Allied Telesis AT-S63 User Manual

613-000801 Rev. A
Management
Software
AT-S63
Features Guide
AT-S63 Version 2.2.0 for the AT-9400 Layer 2+ Switches
AT-S63 Version 3.0.0 for the AT-9400 Basic Layer 3 Switches

Content summary

Page 1 - Features Guide

613-000801 Rev. AManagement SoftwareAT-S63◆Features GuideAT-S63 Version 2.2.0 for the AT-9400 Layer 2+ SwitchesAT-S63 Version 3.0.0 for the AT-9400 Ba

Page 2

Contents10Chapter 34: PKI Certificates and SSL ...

Page 3

Chapter 8: File System100 Section II: Advanced OperationsOverviewThe AT-9400 Switch has a file system in flash memory for storing system files. You ca

Page 4

AT-S63 Management Software Features GuideSection II: Advanced Operations 101Boot Configuration FilesA boot configuration file contains the series of c

Page 5

Chapter 8: File System102 Section II: Advanced OperationsFile Naming ConventionsThe flash memory file system is a flat file system—directories are not

Page 6

AT-S63 Management Software Features GuideSection II: Advanced Operations 103Using Wildcards to Specify Groups of FilesYou can use the asterisk charact

Page 7

Chapter 8: File System104 Section II: Advanced Operations

Page 8

Section II: Advanced Operations 105Chapter 9Event Logs and the Syslog ClientThis chapter describes how to monitor the activity of a switch by viewing

Page 9

Chapter 9: Event Logs and the Syslog Client106 Section II: Advanced OperationsSupported PlatformsThis feature is supported on all AT-9400 Switches: L

Page 10 - Contents

AT-S63 Management Software Features GuideSection II: Advanced Operations 107OverviewA managed switch is a complex piece of computer equipment that inc

Page 11

Chapter 9: Event Logs and the Syslog Client108 Section II: Advanced OperationsSyslog ClientThe management software features a syslog client for sendin

Page 12

Section II: Advanced Operations 109Chapter 10ClassifiersThis chapter explains classifiers for access control lists and Quality of Service policies. Th

Page 13

AT-S63 Management Software Features Guide11IGMP Snooping ...

Page 14

Chapter 10: Classifiers110 Section II: Advanced OperationsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Layer 2+ Mo

Page 15

AT-S63 Management Software Features GuideSection II: Advanced Operations 111OverviewA classifier defines a traffic flow. A traffic flow consists of pa

Page 16

Chapter 10: Classifiers112 Section II: Advanced Operationsis dictated by the QoS policy, as explained in Chapter 13, “Quality of Service” on page 139.

Page 17

AT-S63 Management Software Features GuideSection II: Advanced Operations 113Classifier CriteriaThe components of a classifier are defined in the follo

Page 18 - How This Guide is Organized

Chapter 10: Classifiers114 Section II: Advanced OperationsFigure 4. User Priority and VLAN Fields within an Ethernet FrameYou can identify a traffic f

Page 19

AT-S63 Management Software Features GuideSection II: Advanced Operations 115Observe the following guidelines when using this variable: When selecting

Page 20 - Product Documentation

Chapter 10: Classifiers116 Section II: Advanced OperationsObserve these guidelines when using this criterion: The Protocol variable must be left blan

Page 21 - Where to Go First

AT-S63 Management Software Features GuideSection II: Advanced Operations 117Observe this guideline when using these criteria: The Protocol variable m

Page 22 - Starting a Management Session

Chapter 10: Classifiers118 Section II: Advanced OperationsGuidelinesFollow these guidelines when creating a classifier: Each classifier represents a

Page 23 - Document Conventions

Section II: Advanced Operations 119Chapter 11Access Control ListsThis chapter describes access control lists (ACL) and how they can improve network se

Page 24

Contents12Appendix D: MIB Objects ...

