typically employed to improve network performance and security. The AT-S63 Management Software offers several different types of VLANs, includin[...]

Egress Ports

Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports on the switch for the packets from the nodes. The egress ports define the limits of flooding of p[...]

The community characteristic of egress ports relieves you from having to map each address to its corresponding egress port. You only need to be sure that all the egress ports in a MAC address-based VLAN are assigned to at least one address. It is also important to note that a [...]

• Page 354

If security is a major concern for your network, you might not want to assign a port as an egress port to more than one VLAN when planning your MAC address-based VLANs. When a packet whose source MAC address is part of a MAC address-based VLAN arrives on a port, the switch perfor[...]

• Page 355

VLANs That Span Switches
To create a MAC address-based VLAN that spans switches, you must replicate the MAC addresses of the VLAN nodes on all the switches where the VLAN exists. The same MAC address-based VLAN on different switches must have the same list of MAC addresses. F[...]

• Page 356

Table 99. Example of a MAC Address-based VLAN Spanning Switches
Switch A (VLAN Name: Sales)            Switch B (VLAN Name: Sales)
MAC Address   Egress Ports             MAC Address   Egress Ports
Address_1     1,3,4,5                  Address_1     11,12,14,16
Address_2     1                        Address_2     11
Address_3     1                        Address_3     11
Address_4[...]

• Page 357

VLAN Hierarchy
The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egress port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN. (A port can be a member of both types of VLANs at[...]

• Page 358

Steps to Creating a MAC Address-based VLAN
Here are the three main steps to creating a MAC address-based VLAN:
1. Assign the VLAN a name and a VID. You must also set the VLAN type to MAC Based.
2. Assign the MAC addresses to the VLAN.
3. Add the egress ports to the MAC addresses. T[...]

• Page 359

Guidelines
Follow these guidelines when implementing a MAC address-based VLAN:
• MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP Switches.
• The switch can support up to a total of 4094 port-based, tagged, protected ports, an[...]

• Page 360

• Egress ports cannot be part of a static or LACP trunk.
• Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs.
• Ports 49 and 50 on the A[...]

• Page 361

Section VII: Internet Protocol Routing
This section has the following chapters:
• Chapter 32, “Internet Protocol Version 4 Packet Routing” on page 363
• Chapter 33, “BOOTP Relay Agent” on page 397
• Chapter 34, “Virtual Router Redundancy Protocol” on page 403[...]


• Page 363

Chapter 32: Internet Protocol Version 4 Packet Routing
This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic Layer 3 Switches. The chapter covers routing interfaces, static routes, and the Routing Information Protocol (RIP) versions 1 and 2. The sections in the chapter include:
• “Supported Platfo[...]

• Page 364

Supported Platforms
Refer to Table 100 and Table 101 for the AT-9400 Switches and the management interfaces that support the IPv4 packet routing feature. Here are a few things you need to know about the supported platforms and the management interfaces for the IP pa[...]

• Page 365

Features” on page 384 and “AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches” on page 388.
• AT-9400Ts Stacks support static routes but not RIP.
• You can use the menus on a stand-alone switch to configure the routing interfaces, but not static routes or RIP.[...]

• Page 366

Overview
This section contains an overview of the IPv4 routing feature on the AT-9400 Switch. It begins with an explanation of the following available routing methods:
• Routing interfaces
• Static routes
• RIP version 1 and 2
A routing interface is a logical[...]

• Page 367

At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example” on page 390 and “Non-[...]

• Page 368

Routing Interfaces
The IPv4 packet routing feature on the switch is built on the foundation of the routing interface. An interface functions as a logical connection to a subnet that allows the egress and ingress of IPv4 packets to the subnet from other local and remo[...]

• Page 369

Note: Routing interfaces can be configured from either the command line interface or the menus interface.
The following subsections describe the three main components of a routing interface:
• VLAN ID (VID)
• Interface number
• IP address and subnet mask
VLAN ID (VID)
An i[...]

• Page 370

the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resided in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server. How[...]

• Page 371

Interface Names
Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an interface number, separated by a dash. The VLAN is designated by “vlan” followed by the VLAN identification number (VID) or the VLAN name. He[...]

• Page 372

Static Routes
In order for the switch to route an IPv4 packet to a remote network or subnet, there must be a route to the destination in the routing table of the switch. The route must consist of the IP address of the remote destination and the IP address of the nex[...]

• Page 373

The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE.[...]

• Page 374

Routing Information Protocol (RIP)
A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its neighboring routers in the network with the Routing Information Protocol (RIP) versions 1 and 2. RIP is a fairly si[...]

• Page 375

Note: A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does not support encrypted RIP passwords.
The switch transmits its routing table every thirty seconds from those interfaces that have RIP. This interval is not adjustable on the switch. The enti[...]
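The note above is worth seeing on the wire. The following Python is an added example, not code from the manual or a capture from an AT-9400 Switch: it builds a RIPv2 Response with the simple-password authentication entry as RFC 2453 lays it out (authentication entry first, AFI 0xFFFF, type 2, 16-byte password), then parses the datagram back to show that anyone who can sniff the segment reads the password directly. The password and the routes are constructed for the example.

```python
"""RIPv2 simple-password authentication on the wire (added example).

The packet layout follows RFC 2453: a 4-byte header (command, version, zero)
followed by 20-byte entries; an authentication entry has AFI 0xFFFF and, for
type 2 (simple password), carries the password itself in the clear.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

RIP_RESPONSE = 2
RIP_V2 = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
ENTRY_FMT = "!HH4s4s4sI"       # AFI, route tag, IP, mask, next hop, metric (20 bytes)


def build_rip2_response(password: str, routes: List[Tuple[str, str, int]]) -> bytes:
    """password: up to 16 ASCII chars; routes: (prefix, next_hop, metric)."""
    pw = password.encode("ascii")
    if len(pw) > 16:
        raise ValueError("RIPv2 simple password is at most 16 bytes")
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth_entry = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, pw.ljust(16, b"\0"))
    body = b""
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        body += struct.pack(ENTRY_FMT, AFI_IP, 0, net.network_address.packed,
                            net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)
    return header + auth_entry + body


def parse_rip2(datagram: bytes) -> Dict[str, object]:
    """Return header fields, the plaintext password (if present) and the route entries."""
    cmd, ver, _ = struct.unpack("!BBH", datagram[:4])
    result: Dict[str, object] = {"command": cmd, "version": ver, "password": None, "routes": []}
    for offset in range(4, len(datagram), 20):
        raw = datagram[offset:offset + 20]
        afi = struct.unpack("!H", raw[:2])[0]
        if afi == AFI_AUTH:
            auth_type = struct.unpack("!H", raw[2:4])[0]
            if auth_type == AUTH_SIMPLE_PASSWORD:
                result["password"] = raw[4:].rstrip(b"\0").decode("ascii")
            continue
        _, _tag, ip, mask, nh, metric = struct.unpack(ENTRY_FMT, raw)
        prefixlen = bin(int.from_bytes(mask, "big")).count("1")
        prefix = ipaddress.ip_network((ip, prefixlen))
        result["routes"].append((str(prefix), str(ipaddress.ip_address(nh)), metric))
    return result


if __name__ == "__main__":
    pkt = build_rip2_response("s3cret", [("10.20.0.0/16", "0.0.0.0", 1)])
    print(pkt.hex())
    print(parse_rip2(pkt))
```

Because the password sits in the clear in every 30-second update, it only protects against accidental peering with a misconfigured router; it is not a defence against an attacker on the segment, who can both read it and inject routes with it.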

• Page 376

Default Routes
A default route is a “match all” destination entry in the routing table. The switch uses it to route packets whose remote destinations are not in the routing table. Rather than discard the packets, the switch sends them to the next hop specified [...]

• Page 377

Equal-cost Multi-path (ECMP) Routing
When there are multiple routes in the routing table to the same remote destinations, ECMP enables the switch to use the different routes to forward traffic. This can improve network performance by increasing the available bandwidth for the t[...]

• Page 378

ECMP also applies to default routes. This enables the switch to store up to 32 default routes with up to eight of the routes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s abi[...]

• Page 379

Routing Table
The switch maintains its routing information in a table of routes that tells the switch how to find a local or remote destination. Each route is uniquely identified in the table by its IP address, network mask, next hop, protocol, and routing interface. When the sw[...]

• Page 380

Route Selection Process
Here is the route selection process the switch goes through when routing packets to a destination:
• If there is only one route to a destination, forward the packets using the route.
• If there is more than one route to a destination, selec[...]

• Page 381

Address Resolution Protocol (ARP) Table
The switch maintains an ARP table of IP addresses and the matching Ethernet MAC addresses. It refers to the table when routing packets to determine the destination MAC addresses of the nodes, as well as interfaces and ports from where the [...]

• Page 382

Internet Control Message Protocol (ICMP)
ICMP allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another. The switch implements the ICMP functions listed in T[...]

• Page 383

Time to Live Exceeded (11): If the TTL field in a packet falls to zero, the switch will send a “Time to live exceeded” packet. This could occur if a route was excessively long or if too many hops were in the path.
Table 102. ICMP Messages Implemented on the AT-9400 Switc[...]

• Page 384

Routing Interfaces and Management Features
Routing interfaces are primarily intended for the IPv4 packet routing feature. There are, however, a number of management functions that rely on the presence of at least one routing interface on the switch to operate properly. [...]

• Page 385

As an example, assume you decided not to implement the IPv4 routing feature on a switch that had four local subnets, but you wanted the switch to send its events to a syslog server and have access to a RADIUS authentication server. Assume also that you wanted to use a TFTP ser[...]

• Page 386

Pinging a Remote Device
This function is used to validate the existence of an active path between the switch and another network node. The switch can ping a device if it has a routing interface on the local subnet from where the device is reached. In previous version[...]

• Page 387

Local Interface
The local interface is used with the enhanced stacking feature. It is also used with remote management of a switch with a Telnet or SSH client, or a web browser. The local interface does the following:
• With an enhanced stack, it designates on the master switch[...]

• Page 388

AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not support the IPv4 packet routing feature. They do, however, support a limited version of some of the features.
Local Interface
You can create one routing[...]

• Page 389

Note: The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with another network node.
Default Gateway
The def[...]

• Page 390

Routing Command Example
This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands for implementing the feature. To make the example easier to explain, some of the command options are not mentioned and the default values are u[...]

• Page 391

Creating the VLANs
The first step is to create the VLANs for the local subnets on the switch. The VLANs must be created before the routing interfaces. The following command creates a VLAN for the Sales department with a VID of 4 and the appropriate ports:
create vlan=Sales vid[...]

• Page 392

command.
Adding a Static Route and Default Route
Building on our example, assume you decided to manually enter a route to a remote subnet as a static route. The command for creating a static route is ADD IP ROUTE. Here is the basic information for defining a static ro[...]

• Page 393

Adding RIP
Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its routing neighbors using RIP. To implement RIP, you add it to the routing interfaces where rout[...]

• Page 394

Non-routing Command Example
This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in cases where you want to implement the management functions described in “Routing Interfaces and Management Fe[...]

• Page 395

The following command creates a default route for the example and specifies the next hop as 149.44.55.6:
add ip route=0.0.0.0 nexthop=149.44.55.6[...]

• Page 396

Upgrading from AT-S63 Version 1.3.0 or Earlier
When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the management software, the switch automatically creates a routing interface that preserves the previous IP configuratio[...]

• Page 397

Chapter 33: BOOTP Relay Agent
This chapter has the following sections:
• “Supported Platforms” on page 398
• “Overview” on page 399
• “Guidelines” on page 401[...]

• Page 398

Supported Platforms
Refer to Table 104 and Table 105 for the AT-9400 Switches and the management interfaces that support the BOOTP relay agent.
Table 104. Support for the BOOTP Relay Agent (Switch / Supported)
Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP
Basic Layer 3 Models: AT-9424T[...]

• Page 399

Overview
The AT-S63 Management Software comes with a BOOTP relay agent for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP request to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet beca[...]

• Page 400

A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to determine whether the client, in its original request to the server, set this flag to signal that the response must be sent as a broadcast datagram. Some older nodes have this de[...]

• Page 401

Guidelines
These guidelines apply to the BOOTP relay agent:
• A routing interface functions as the BOOTP relay agent for the local clients in its subnet.
• You can specify up to eight DHCP or BOOTP servers.
• The TTL for BOOTP request relay packets is preset on the AT-9[...]


• Page 403

Chapter 34: Virtual Router Redundancy Protocol
The chapter has the following sections:
• “Supported Platforms” on page 404
• “Overview” on page 405
• “Master Switch” on page 406
• “Backup Switches” on page 407
• “Interface Monitoring” on page 408
• “Port Monitoring” on page 409
• “VRRP on the Switch”[...]

• Page 404

Supported Platforms
Refer to Table 106 and Table 107 for the AT-9400 Switches and the management interfaces that support the Virtual Router Redundancy Protocol.
Table 106. Support for the Virtual Router Redundancy Protocol (Switch / Supported)
Layer 2+ Models: AT-9408LC/SP, AT-[...]

• Page 405

Overview
This chapter describes the Virtual Router Redundancy Protocol (VRRP) of the AT-9400 Basic Layer 3 Switches. One of the functions that switches provide to the hosts of a LAN is to act as gateways. The local hosts use the gateways to communicate with the hosts on the WAN.[...]

• Page 406

Master Switch
The virtual router has a virtual MAC address known by all the switches that participate in the virtual router. The virtual MAC address is derived from the virtual router identifier, which is a user-defined value from 1 to 255. All the hosts on the LAN are conf[...]

• Page 407

Backup Switches
All the other switches participating in the virtual router are designated as backup switches. A switch can be part of several different virtual routers on one LAN, provided that all the virtual routers have different virtual router identifiers. When a switch funct[...]

• Page 408

Interface Monitoring
The virtual router can monitor certain interfaces to change the priority of switches if the master switch loses its connection to the outside world. This is known as interface monitoring. Interface monitoring reduces the priority of the switch when an [...]

• Page 409

Port Monitoring
Port monitoring is the process of detecting the failure of ports that are part of a VLAN that a virtual router is running over. If a port fails or is disabled, the VRRP priority is reduced by the stepvalue or by an amount that reflects the proportion of the VLAN’s[...]
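The master and backup sections, interface monitoring and port monitoring all act on one number, the VRRP priority, so the following added Python model (not code from the manual or from Allied Telesis) puts them together. The virtual MAC prefix 00:00:5E:00:01 followed by the VRID is the IANA value for VRRP over IPv4 (RFC 3768), and the election rule (highest priority wins, the address owner uses 255, ties go to the higher primary address) is the RFC's; how the step value is subtracted for a failed monitored interface, and the proportional fallback for failed VLAN ports, are this model's reading of the text above, not the switch's arithmetic. Switch names, addresses and port numbers are constructed.

```python
"""VRRP master election with interface and port monitoring (added example).

Virtual MAC and election rules follow RFC 3768. The priority arithmetic for
interface and port monitoring is an assumption that models the page's
description; it is not the AT-S63 implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VRRP_MAC_PREFIX = "00:00:5e:00:01"
OWNER_PRIORITY = 255          # RFC 3768: the router that owns the virtual IP address
DEFAULT_PRIORITY = 100


def virtual_mac(vrid: int) -> str:
    """Virtual MAC address derived from the virtual router identifier (1 to 255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"{VRRP_MAC_PREFIX}:{vrid:02x}"


@dataclass
class VrrpSwitch:
    name: str
    ip: str                                   # primary address on the VLAN
    base_priority: int = DEFAULT_PRIORITY
    monitored_interfaces: Dict[str, int] = field(default_factory=dict)  # interface -> step value
    vlan_ports: List[int] = field(default_factory=list)                 # ports of the VRRP VLAN
    port_step: int = 0                        # stepvalue per failed port; 0 = proportional (assumed)
    down_interfaces: List[str] = field(default_factory=list)
    failed_ports: List[int] = field(default_factory=list)

    def priority(self, virtual_ip: str) -> int:
        if self.ip == virtual_ip:
            return OWNER_PRIORITY
        p = self.base_priority
        for iface in self.down_interfaces:                 # interface monitoring
            p -= self.monitored_interfaces.get(iface, 0)
        if self.vlan_ports and self.failed_ports:          # port monitoring
            if self.port_step:
                p -= self.port_step * len(self.failed_ports)
            else:                                          # proportion of the VLAN's ports lost
                p -= self.base_priority * len(self.failed_ports) // len(self.vlan_ports)
        return max(1, p)


def elect_master(virtual_ip: str, switches: List[VrrpSwitch]) -> Optional[VrrpSwitch]:
    """Highest priority becomes master; a tie goes to the higher primary IP address."""
    if not switches:
        return None
    return max(switches, key=lambda s: (s.priority(virtual_ip),
                                        tuple(int(o) for o in s.ip.split("."))))


if __name__ == "__main__":
    a = VrrpSwitch("A", "10.1.1.2", 120, {"vlan20-0": 50}, [1, 2, 3, 4])
    b = VrrpSwitch("B", "10.1.1.3", 100)
    print(virtual_mac(7), "master:", elect_master("10.1.1.1", [a, b]).name)
    a.down_interfaces.append("vlan20-0")      # A loses its uplink
    print("after uplink failure:", elect_master("10.1.1.1", [a, b]).name)
```

The uplink case is the one the monitoring features exist for: without it, switch A would stay master while its route to the outside world is gone, and the hosts using the virtual address would be black-holed.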

• Page 410

VRRP on the Switch
VRRP is disabled by default. When a virtual router is created on the switch, it is enabled by default, but the VRRP module must be enabled before it is operational. The VRRP module or a specific virtual router can be enabled or disabled afterwards by usin[...]

• Page 411

prevents a switch from inadvertently backing up another switch. The authentication type and, in the case of plaintext authentication, the password, must be the same for all switches in the virtual router. By default, the virtual router has no authentication. Authentication is se[...]


• Page 413

Section VIII: Port Security
The chapters in this section contain overview information on the port security features of the AT-9400 Switch. The chapters include:
• Chapter 35, “MAC Address-based Port Security” on page 415
• Chapter 36, “802.1x Port-based Network Access Control” on page 421[...]


• Page 415

Chapter 35: MAC Address-based Port Security
The sections in this chapter include:
• “Supported Platforms” on page 416
• “Overview” on page 417
• “Invalid Frames and Intrusion Actions” on page 419
• “Guidelines” on page 420[...]

• Page 416

Supported Platforms
Refer to Table 108 and Table 109 for the AT-9400 Switches and the management interfaces that support MAC address-based port security.
Note: This port security feature is not supported on GBIC, SFP, or XFP modules.
Table 108. Support for MAC Address-bas[...]

• Page 417

Overview
You can use this feature to enhance the security of your network by controlling which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network. It uses a frame’s source MAC address to determine whether [...]

• Page 418

Secured
This security level uses only static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through a port. Dynamic MAC addresses already learned on a p[...]

• Page 419

Invalid Frames and Intrusion Actions
When a port receives an invalid frame, it has to select an intrusion action, which defines the port’s response to the packet. But before defining the intrusion actions, it helps to understand what constitutes an invalid frame. This di[...]
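The Secured level and the invalid-frame handling above can be modelled as a small per-port state machine. The following Python is an added example, not code from the manual or from Allied Telesis: at the Secured level only static addresses forward; the Limited level (learn addresses up to a cap, then treat new ones as invalid) and the three intrusion actions (discard, trap, disable) are assumptions of this model that give the feature a concrete shape, as the page's own description of them is not visible here. Port numbers and MAC addresses are constructed.

```python
"""MAC address-based port security on an ingress port (added example).

The Secured level follows the page: only static MAC addresses forward.
The Limited level and the intrusion actions (discard, trap, disable) are
assumptions of this model, not the page's text.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    port: int
    level: str                                 # "secured" or "limited"
    static_macs: Set[str] = field(default_factory=set)
    limit: int = 0                             # limited level: maximum learned addresses
    intrusion_action: str = "discard"          # discard | trap | disable (assumed set)
    learned: Set[str] = field(default_factory=set)
    disabled: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.static_macs = {m.lower() for m in self.static_macs}
        if self.level not in ("secured", "limited"):
            raise ValueError("level must be secured or limited")

    def ingress(self, src_mac: str) -> bool:
        """Filtering happens on the ingress port: True if the frame is forwarded."""
        src_mac = src_mac.lower()
        if self.disabled:
            return False
        if src_mac in self.static_macs or src_mac in self.learned:
            return True
        if self.level == "limited" and len(self.learned) < self.limit:
            self.learned.add(src_mac)          # still room: learn it and forward
            return True
        return self._intrusion(src_mac)        # invalid frame at this level

    def _intrusion(self, src_mac: str) -> bool:
        self.log.append(f"port {self.port}: invalid frame from {src_mac}")
        if self.intrusion_action == "disable":
            self.disabled = True
            self.log.append(f"port {self.port}: disabled")
        elif self.intrusion_action == "trap":
            self.log.append(f"port {self.port}: SNMP trap sent")
        return False


if __name__ == "__main__":
    p = SecurePort(3, "secured", {"00:aa:bb:cc:dd:01"}, intrusion_action="trap")
    print(p.ingress("00:aa:bb:cc:dd:01"), p.ingress("00:aa:bb:cc:dd:02"))
    print("\n".join(p.log))
```

The "disable" action is the strongest but also the easiest to abuse: one spoofed frame takes the port down for the legitimate station as well, which is why discard-plus-trap is the usual starting point for an access port that other people can plug into.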

• Page 420

Guidelines
The following guidelines apply to MAC address-based port security:
• The filtering of a packet occurs on the ingress port, not on the egress port.
• You cannot use MAC address port security and 802.1x port-based access control on the same port. To configu[...]

• Page 421

Chapter 36: 802.1x Port-based Network Access Control
The sections in this chapter are:
• “Supported Platforms” on page 422
• “Overview” on page 423
• “Authentication Process” on page 425
• “Port Roles” on page 426
• “Authenticator Ports with Single and Multiple Supplicants” on page[...]

• Page 422

Supported Platforms
Refer to Table 110 and Table 111 for the AT-9400 Switches and the management interfaces that support 802.1x port-based network access control.
Table 110. Support for 802.1x Port-based Network Access Control (Switch / Supported)
Layer 2+ Models: A[...]

• Page 423

Overview
The AT-S63 Management Software has several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 35, “MAC Address-based Port Security” on page 415, explains how you can restrict network access using the[...]

• Page 424

• Authentication server - The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the supplicants. The AT-9400 Switch does not authenticate any of the supplicants connecte[...]

• Page 425

Authentication Process
Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard.
• Either the authenticator (that is, a switch port) or the[...]

• Page 426

Port Roles
Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles:
• None
• Authenticator
• Supplicant
None Role
A switch port in the None role does not participate in port-base[...]

• Page 427

Assigning unique username and password combinations to your network users and requiring the users to provide the information when they initially send traffic through the switch can enhance network security by limiting network access to only those supplicants who have been [...]

• Page 428

Note: A supplicant connected to an authenticator port set to force-authorized must have 802.1x client software if the port’s authenticator mode is 802.1x. Though the force-authorized setting prevents an authentication exchange, the supplicant must still have [...]

• Page 429

Authenticator Ports with Single and Multiple Supplicants
An authenticator port has two operating modes. The modes relate to the number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all [...]

• Page 430

Figure 57. Authenticator Port in Single Operating Mode with a Single Client
The example in Figure 58 on page 431 illustrates a configuration that uses the piggy-back mode. Multiple clients are connected to an authenticator port on the switch through an Ethernet [...]

• Page 431

Figure 58. Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 1
Because the piggy-back mode is activated on the authenticator port, only one client needs to be authenticated in order for all the clients to forward traffic through the port. I[...]

• Page 432

If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are pe[...]

• Page 433

Figure 60. Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 3
Multiple Operating Mode
The second type of operating mode for an authenticator port is the Multiple mode. You use this mode when a port is supporting more than one client and you[...]

• Page 434

An example of this authenticator operating mode is illustrated in Figure 61. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x aut[...]

• Page 435

none, port 6 on switch A will discard the packets because switch B would not be logged on to the port. Also notice that the ports where the clients are connected on switch B are set to the none role. This is because a client can log on only once. If, in this example, you we[...]

• Page 436

Supplicant and VLAN Associations
One of the challenges to managing a network is accommodating end users that roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises [...]

• Page 437

Single Operating Mode
Here are the operating characteristics for the switch when an authenticator port is set to the Single operating mode:
• If the switch receives a valid VLAN ID or VLAN name from the RADIUS server, it moves the authenticator port to the designated VLAN[...]

• Page 438

Guest VLAN
An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logged[...]

• Page 439

RADIUS Accounting
The AT-S63 Management Software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information about the status of the supplicants to the RADIUS server so that you can monitor network activity and use. The switch se[...]

• Page 440

General Steps
Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:
1. You must install a RADIUS server on one or more of your network servers or management stations. Authentication protocol ser[...]

• Page 441

Guidelines
The following are general guidelines to using this feature:
• Ports operating under port-based access control do not support dynamic MAC address learning.
• The appropriate port role for a port on the AT-9400 Switch connected to a RADIUS authentication serv[...]

• Page 442

• An authenticator port cannot be part of a static port trunk, LACP port trunk, or port mirror.
• If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, after a timeout perio[...]

• Page 443

Here are guidelines for adding VLAN assignments to supplicant accounts on a RADIUS server:
• The VLAN can be either port-based or tagged.
• The VLAN must already exist on the switch.
• A client can have only one VLAN associated with it on the RADIUS server.
• Whe[...]


• Page 445

Section IX: Management Security
The chapters in this section describe the management security features of the AT-9400 Switch. The chapters include:
• Chapter 37, “Web Server” on page 447
• Chapter 38, “Encryption Keys” on page 453
• Chapter 39, “PKI Certificates and SSL” on page 463
• [...]

  • Page 446

    446 Section IX: Management Security[...]

  • Page 447

    Section IX: Management Security 447 Chapter 37 Web Server The sections in this chapter are: • “Supported Platforms” on page 448 • “Overview” on page 449 • “Configuring the Web Server for HTTP” on page 450 • “Configuring the Web Server for HTTPS” on page 451[...]

  • Page 448

    Chapter 37: Web Server 448 Section IX: Management Security Supported Platforms Refer to Table 112 and Table 113 for the AT-9400 Switches and the management interfaces that support the web server. Table 112. Support for the Web Server (Switch: Supported) Layer 2+ Models: AT-9408LC/SP: Yes; AT-9424T/GB: Yes; AT-9424T/SP: Yes. Basic Layer 3 Models: AT-[...]

  • Page 449

    AT-S63 Management Software Features Guide Section IX: Management Security 449 Overview The AT-S63 Management Software has a web server and a special web browser interface that allow you to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interface, refer [...]

  • Page 450

    Chapter 37: Web Server 450 Section IX: Management Security Configuring the Web Server for HTTP The following steps configure the web server for non-secure HTTP operation. The steps reference only the command line commands, but the web server can be configured from the menus interface, too. 1. Disable the web server with the DISABLE HTTP SERVER[...]

  • Page 451

    AT-S63 Management Software Features Guide Section IX: Management Security 451 Configuring the Web Server for HTTPS The following sections outline the steps for configuring the web server on the switch for HTTPS operation with a self-signed or CA certificate. The steps reference only the command line commands, but the web server can be configure[...]

  • Page 452

    Chapter 37: Web Server 452 Section IX: Management Security 6. After receiving the certificates from the CA, download them into the switch’s file system using the LOAD METHOD=TFTP or LOAD METHOD=XMODEM command. 7. Add the certificates to the certificate database with the ADD PKI CERTIFICATE command. 8. Disable the web server with the DISABLE H[...]

  • Page 453

    Section IX: Management Security 453 Chapter 38 Encryption Keys The sections in this chapter are: • “Supported Platforms” on page 454 • “Overview” on page 455 • “Encryption Key Length” on page 456 • “Encryption Key Guidelines” on page 457 • “Technical Overview” on page 458 For an overview of the procedures to conf[...]

  • Page 454

    Chapter 38: Encryption Keys 454 Section IX: Management Security Supported Platforms Refer to Table 114 and Table 115 for the AT-9400 Switches and the management interfaces that support encryption keys. Table 114. Support for Encryption Keys (Switch: Supported) Layer 2+ Models: AT-9408LC/SP: Yes; AT-9424T/GB: Yes; AT-9424T/SP: Yes. Basic Layer 3 Mod[...]

  • Page 455

    AT-S63 Management Software Features Guide Section IX: Management Security 455 Overview Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s log[...]

  • Page 456

    Chapter 38: Encryption Keys 456 Section IX: Management Security Encryption Key Length When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 256 bits. The longer the key, the more difficult it is for someone to decipher. If you are particularly concerned about the safety [...]

  • Page 457

    AT-S63 Management Software Features Guide Section IX: Management Security 457 Encryption Key Guidelines Observe the following guidelines when creating an encryption key pair: • Web browser encryption requires only one key pair. • SSH encryption requires two key pairs. The keys must be of different lengths of at least one increment (256 bi[...]

  • Page 458

    Chapter 38: Encryption Keys 458 Section IX: Management Security Technical Overview The encryption feature provides the following data security services: • Data encryption • Data authentication • Key exchange algorithms • Key creation and storage Data Encryption Data encryption for switches is driven by the need for organizations to k[...]

  • Page 459

    AT-S63 Management Software Features Guide Section IX: Management Security 459 algorithm and key. For a given input block of plaintext ECB always produces the same block of ciphertext. • Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains [...]

  • Page 460

    Chapter 38: Encryption Keys 460 Section IX: Management Security secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generate[...]

  • Page 461

    AT-S63 Management Software Features Guide Section IX: Management Security 461 • It is very hard to find another message and key which give the same hash. The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-[...]

  • Page 462

    Chapter 38: Encryption Keys 462 Section IX: Management Security A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well tested public key values. The security of the Diffie-Hellman algorithm depends on these v[...]

  • Page 463

    Section IX: Management Security 463 Chapter 39 PKI Certificates and SSL The sections in this chapter are: • “Supported Platforms” on page 464 • “Overview” on page 465 • “Types of Certificates” on page 465 • “Distinguished Names” on page 467 • “SSL and Enhanced Stacking” on page 469 • “Guidelines” on page [...]

  • Page 464

    Chapter 39: PKI Certificates and SSL 464 Section IX: Management Security Supported Platforms Refer to Table 116 and Table 117 for the AT-9400 Switches and the management interfaces that support the PKI certificates and SSL. Table 116. Support for PKI Certificates and SSL (Switch: Supported) Layer 2+ Models: AT-9408LC/SP: Yes; AT-9424T/GB: Yes; AT-[...]

  • Page 465

    AT-S63 Management Software Features Guide Section IX: Management Security 465 Overview This chapter describes the second part of the encryption feature of the AT-S63 Management Software—PKI certificates. The first part is explained in Chapter 38, “Encryption Keys” on page 453. Encryption keys and certificates allow you to encrypt the commu[...]

  • Page 466

    Chapter 39: PKI Certificates and SSL 466 Section IX: Management Security network equipment. With private CAs, companies can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want the group to issue the certificate for the AT-9400 Switch so that y[...]

  • Page 467

    AT-S63 Management Software Features Guide Section IX: Management Security 467 Distinguished Names Part of the task of creating a self-signed certificate or enrollment request is selecting a distinguished name. A distinguished name is integrated into a certificate along with the key and can have up to five parts. The parts are: • cn - common n[...]

  • Page 468

    Chapter 39: PKI Certificates and SSL 468 Section IX: Management Security If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the switch’s name instead of the IP address as the distinguished name. For those switches that do not have an IP address, such as slave switches of an enhanced st[...]

  • Page 469

    AT-S63 Management Software Features Guide Section IX: Management Security 469 SSL and Enhanced Stacking Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in[...]

  • Page 470

    Chapter 39: PKI Certificates and SSL 470 Section IX: Management Security Guidelines The guidelines for creating certificates are: • A certificate can have only one key. • A switch can use only those certificates that contain a key that was generated on the switch. • You can create multiple certificates on a switch, but the device uses th[...]

  • Page 471

    AT-S63 Management Software Features Guide Section IX: Management Security 471 Technical Overview This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol[...]

  • Page 472

    Chapter 39: PKI Certificates and SSL 472 Section IX: Management Security SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification An SSL connection has two phases: handshake and data transfer. The handshake initiates[...]

  • Page 473

    AT-S63 Management Software Features Guide Section IX: Management Security 473 To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authority (CA) issues certificates after [...]

  • Page 474

    Chapter 39: PKI Certificates and SSL 474 Section IX: Management Security this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate. Caution Although a certificate binds a public key to a subject to ensure the public key’s security, it does n[...]

  • Page 475

    AT-S63 Management Software Features Guide Section IX: Management Security 475 Elements of a Public Key Infrastructure A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements: • At least one certification authority (CA), which [...]

  • Page 476

    Chapter 39: PKI Certificates and SSL 476 Section IX: Management Security Certificate Validation To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate. CA Hierarchies and Certificate Chains It may not be practical for every individual certificate in an organi[...]

  • Page 477

    AT-S63 Management Software Features Guide Section IX: Management Security 477 PKI Implementation The following sections discuss the implementation of PKI on the AT-9400 Switch. The following topics are covered: • PKI Standards • Certificate Retrieval and Storage • Certificate Validation • Root CA Certificates PKI Standards The following[...]

  • Page 478

    Chapter 39: PKI Certificates and SSL 478 Section IX: Management Security[...]

  • Page 479

    Section IX: Management Security 479 Chapter 40 Secure Shell (SSH) The sections in this chapter are: • “Supported Platforms” on page 480 • “Overview” on page 481 • “Support for SSH” on page 482 • “SSH Server” on page 483 • “SSH Clients” on page 484 • “SSH and Enhanced Stacking” on page 485 • “SSH Confi[...]

  • Page 480

    Chapter 40: Secure Shell (SSH) 480 Section IX: Management Security Supported Platforms Refer to Table 118 and Table 119 for the AT-9400 Switches and the management interfaces that support the Secure Shell protocol. Table 118. Support for the Secure Shell Protocol (Switch: Supported) Layer 2+ Models: AT-9408LC/SP: Yes; AT-9424T/GB: Yes; AT-9424T/SP[...]

  • Page 481

    AT-S63 Management Software Features Guide Section IX: Management Security 481 Overview Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requirement for security are two universal requirements. Switches are often remotely managed using remote sessions via the Telnet [...]

  • Page 482

    Chapter 40: Secure Shell (SSH) 482 Section IX: Management Security Support for SSH The AT-S63 implementation of the SSH protocol is compliant with the SSH protocol versions 1.3, 1.5, and 2.0. In addition, the following SSH options and features are supported: • Inbound SSH connections (server mode) are supported. • The following security alg[...]

  • Page 483

    AT-S63 Management Software Features Guide Section IX: Management Security 483 SSH Server When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as the SSH default[...]

  • Page 484

    Chapter 40: Secure Shell (SSH) 484 Section IX: Management Security SSH Clients The SSH protocol provides a secure connection between the switch and SSH clients. After you have configured the SSH server, you need to install SSH client software on your management workstations. The AT-S63 Management Software supports both SSH1 and SSH2 clients. Yo[...]

  • Page 485

    AT-S63 Management Software Features Guide Section IX: Management Security 485 SSH and Enhanced Stacking The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave swit[...]

  • Page 486

    Chapter 40: Secure Shell (SSH) 486 Section IX: Management Security Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the master switch of a stack. Activating SSH on a slave switch has no effect.[...]

  • Page 487

    AT-S63 Management Software Features Guide Section IX: Management Security 487 SSH Configuration Guidelines Here are the guidelines to configuring SSH: • SSH requires two encryption key pairs. One key pair functions as the host key and the other as the server key. • The two encryption key pairs must be of different lengths of at least one in[...]

  • Page 488

    Chapter 40: Secure Shell (SSH) 488 Section IX: Management Security General Steps to Configuring SSH Configuring the SSH server involves the following procedures: 1. Create two encryption key pairs on the switch. One pair will function as the host key and the other as the server key. 2. Configure and activate the Secure Shell server on the switch [...]

  • Page 489

    Section IX: Management Security 489 Chapter 41 TACACS+ and RADIUS Protocols This chapter describes the two authentication protocols TACACS+ and RADIUS. Sections in the chapter include: • “Supported Platforms” on page 490 • “Overview” on page 491 • “Guidelines” on page 493[...]

  • Page 490

    Chapter 41: TACACS+ and RADIUS Protocols 490 Section IX: Management Security Supported Platforms Refer to Table 120 and Table 121 for the AT-9400 Switches and the management interfaces that support the TACACS+ and RADIUS protocols. Table 120. Support for the TACACS+ and RADIUS Protocols (Switch: Supported) Layer 2+ Models: AT-9408LC/SP: Yes; AT-942[...]

  • Page 491

    AT-S63 Management Software Features Guide Section IX: Management Security 491 Overview TACACS+ and RADIUS are authentication protocols that can enhance the manageability of your network. In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol serve[...]

  • Page 492

    Chapter 41: TACACS+ and RADIUS Protocols 492 Section IX: Management Security When a network manager logs in to a switch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid. This is referred to as authenticat[...]

  • Page 493

    AT-S63 Management Software Features Guide Section IX: Management Security 493 Guidelines Here are the main steps to using the TACACS+ or RADIUS client on the switch. 1. Install a TACACS+ or RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. 2. [...]

  • Page 494

    Chapter 41: TACACS+ and RADIUS Protocols 494 Section IX: Management Security maximum length for a password is 16 alphanumeric characters and spaces. – To create an account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode, enter the MAC address of the node used by the supplicant as both its user[...]

  • Page 495

    AT-S63 Management Software Features Guide Section IX: Management Security 495 Note If no authentication server responds or if no servers have been defined, the AT-S63 Management Software defaults to the standard manager and operator accounts. Note For more information on TACACS+, refer to the RFC 1492 standard. For more information on RADIUS, [...]

  • Page 496

    Chapter 41: TACACS+ and RADIUS Protocols 496 Section IX: Management Security[...]

  • Page 497

    Section IX: Management Security 497 Chapter 42 Management Access Control List This chapter explains how to restrict Telnet and web browser management access to the switch with the management access control list (ACL). Sections in this chapter include: • “Supported Platforms” on page 498 • “Overview” on page 499 • “Parts of a [...]

  • Page 498

    Chapter 42: Management Access Control List 498 Section IX: Management Security Supported Platforms Refer to Table 122 and Table 123 for the AT-9400 Switches and the management interfaces that support the management access control list. Table 122. Support for the Management Access Control List (Switch: Supported) Layer 2+ Models: AT-9408LC/SP: Yes[...]

  • Page 499

    AT-S63 Management Software Features Guide Section IX: Management Security 499 Overview This chapter explains how to restrict remote management access to a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or[...]

  • Page 500

    Chapter 42: Management Access Control List 500 Section IX: Management Security Parts of a Management ACE An ACE has the following three parts: • IP address • Subnet mask • Application IP Address You can specify the IP address of a specific management station or a subnet. Mask The mask indicates the parts of the IP address the switch shoul[...]

  • Page 501

    AT-S63 Management Software Features Guide Section IX: Management Security 501 Guidelines Below are guidelines for the management ACL: • The default setting for this feature is disabled. • A switch can have only one management ACL. • A management ACL can have up to 256 ACEs. • An ACE must have an IP address and mask. • All management ACE[...]

  • Page 502

    Chapter 42: Management Access Control List 502 Section IX: Management Security Examples Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device: IP Address: 149.11.11.11 Mask[...]

  • Page 503

    AT-S63 Management Software Features Guide Section IX: Management Security 503 The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0: ACE #1 IP Address: 149.11.11.11 Mask: 255.255.255.255 Application Type: All ACE #2 IP Addres[...]
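As an added example (not Allied Telesis code), the following Python models the management ACE and ACL rules described on pages 500 to 503: an ACE is an IP address, a mask that selects the address bits to compare, and an application type; the ACL is a permit list with at most 256 ACEs and is disabled by default. The 255.255.255.0 mask for ACE #2, the application labels, and the implicit deny for a station that matches no ACE are assumptions, not statements from the guide.

```python
"""Model of the AT-S63 management ACL (added example, not vendor code).

Assumptions (not on the page): a station matching no ACE is denied when
the ACL is enabled; masks must be contiguous; ACE #2 uses a /24 mask."""
import ipaddress
from dataclasses import dataclass

MAX_ACES = 256                                   # limit stated in the guidelines
APPLICATIONS = {"all", "telnet", "web", "ping"}  # constructed labels


def _ip_int(addr: str) -> int:
    """Dotted-quad IPv4 string to integer, raising ValueError on bad input."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class ACE:
    """One access control entry: IP address, mask and application type."""
    ip: str
    mask: str
    application: str = "All"

    def __post_init__(self) -> None:
        if self.application.lower() not in APPLICATIONS:
            raise ValueError(f"unknown application type {self.application!r}")
        _ip_int(self.ip)
        # Assumption: only contiguous netmasks are valid; IPv4Network rejects
        # non-contiguous masks such as 255.0.255.0 with a ValueError.
        ipaddress.IPv4Network(f"0.0.0.0/{self.mask}")

    def matches(self, source_ip: str, application: str) -> bool:
        """True when the source address and application fall under this ACE."""
        app_ok = self.application.lower() in ("all", application.lower())
        mask = _ip_int(self.mask)
        # The mask selects which bits of the source address are compared.
        return app_ok and (_ip_int(source_ip) & mask) == (_ip_int(self.ip) & mask)


class ManagementACL:
    """A switch has one management ACL; when enabled it permits only
    stations that match at least one ACE."""

    def __init__(self, enabled: bool = False) -> None:  # factory default: disabled
        self.enabled = enabled
        self.aces: list[ACE] = []

    def add(self, ace: ACE) -> None:
        if len(self.aces) >= MAX_ACES:
            raise ValueError("a management ACL can have at most 256 ACEs")
        self.aces.append(ace)

    def permits(self, source_ip: str, application: str) -> bool:
        if not self.enabled:  # feature disabled: no restriction is applied
            return True
        # Assumption: no matching ACE means the station is denied.
        return any(ace.matches(source_ip, application) for ace in self.aces)


def example_acl() -> ManagementACL:
    """The two-ACE list from page 503. The mask for ACE #2 is assumed to be
    255.255.255.0, since the page names the subnet 149.22.22.0 but the
    mask itself is cut off."""
    acl = ManagementACL(enabled=True)
    acl.add(ACE("149.11.11.11", "255.255.255.255", "All"))  # ACE #1
    acl.add(ACE("149.22.22.0", "255.255.255.0", "All"))     # ACE #2 (mask assumed)
    return acl


if __name__ == "__main__":
    acl = example_acl()
    for src, app in [("149.11.11.11", "Telnet"), ("149.22.22.77", "Web"),
                     ("149.33.33.3", "Telnet")]:
        print(src, app, "permitted" if acl.permits(src, app) else "denied")
```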

  • Page 504

    Chapter 42: Management Access Control List 504 Section IX: Management Security[...]

  • Page 505

    505 Appendix A AT-S63 Management Software Default Settings This appendix lists the factory default settings for the AT-S63 Management Software. The features are listed in alphabetical order: • “Address Resolution Protocol Cache” on page 507 • “Boot Configuration File” on page 508 • “BOOTP Relay Agent” on page 509 • “Clas[...]

  • Page 506

    Appendix A: AT-S63 Management Software Default Settings 506 • “System Name, Administrator, and Comments Settings” on page 537 • “Telnet Server” on page 538 • “Virtual Router Redundancy Protocol” on page 539 • “VLANs” on page 540 • “Web Server” on page 541[...]

  • Page 507

    AT-S63 Management Software Features Guide 507 Address Resolution Protocol Cache The following table lists the ARP cache default setting. ARP Cache (Setting: Default): ARP Cache Timeout: 150 seconds[...]

  • Page 508

    Appendix A: AT-S63 Management Software Default Settings 508 Boot Configuration File The following table lists the names of the default configuration files. Boot Configuration File (Setting: Default): Stand-alone Switch: boot.cfg; Stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module: stack.cfg[...]

  • Page 509

    AT-S63 Management Software Features Guide 509 BOOTP Relay Agent The following table lists the default setting for the BOOTP relay agent. BOOTP Relay Agent (Setting: Default): Status: Disabled; Hop Count: 1 (footnote 1: Hop count is not adjustable.)[...]

  • Page 510

    Appendix A: AT-S63 Management Software Default Settings 510 Class of Service The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues. IEEE 802.1p Priority Level: Port Priority Queue. 0: Q1; 1: Q0 (lowest); 2: Q2; 3: Q3; 4: Q4; 5: Q5; 6: Q6; 7: Q7 (highest)[...]

  • Page 511

    AT-S63 Management Software Features Guide 511 Denial of Service Defenses The following table lists the default settings for the Denial of Service prevention feature. Denial of Service Prevention (Setting: Default): IP Address: 0.0.0.0; Subnet Mask: 0.0.0.0; Uplink Port: Highest numbered existing port; SYN Flood Defense: Disabled; Smurf Defense: Disabled; Land D[...]

  • Page 512

    Appendix A: AT-S63 Management Software Default Settings 512 802.1x Port-Based Network Access Control The following table describes the 802.1x Port-based Network Access Control default settings. The following table lists the default settings for RADIUS accounting. The following table lists the default settings for an authenticator port. 802.1x P[...]

  • Page 513

    AT-S63 Management Software Features Guide 513 The following table lists the default settings for a supplicant port. (Authenticator port settings continued from the previous page) VLAN Assignment: Enabled; Secure VLAN: On; Control Direction: Both; Piggyback Mode: Disabled; Guest VLAN: None. Supplicant Port (Setting: Default): Auth Period: 30 seconds; Held Period: 60 seconds; Max Start: 3; Start Period: 30 seconds; User Name (non[...]

  • Page 514

    Appendix A: AT-S63 Management Software Default Settings 514 Enhanced Stacking The following table lists the enhanced stacking default setting. Enhanced Stacking (Setting: Default): Switch State: Slave[...]

  • Page 515

    AT-S63 Management Software Features Guide 515 Ethernet Protection Switching Ring (EPSR) Snooping The following table lists the EPSR default setting. EPSR (Setting: Default): EPSR State: Disabled[...]

  • Page 516

    Appendix A: AT-S63 Management Software Default Settings 516 Event Logs The following table lists the default settings for both the permanent and temporary event logs. Event Log (Setting: Default): Status: Enabled; Full Log Action: Wrap[...]

  • Page 517

    AT-S63 Management Software Features Guide 517 GVRP This section provides the default settings for GVRP. GVRP (Setting: Default): Status: Disabled; GIP Status: Enabled; Join Timer: 20 centiseconds; Leave Timer: 60 centiseconds; Leave All Timer: 1000 centiseconds; Port Mode: Normal[...]

  • Page 518

    Appendix A: AT-S63 Management Software Default Settings 518 IGMP Snooping The following table lists the IGMP Snooping default settings. IGMP Snooping (Setting: Default): IGMP Snooping Status: Disabled; Multicast Host Topology: Single Host/Port (Edge); Host/Router Timeout Interval: 260 seconds; Maximum IGMP Multicast Groups: 64; Multicast Router Ports Mo[...]

  • Page 519

    AT-S63 Management Software Features Guide 519 Internet Protocol Version 4 Packet Routing The following table lists the IPv4 packet routing default settings. Note: The update and invalid timers are not adjustable. The switch does not support the IPv4 routing holddown and flush timers. Packet Routing (Setting: Default): Equal Cost Multi-path (ECMP): Enab[...]

  • Page 520

    Appendix A: AT-S63 Management Software Default Settings 520 Link-flap Protection The following table lists the default settings for link-flap protection. Link-flap Protection (Setting: Default): Status: Disabled; Rate: 10 link state changes; Duration: 60 seconds[...]

  • Page 521

    AT-S63 Management Software Features Guide 521 MAC Address-based Port Security The following table lists the MAC address-based port security default settings. MAC Address-based Port Security (Setting: Default): Security Mode: Automatic (no security); Intrusion Action: Discard; Participating: No; MAC Limit: No Limit[...]

  • Page 522

    Appendix A: AT-S63 Management Software Default Settings 522 MAC Address Table The following table lists the default setting for the MAC address table. MAC Address Table (Setting: Default): MAC Address Aging Time: 300 seconds[...]

  • Page 523

    AT-S63 Management Software Features Guide 523 Management Access Control List The following table lists the default setting for the management access control list. Management ACL (Setting: Default): Status: Disabled[...]

  • Page 524

    Appendix A: AT-S63 Management Software Default Settings 524 Manager and Operator Account The following table lists the manager and operator account default settings. Note: Login names and passwords are case sensitive. Manager Account (Setting: Default): Manager Login Name: manager; Manager Password: friend; Operator Login Name: operator; Operator Password[...]

  • Page 525

    AT-S63 Management Software Features Guide 525 Multicast Listener Discovery Snooping The following table lists the MLD Snooping default settings. MLD Snooping (Setting: Default): MLD Snooping Status: Disabled; Multicast Host Topology: Single Host/Port (Edge); Host/Router Timeout Interval: 260 seconds; Maximum MLD Multicast Groups: 64; Multicast Router Po[...]

  • Page 526

    Appendix A: AT-S63 Management Software Default Settings 526 Public Key Infrastructure The following table lists the PKI default settings, including the generate enrollment request settings. PKI (Setting: Default): Switch Distinguished Name: None; Maximum Number of Certificates: 256; Request Name: None; Key Pair ID: 0; Format: PEM; Type: PKCS10[...]

  • Page 527

    AT-S63 Management Software Features Guide 527 Port Settings The following table lists the port configuration default settings. Port Configuration (Setting: Default): Status: Enabled; 10/100/1000Base-T Speed: Auto-Negotiation; Duplex Mode: Auto-Negotiation; MDI/MDI-X: Auto-MDI/MDIX; Packet Filtering: Disabled; Packet Rate Limiting: Disabled; Override Priority: N[...]

  • Page 528

    Appendix A: AT-S63 Management Software Default Settings 528 RJ-45 Serial Terminal Port The following table lists the RJ-45 serial terminal port default settings. The baud rate is the only adjustable parameter on the port. RJ-45 Serial Terminal Port (Setting: Default): Data Bits: 8; Stop Bits: 1; Parity: None; Flow Control: None; Baud Rate: 9600 bps[...]

  • Page 529

    AT-S63 Management Software Features Guide 529 Router Redundancy Protocol Snooping The following table lists the RRP Snooping default setting. RRP Snooping (Setting: Default): RRP Snooping Status: Disabled[...]

  • Page 530

    Appendix A: AT-S63 Management Software Default Settings 530 Server-based Authentication (RADIUS and TACACS+) This section describes the server-based authentication, RADIUS, and TACACS+ client default settings. Server-based Authentication The following table describes the server-based authentication default settings. RADIUS Client The followin[...]

  • Page 531

    AT-S63 Management Software Features Guide 531 Simple Network Management Protocol The following table describes the SNMP default settings. SNMP Communities (Setting: Default): SNMP Status: Disabled; Authentication Failure Trap Status: Disabled; Community Name: public (Read only); Community Name: private (Read|Write); Status (public): Enabled; Status (priva[...]

  • Page 532

    Appendix A: AT-S63 Management Software Default Settings 532 Simple Network Time Protocol The following table lists the SNTP default settings. SNTP (Setting: Default): System Time: 00:00:00 on January 1, 1980; SNTP Status: Disabled; SNTP Server: 0.0.0.0; UTC Offset: +0; Daylight Savings Time (DST): Enabled; Poll Interval: 600 seconds[...]

  • Page 533

    AT-S63 Management Software Features Guide 533 Spanning Tree Protocols (STP, RSTP, and MSTP) This section provides the spanning tree (STP, RSTP, and MSTP) default settings. Spanning Tree Switch Settings The following table describes the Spanning Tree Protocol default settings for the switch. Spanning Tree Protocol The following table describes the S[...]

  • Page 534

    Appendix A: AT-S63 Management Software Default Settings 534 Multiple Spanning Tree Protocol The following table lists the MSTP default settings. (RSTP settings continued from the previous page) Loop Guard: Disabled; BPDU Guard: Disabled. MSTP (Setting: Default): Status: Disabled; Force Version: MSTP; Bridge Hello Time: 2; Bridge Forwarding Delay: 15; Bridge Max Age: 20; Maximum Hops: 20; Co[...]

  • Page 535

    AT-S63 Management Software Features Guide 535 Secure Shell Server The following table lists the SSH default settings. The SSH port number is not adjustable. SSH (Setting: Default): Status: Disabled; Host Key ID: Not Defined; Server Key ID: Not Defined; Server Key Expiry Time: 0 hours; Login Timeout: 180 seconds; SSH Port Number: 22[...]

  • Page 536

    Appendix A: AT-S63 Management Software Default Settings 536 Secure Sockets Layer The following table lists the SSL default settings. SSL (Setting: Default): Maximum Number of Sessions: 50; Session Cache Timeout: 300 seconds[...]

  • Page 537

    AT-S63 Management Software Features Guide 537 System Name, Administrator, and Comments Settings The following table describes the IP default settings. IP (Setting: Default): System Name: None; Administrator: None; Comments: None[...]

  • Page 538

    Appendix A: AT-S63 Management Software Default Settings 538 Telnet Server The following table lists the Telnet server default settings. The Telnet port number is not adjustable. Telnet Server (Setting: Default): Telnet Server: Enabled; Telnet Port Number: 23; NULL Character: Off[...]

  • Page 539

    AT-S63 Management Software Features Guide 539 Virtual Router Redundancy Protocol The following table lists the VRRP default setting. VRRP (Setting: Default): Status: Disabled[...]

540 VLANs
This section provides the VLAN default settings.
VLAN Setting  Default
Default VLAN Name  Default_VLAN (all ports)
Management VLAN ID  1 (Default_VLAN)
VLAN Mode  User Configured
Uplink Port  None
Ingress Filtering  Disabled[...]

541 Web Server
The following table lists the web server default settings.
Web Server Configuration Setting  Default
Status  Enabled
Operating Mode  HTTP
HTTP Port Number  80
HTTPS Port Number  443[...]

542[...]

543 Appendix B SNMPv3 Configuration Examples
This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol. It includes the following sections:
"SNMPv3 Manager Configuration" on page 544
"SNMPv3 Operator Configuration" on page 545
[...]

Appendix B: SNMPv3 Configuration Examples 544
SNMPv3 Configuration Examples
This appendix provides SNMPv3 configuration examples for the following types of users:
Manager
Operator
In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 24, [...]

545
Configure SNMPv3 SecurityToGroup Table
User Name: systemadmin24
Security Model: v3
Group Name: Managers
Storage Type: NonVolatile
Configure SNMPv3 Notify Table
Notify Name: sysadminTrap
Notify Tag: sysadminTag
Notify Type: Trap
Storage Type: NonVolatile
Configure SNMPv3 Target Address Table [...]

546
Configure SNMPv3 View Table Menu
View Name: internet
View Subtree OID: 1.3.6.1 (or internet)
Subtree Mask:
View Type: Included
Storage Type: NonVolatile
Configure SNMPv3 Access Table
Group Name: Operators
Security Model: SNMPv3
Security Level: Authentication
Read View Name: internet[...]

547
Security Model, Security Level, Read View Name, Write View Name, Notify View Name, Storage Type
SNMPv3 SecurityToGroup Table: User Name, Security Model, Group Name, Storage Type
SNMPv3 Notify Table: Notify Name, Notify Tag, Notify Type, Storage Type
SNMPv3 Target Address Table: Target Address Name, T[...]

548
Security Model, Security Level, Storage Type
SNMPv3 Parameters (Continued)[...]

549 Appendix C Features and Standards
This appendix lists the features and standards of the AT-9400 Switch. Sections include:
"10/100/1000Base-T Twisted Pair Ports" on page 550
"Denial of Service Defenses" on page 550
"Fiber Optic Ports (AT-9408LC/SP Switch)" on page 551
"File System" on page 551
"Ethernet[...]

Appendix C: Features and Standards 550
10/100/1000Base-T Twisted Pair Ports
IEEE 802.1d Bridging
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-T
IEEE 802.3u Auto-Negotiation
IEEE 802.3x 10/100 Mbps Flow Control / Backpressure
IEEE 802.3z 1000 Mbps Flow Control
— Auto-MDI/MDIX
— Head of Line Blocking
— Eight Egress Queues P[...]

551 Fiber Optic Ports (AT-9408LC/SP Switch)
IEEE 802.1d Bridging
IEEE 802.3z 1000Base-SX
— Head of Line Blocking
— Eight Egress Queues Per Port
File System
— 8 megabyte storage capacity
DHCP and BOOTP Clients
RFC 2131 DHCP client
RFC 951, 1542 BOOTP client
Internet Protocol Multicasting
RFC 1112 IGMP [...]

552
RFC 826 Address Resolution Protocol
— Equal Cost Multi-path
— Split Horizon and Split Horizon with Poison Reverse
— Autosummarization of Routes
RFC 1542 BOOTP Relay
MAC Address Table
— Storage capacity of 16K entries
Management Access and Security
RFC 1157 SNMPv1
RFC 1901 SNMPv2
RFC 3411 SNMPv3
RFC 14[...]

553 Management Access Methods
Enhanced Stacking
Out-of-band management (serial port)
In-band management (over the network) using Telnet, SSH, web browser, and SNMP
Management Interfaces
Menus
Command Line
Web Browser
SNMP v1, v2, & v3
Management MIBs
RFC 1213 MIB-II
RFC 1215 TRAP MIB
RFC 1493 Bridg[...]

554 Port Security
IEEE 802.1x Port-based Network Access Control: Supports multiple supplicants per port and the following authentication methods: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP
RFC 2865 RADIUS Client
RFC 2866 RADIUS Accounting
— MAC Address-based security
Port Trunking and Mirroring
IEEE 802.3ad Link Aggregat[...]

555
RFC 1757 RMON Groups 1, 2, 3, and 9
Traffic Control
RFC 2386 Quality of Service featuring:
— Layer 2, 3, and 4 criteria
— Flow Groups, Traffic Classes, and Policies
— DSCP Replacement
— 802.1q Priority Replacement
— Type of Service Replacement
— Type of Service to 802.1q Priority Replacemen[...]

556
— MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.)
IEEE 802.3ac VLAN Tag Frame Extension
IEEE 802.1P GARP VLAN Registration Protocol
Virtual Router Redundancy Protocol
RFC 3768 Virtual Router Redundancy Protocol[...]

557 Appendix D MIB Objects
This appendix lists the SNMP MIB objects in the private Allied Telesis MIBs that apply to the AT-S63 Management Software and the AT-9400 Switch. Sections in the appendix include:
"Access Control Lists" on page 558
"Class of Service" on page 559
"Date, Time, and SNTP Client" on page 560
"D[...]

Appendix D: MIB Objects 558
Access Control Lists
Table 31. Access Control Lists (AtiStackSwitch MIB)
Object Name  OID
atiStkSwACLConfigTable  1.3.6.1.4.1.207.8.17.9.1
atiStkSwACLConfigEntry  1.3.6.1.4.1.207.8.17.9.1.1
atiStkSwACLModuleId  1.3.6.1.4.1.207.8.17.9.1.1.1
atiStkSwACLId  1.3.6.1.4.1.207.8.17.9.1.1.2
atiStkSwACLDescription  1.3.6.1.4.1.207[...]

559 Class of Service
Table 32. CoS Scheduling (AtiStackSwitch MIB)
Object Name  OID
atiSwQoSGroup  1.3.6.1.4.1.207.8.17.7
atiStkSwQoSGroupNumberOfQueues  1.3.6.1.4.1.207.8.17.7.1
atiStkSwQoSGroupSchedulingMode  1.3.6.1.4.1.207.8.17.7.2
Table 33. CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB)
O[...]

560
Date, Time, and SNTP Client
Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB)
Object Name  OID
atiStkSysSystemTimeConfig  1.3.6.1.4.1.207.8.17.1.5
atiStkSwSysCurrentTime  1.3.6.1.4.1.207.8.17.1.5.1
atiStkSwSysCurrentDate  1.3.6.1.4.1.207.8.17.1.5.2
atiStkSwSysSNTPStatus  1.3.6.1.4.1.207.8.17.1.5.3
atiStkSwSysSNTP[...]

561 Denial of Service Defenses
Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB)
Object Name  OID
atiStkDOSConfig  1.3.6.1.4.1.207.8.17.2.6
atiStkDOSConfigLANIpAddress  1.3.6.1.4.1.207.8.17.2.6.1
atiStkDOSConfigLANSubnetMask  1.3.6.1.4.1.207.8.17.2.6.2
Table 38. Denial of Service Defenses (AtiSta[...]

562
Enhanced Stacking
Table 39. Switch Mode and Discovery (AtiStackInfo MIB)
Object Name  OID
atiswitchEnhancedStackingInfo  1.3.6.1.4.1.207.8.16.1
atiswitchEnhStackMode  1.3.6.1.4.1.207.8.16.1.1
atiswitchEnhStackDiscover  1.3.6.1.4.1.207.8.16.1.2
atiswitchEnhStackRemoteNumber  1.3.6.1.4.1.207.8.16.1.3
Table 40. Switches of an[...]

563 GVRP
Table 41. GVRP Switch Configuration (AtiStackSwitch MIB)
Object Name  OID
atiStkSwGVRPConfig  1.3.6.1.4.1.207.8.17.3.6
atiStkSwGVRPStatus  1.3.6.1.4.1.207.8.17.3.6.1
atiStkSwGVRPGIPStatus  1.3.6.1.4.1.207.8.17.3.6.2
atiStkSwGVRPJoinTimer  1.3.6.1.4.1.207.8.17.3.6.3
atiStkSwGVRPLeaveTimer  1.3.6.1.4.1.2[...]

564
atiStkSwGVRPCountersPortNotListening  1.3.6.1.4.1.207.8.17.3.8.1.8
atiStkSwGVRPCountersInvalidPort  1.3.6.1.4.1.207.8.17.3.8.1.9
atiStkSwGVRPCountersInvalidProtocol  1.3.6.1.4.1.207.8.17.3.8.1.10
atiStkSwGVRPCountersInvalidFormat  1.3.6.1.4.1.207.8.17.3.8.1.11
atiStkSwGVRPCountersDatabaseFull  1.3.6.1.4.1.207.8.17.3.8.1[...]

565 MAC Address Table
Table 44. MAC Address Table (AtiStackSwitch MIB)
Object Name  OID
atiStkSwMacAddr2VlanTable  1.3.6.1.4.1.207.8.17.3.3
atiStkSwMacAddr2VlanEntry  1.3.6.1.4.1.207.8.17.3.3.1
atiStkSwMacAddress  1.3.6.1.4.1.207.8.17.3.3.1.1
atiStkSwMacAddrVlanId  1.3.6.1.4.1.207.8.17.3.3.1.2
atiStkSwMacA[...]

566
Management Access Control List
Table 46. Management Access Control List Status (AtiStackSwitch MIB)
Object Name  OID
atiStkSwSysMgmtACLGroup  1.3.6.1.4.1.207.8.17.1.7
atiStkSwSysMgmtACLStatus  1.3.6.1.4.1.207.8.17.1.7.1
Table 47. Management Access Control List Entries (AtiStackSwitch MIB)
Object Name  OID
atiStkSwSysMgmtA[...]

567 Miscellaneous
Table 48. System Reset (AtiStackSwitch MIB)
Object Name  OID
atiStkSwSysGroup  1.3.6.1.4.1.207.8.17.1
atiStkSwSysConfig  1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysReset  1.3.6.1.4.1.207.8.17.1.1.1
Table 49. Local Interface (AtiStackSwitch MIB)
Object Name  OID
atiStkSwSysGroup  1.3.6.1.4.1.207.8.17[...]

568
Port Mirroring
Table 51. Port Mirroring (AtiStackSwitch MIB)
Object Name  OID
atiStkSwPortMirroringConfig  1.3.6.1.4.1.207.8.17.2.2
atiStkSwPortMirroringState  1.3.6.1.4.1.207.8.17.2.2.1
atiStkSwPortMirroringDestinationModuleId  1.3.6.1.4.1.207.8.17.2.2.4
atiStkSwPortMirroringDestinationPortId  1.3.6.1.4.1.207.8.17.2.2.[...]

569 Quality of Service
Table 52. Flow Groups (AtiStackSwitch MIB)
Object Name  OID
atiStkSwQosFlowGrpTable  1.3.6.1.4.1.207.8.17.7.5
atiStkSwQosFlowGrpEntry  1.3.6.1.4.1.207.8.17.7.5.1
atiStkSwQosFlowGrpModuleId  1.3.6.1.4.1.207.8.17.7.5.1.1
atiStkSwQosFlowGrpId  1.3.6.1.4.1.207.8.17.7.5.1.2
atiStkSwQosFlo[...]

570
atiStkSwQosTrafficClassClassPriority  1.3.6.1.4.1.207.8.17.7.6.1.9
atiStkSwQosTrafficClassRemarkPriority  1.3.6.1.4.1.207.8.17.7.6.1.10
atiStkSwQosTrafficClassToS  1.3.6.1.4.1.207.8.17.7.6.1.11
atiStkSwQosTrafficClassMoveToSToPriority  1.3.6.1.4.1.207.8.17.7.6.1.12
atiStkSwQosTrafficClassMovePriorityToToS  1.3.6.1.4.1.2[...]

571 Port Configuration and Status
Table 55. Port Configuration and Status (AtiStackSwitch MIB)
Object Name  OID
atiStkSwPortConfigTable  1.3.6.1.4.1.207.8.17.2.1
atiStkPortConfigEntry  1.3.6.1.4.1.207.8.17.2.1.1
atiStkSwModuleId  1.3.6.1.4.1.207.8.17.2.1.1.1
atiStkSwPortId  1.3.6.1.4.1.207.8.17.2.1.1.2
atiSt[...]

572
Spanning Tree
Table 56. Spanning Tree (AtiStackSwitch MIB)
Object Name  OID
atiStkSwSysConfig  1.3.6.1.4.1.207.8.17.1.1
atiStkSwSysSpanningTreeStatus  1.3.6.1.4.1.207.8.17.1.1.9
atiStkSwSysSpanningTreeVersion  1.3.6.1.4.1.207.8.17.1.1.10[...]

573 Static Port Trunk
Table 57. Static Port Trunks (AtiStackSwitch MIB)
Object Name  OID
atiStkSwStaticTrunkTable  1.3.6.1.4.1.207.8.17.8.1
atiStkSwStaticTrunkEntry  1.3.6.1.4.1.207.8.17.8.1.1
atiStkSwStaticTrunkModuleId  1.3.6.1.4.1.207.8.17.8.1.1.1
atiStkSwStaticTrunkIndex  1.3.6.1.4.1.207.8.17.8.1.1.2
a[...]

574
VLANs
The objects in Table 58 display the specifications of the Default_VLAN. The objects in Table 59 display the names and VIDs of all the VLANs on a switch, but not the VLAN ports.
Table 58. VLAN Table (AtiStackSwitch MIB)
Object Name  OID
atiStkSwVlanConfigTable  1.3.6.1.4.1.207.8.17.3.1
atiStkSwVlanConfigEntry  1.3.[...]

575
Table 61. PVID Table (AtiStackSwitch MIB)
Object Name  OID
atiStkSwPort2VlanTable  1.3.6.1.4.1.207.8.17.3.2
atiStkSwPort2VlanEntry  1.3.6.1.4.1.207.8.17.3.2.1
atiStkSwPortVlanId  1.3.6.1.4.1.207.8.17.3.2.1.1
atiStkSwPortVlanName  1.3.6.1.4.1.207.8.17.3.2.1.2[...]

576[...]

577 Index
Numerics
802.1p priority level in classifiers 139
802.1Q-compliant VLAN mode 340
802.1x Port-based Network Access Control
  authentication process 425
  authenticator port role 423
  default settings 512
  described 423
  guidelines 441
  port roles 426
  supplicant port role 423
  supported platforms 422
A
access control entries (ACE)
  described 499
  exam[...]

Index 578
  protocols 140
  source MAC addresses 139
  TCP flags 143
  TCP source and destination ports 143
  UDP source and destination ports 143
  VLAN ID 140
Common and Internal Spanning Tree (CIST)
  defined 302
  priority 302
common VLAN 85
community names SNMPv1 and SNMPv2c 94
configuration file
  described 75
configuration name 299
control messages, Ethern[...]

579
H
hello time 276
history of new features 55
HMAC authentication algorithm 461
HMAC-MD5-96 (MD5) authentication protocol 256
HMAC-SHA-96 (SHA) authentication protocol 256
HTTP 449
HTTPS 449
I
IEEE 802.1D standard 269
IGMP snooping querier. See Internet Group Management Protocol (IGMP) snooping querier [...]

580
module ID numbers
  described 74
MSTI priority 301
MSTI. See Multiple Spanning Tree Instances (MSTI)
MSTP. See Multiple Spanning Tree Protocol (MSTP)
Multicast Listener Discovery (MLD) snooping
  default settings 525
  described 237
  supported platforms 236
Multiple Spanning Tree Instances (MSTI) 292
  guidelines 296
  ports in multiple instanc[...]

581
  loop guard 283
  supported platforms 270
redundant twisted pair ports 53
regional root 301
regions 299
revision number 299
RJ-45 serial terminal port, default settings 528
root bridge 272
Router Redundancy Protocol (RRP) snooping
  default setting 529
  described 241
  guidelines 242
  supported platforms 240
R[...]

582
static module ID numbers
  described 74
static port trunks
  described
  guidelines 106
  load distribution methods 104
  supported platforms 102
static routes 372
strict priority scheduling 162
subtree mask, related to MIB subtree view 259
supplicant port role 423, 428
supported features 34
SYN flood attack 204
syslog client 134
system priori[...]