Page 25 - Contacting Allied Telesis

Chapter 11: Access Control Lists120 Section II: Advanced OperationsSupported PlatformsThis feature is supported on the following AT-9400 Switches: La

Page 26

AT-S63 Management Software Features GuideSection II: Advanced Operations 121OverviewAn access control list is a filter that controls the ingress traff

Page 27 - Basic Operations

Chapter 11: Access Control Lists122 Section II: Advanced Operations4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is acc

Page 28

AT-S63 Management Software Features GuideSection II: Advanced Operations 123Parts of an ACLAn ACL must have the following information: Name - An ACL

Page 29

Chapter 11: Access Control Lists124 Section II: Advanced OperationsGuidelinesHere are the rules to creating ACLs: A port can have multiple permit and

Page 30

AT-S63 Management Software Features GuideSection II: Advanced Operations 125ExamplesThis section contains several examples of ACLs. In this example, p

Page 31

Chapter 11: Access Control Lists126 Section II: Advanced OperationsTo deny traffic from several subnets on the same port, you can create multiple clas

Page 32 - Chapter 1: Overview

AT-S63 Management Software Features GuideSection II: Advanced Operations 127The same result can be achieved by assigning the classifiers to different

Page 33

Chapter 11: Access Control Lists128 Section II: Advanced OperationsIn this example, the traffic on ports 14 and 15 is restricted to packets from the s

Page 34

AT-S63 Management Software Features GuideSection II: Advanced Operations 129The next example limits the ingress traffic on port 17 to IP packets from

Page 35 - AT-S63 Management Software

13Figure 1: Static Port Trunk Example...

Page 36 -  Web browser interface

Chapter 11: Access Control Lists130 Section II: Advanced Operations

Page 37

Section II: Advanced Operations 131Chapter 12Class of ServiceThis chapter describes the Class of Service (CoS) feature. Sections in the chapter includ

Page 38

Chapter 12: Class of Service132 Section II: Advanced OperationsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Layer

Page 39

AT-S63 Management Software Features GuideSection II: Advanced Operations 133OverviewWhen a port on an Ethernet switch becomes oversubscribed—its egres

Page 40

Chapter 12: Class of Service134 Section II: Advanced OperationsFor example, when a tagged packet with a priority level of 3 enters a port on the switc

Page 41 - Management Access Methods

AT-S63 Management Software Features GuideSection II: Advanced Operations 135Note that because all ports must use the same priority-to-egress queue map

Page 42 - Management

Chapter 12: Class of Service136 Section II: Advanced OperationsSchedulingA switch port needs a mechanism for knowing the order in which it should hand

Page 43 - Manager Access Levels

AT-S63 Management Software Features GuideSection II: Advanced Operations 137Table 12 shows an example.In this example, the port transmits a maximum nu

Page 44 - Stacking

Chapter 12: Class of Service138 Section II: Advanced OperationsQ6 15Q7 0Table 13. Example of a Weight of Zero for Priority Queue 7 (Continued)Port Egr

Page 45

Section II: Advanced Operations 139Chapter 13Quality of ServiceThis chapter describes Quality of Service (QoS). Sections in the chapter include: “Sup

Page 47 - Redundant Twisted Pair Ports

Chapter 13: Quality of Service140 Section II: Advanced OperationsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Laye

Page 48 - AT-9448Ts/XP switches

AT-S63 Management Software Features GuideSection II: Advanced Operations 141OverviewQuality of Service allows you to prioritize traffic and/or limit t

Page 49 - History of New Features

Chapter 13: Quality of Service142 Section II: Advanced OperationsThe QoS functionality described in this chapter sorts packets into various flows, acc

Page 50

AT-S63 Management Software Features GuideSection II: Advanced Operations 143ClassifiersClassifiers identify a particular traffic flow, and range from

Page 51 -  MAC address-based

Chapter 13: Quality of Service144 Section II: Advanced OperationsFlow GroupsFlow groups group similar traffic flows together, and allow more specific

Page 52

AT-S63 Management Software Features GuideSection II: Advanced Operations 145Traffic ClassesTraffic classes are the central component of the QoS soluti

Page 53 -  Supplicant Mode for

Chapter 13: Quality of Service146 Section II: Advanced OperationsPoliciesQoS policies consist of a collection of user defined traffic classes. A polic

Page 54

AT-S63 Management Software Features GuideSection II: Advanced Operations 147QoS Policy GuidelinesFollowing is a list of QoS policy guidelines: A clas

Page 55

Chapter 13: Quality of Service148 Section II: Advanced OperationsPacket ProcessingYou can use the switch’s QoS tools to perform any combination of the

Page 56

AT-S63 Management Software Features GuideSection II: Advanced Operations 149Both the VLAN tag User Priority and the traffic class / flow group priorit

Page 57

15Table 1: AT-9400 Switch Features ...

Page 58 - Master and Slave Switches

Chapter 13: Quality of Service150 Section II: Advanced OperationsReplacing PrioritiesThe traffic class or flow group priority (if set) determines the

Page 59 - Common VLAN

AT-S63 Management Software Features GuideSection II: Advanced Operations 151DiffServ DomainsDifferentiated Services (DiffServ) is a method of dividing

Page 60 - Chapter 2: Enhanced Stacking

Chapter 13: Quality of Service152 Section II: Advanced OperationsTo use the QoS tool set to configure a DiffServ domain:1. As packets come into the do

Page 61 - Slave Switches

AT-S63 Management Software Features GuideSection II: Advanced Operations 153ExamplesThe following examples demonstrate how to implement QoS in three s

Page 62

Chapter 13: Quality of Service154 Section II: Advanced OperationsFigure 13. QoS Voice Application ExampleThe parts of the policies are: Classifier -

Page 63 - Enhanced Stacking Guidelines

AT-S63 Management Software Features GuideSection II: Advanced Operations 155 Traffic Class - No action is taken by the traffic class, other than to s

Page 64

Chapter 13: Quality of Service156 Section II: Advanced OperationsFigure 14. QoS Video Application ExampleThe parts of the policies are: Classifier -

Page 65 - SNMPv1 and SNMPv2c

AT-S63 Management Software Features GuideSection II: Advanced Operations 157packets so they leave containing the new level, you would change option 5,

Page 66

Chapter 13: Quality of Service158 Section II: Advanced OperationsPolicyComponentHierarchyThe purpose of this example is to illustrate the hierarchy of

Page 67

AT-S63 Management Software Features GuideSection II: Advanced Operations 159Figure 16. Policy Component Hierarchy ExampleCreate Classifier01 - Classif

Page 68 - Community String Attributes

Tables16Table 50: Port Configuration and Status (AtiStackSwitch MIB) ...

Page 69

Chapter 13: Quality of Service160 Section II: Advanced Operations

Page 70 - Chapter 3: SNMPv1 and SNMPv2c

Section II: Advanced Operations 161Chapter 14Denial of Service DefensesThis chapter explains the defense mechanisms in the management software that ca

Page 71

Chapter 14: Denial of Service Defenses162 Section II: Advanced OperationsSupported PlatformsThis feature is supported on the following AT-9400 Switche

Page 72

AT-S63 Management Software Features GuideSection II: Advanced Operations 163OverviewThe AT-S63 Management Software can help protect your network again

Page 73

Chapter 14: Denial of Service Defenses164 Section II: Advanced OperationsSYN Flood AttackIn this type of attack, an attacker sends a large number of T

Page 74 - Chapter 4: MAC Address Table

AT-S63 Management Software Features GuideSection II: Advanced Operations 165Smurf AttackThis DoS attack is instigated by an attacker sending a ICMP Ec

Page 75 - Static Port Trunks

Chapter 14: Denial of Service Defenses166 Section II: Advanced OperationsLand AttackIn this attack, an attacker sends a bogus IP packet where the sour

Page 76

AT-S63 Management Software Features GuideSection II: Advanced Operations 1672. If the source IP address is not local to the network, it discards the p

Page 77

Chapter 14: Denial of Service Defenses168 Section II: Advanced OperationsTeardrop AttackAn attacker sends an IP packet in several fragments with a bog

Page 78 - Load Distribution Methods

AT-S63 Management Software Features GuideSection II: Advanced Operations 169Ping of Death AttackThe attacker sends an oversized, fragmented ICMP Echo

Page 79

17PrefaceThis guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software.This

Page 80

Chapter 14: Denial of Service Defenses170 Section II: Advanced OperationsIP Options AttackIn the basic scenario of an IP attack, an attacker sends pac

Page 81 - LACP Port Trunks

AT-S63 Management Software Features GuideSection II: Advanced Operations 171Mirroring TrafficThe Land, Teardrop, Ping of Death, and IP Options defense

Page 82

Chapter 14: Denial of Service Defenses172 Section II: Advanced OperationsDenial of Service Defense GuidelinesBelow are guidelines to observe when usin

Page 83

Section III: Snooping Protocols 173Section IIISnooping ProtocolsThe chapters in this section contain overview information on the snooping protocols. T

Page 84 - Chapter 6: LACP Port Trunks

174 Section III: Snooping Protocols

Page 85

Section III: Snooping Protocols 175Chapter 15IGMP SnoopingThis chapter explains Internet Group Management Protocol (IGMP) snooping feature in the foll

Page 86

Chapter 15: IGMP Snooping176 Section III: Snooping ProtocolsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Layer 2+

Page 87 - LACP System Priority

AT-S63 Management Software Features GuideSection III: Snooping Protocols 177OverviewIPv4 routers use IGMP to create lists of nodes that are members of

Page 88 - LACP Port Priority Value

Chapter 15: IGMP Snooping178 Section III: Snooping ProtocolsWithout IGMP snooping a switch would have to flood multicast packets out all of its ports,

Page 89

Section III: Snooping Protocols 179Chapter 16MLD SnoopingThis chapter explains Multicast Listener Discovery (MLD) snooping: “Supported Platforms” on

Page 90

Preface18How This Guide is OrganizedThis guide has the following sections and chapters: Section I: Basic OperationsChapter 1, “Overview” on page 29Ch

Page 91

Chapter 16: MLD Snooping180 Section III: Snooping ProtocolsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Layer 2+ M

Page 92

AT-S63 Management Software Features GuideSection III: Snooping Protocols 181OverviewMLD snooping performs the same function as IGMP snooping. The swit

Page 93 - Port Mirror

Chapter 16: MLD Snooping182 Section III: Snooping Protocols

Page 94

Section III: Snooping Protocols 183Chapter 17 RRP SnoopingThis chapter explains RRP snooping and contains the following sections:  “Supported Platfor

Page 95

Chapter 17: RRP Snooping184 Section III: Snooping ProtocolsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Layer 2+ M

Page 96 - Chapter 7: Port Mirror

AT-S63 Management Software Features GuideSection III: Snooping Protocols 185OverviewThe Router Redundancy Protocol (RRP) allows multiple routers to sh

Page 97 - Advanced Operations

Chapter 17: RRP Snooping186 Section III: Snooping ProtocolsGuidelinesThe following guidelines apply to the RRP snooping feature: The default setting

Page 98

Section III: Snooping Protocols 187Chapter 18Ethernet Protection Switching Ring SnoopingThis chapter has the following sections: “Supported Platforms

Page 99

Chapter 18: Ethernet Protection Switching Ring Snooping188 Section III: Snooping ProtocolsSupported PlatformsThis feature is supported on the followin

Page 100 - Overview

AT-S63 Management Software Features GuideSection III: Snooping Protocols 189OverviewEthernet Protection Switching Ring is a feature found on selected

Page 101 - Boot Configuration Files

AT-S63 Management Software Features Guide19 Section V: Spanning Tree ProtocolsChapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 2

Page 102 - File Naming Conventions

Chapter 18: Ethernet Protection Switching Ring Snooping190 Section III: Snooping ProtocolsAfter creating the VLANs, you activate EPSR snooping by spec

Page 103

AT-S63 Management Software Features GuideSection III: Snooping Protocols 191RestrictionsEPSR snooping has three important restrictions. All the restri

Page 104 - Chapter 8: File System

Chapter 18: Ethernet Protection Switching Ring Snooping192 Section III: Snooping ProtocolsFigure 17. Double Fault Condition in EPSR SnoopingNow assume

Page 105 - Chapter 9

AT-S63 Management Software Features GuideSection III: Snooping Protocols 193GuidelinesThe guidelines to EPSR snooping are: The AT-9400 Switch can sup

Page 106 - Supported Platforms

Chapter 18: Ethernet Protection Switching Ring Snooping194 Section III: Snooping Protocols

Page 107 - Event Messages

Section IV: SNMPv3 195Section IVSNMPv3The chapter in this section contains overview information on SNMPv3. The chapter is: Chapter 19, ”SNMPv3” on pa

Page 108 - Syslog Client

196 Section IV: SNMPv3

Page 109 - Classifiers

Section IV: SNMPv3 197Chapter 19SNMPv3This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. The following sections

Page 110

Chapter 19: SNMPv3198 Section IV: SNMPv3Supported PlatformsThis feature is supported on the following AT-9400 Switches: Layer 2+ Models– AT-9408LC/S

Page 111

AT-S63 Management Software Features GuideSection IV: SNMPv3 199OverviewThe SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implemen

Page 112 - Service” on page 139

Copyright © 2007 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied

Page 113 - Classifier Criteria

Preface20Product DocumentationFor overview information on the features of the AT-9400 Switch and the AT-S63 Management Software, refer to: AT-S63 Man

Page 114 - Protocol (Layer 2)

Chapter 19: SNMPv3200 Section IV: SNMPv3SNMPv3 Authentication ProtocolsThe SNMPv3 protocol supports two authentication protocols—HMAC-MD5-96 (MD5) and

Page 115

AT-S63 Management Software Features GuideSection IV: SNMPv3 201SNMPv3 Privacy ProtocolAfter you have configured an authentication protocol, you have t

Page 116 - Destination IP Mask (Layer 3)

Chapter 19: SNMPv3202 Section IV: SNMPv3SNMPv3 MIB ViewsThe SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is de

Page 117 - TCP Flags

AT-S63 Management Software Features GuideSection IV: SNMPv3 203After you specify a MIB subtree view you have the option of further restricting a view

Page 118 - Guidelines

Chapter 19: SNMPv3204 Section IV: SNMPv3SNMPv3 Storage TypesEach SNMPv3 table entry has its own storage type. You can choose between nonvolatile stora

Page 119 - Access Control Lists

AT-S63 Management Software Features GuideSection IV: SNMPv3 205SNMPv3 Message NotificationWhen you generate an SNMPv3 message from the switch, there a

Page 120

Chapter 19: SNMPv3206 Section IV: SNMPv3SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configur

Page 121

AT-S63 Management Software Features GuideSection IV: SNMPv3 207 Configure SNMPv3 Notify Table Configure SNMPv3 Target Address Table Configure SNMPv

Page 122

Chapter 19: SNMPv3208 Section IV: SNMPv3 “SNMPv3 Target Parameters Table” on page 209 “SNMPv3 Community Table” on page 209SNMPv3 UserTableThe Config

Page 123 - Parts of an ACL

AT-S63 Management Software Features GuideSection IV: SNMPv3 209SNMPv3 NotifyTableThe Configure SNMPv3 Notify Table menu allows you to define the type

Page 124

AT-S63 Management Software Features Guide21Where to Go FirstAllied Telesis recommends that you read Chapter 1, “Overview” on page 29 in this guide bef

Page 125 - Examples

Chapter 19: SNMPv3210 Section IV: SNMPv3SNMPv3 Configuration ExampleYou may want to have two classes of SNMPv3 users—Managers and Operators. In this s

Page 126 - Figure 7. ACL Example 2

Section V: Spanning Tree Protocols 211Section VSpanning Tree ProtocolsThe section has the following chapters: Chapter 20, “Spanning Tree and Rapid Sp

Page 127 - Figure 8. ACL Example 3

212 Section V: Spanning Tree Protocols

Page 128

Section V: Spanning Tree Protocols 213Chapter 20Spanning Tree and Rapid Spanning Tree ProtocolsThis chapter provides background information on the Spa

Page 129 - Figure 11. ACL Example 6

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols214 Section V: Spanning Tree ProtocolsSupported PlatformsThis feature is supported on the f

Page 130

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 215OverviewThe performance of a Ethernet network can be negatively impacte

Page 131 - Class of Service

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols216 Section V: Spanning Tree ProtocolsBridge Priority and the Root BridgeThe first task tha

Page 132

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 217Path Costs andPort CostsAfter the root bridge has been selected, the br

Page 133

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols218 Section V: Spanning Tree ProtocolsTable 16 lists the STP port costs with Auto-Detect wh

Page 134 - Chapter 12: Class of Service

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 219Table 19. Port Priority Value IncrementsIncrementBridge Priority Increm

Page 135

Preface22Starting a Management SessionFor instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starti

Page 136 - Scheduling

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols220 Section V: Spanning Tree ProtocolsForwarding Delay and Topology ChangesIf there is a ch

Page 137

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 221seconds and the default is two seconds. Consequently, if the AT-9400 Sw

Page 138

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols222 Section V: Spanning Tree ProtocolsFigure 22. Edge PortA port can be both a point-to-poi

Page 139 - Quality of Service

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 223Mixed STP and RSTP NetworksRSTP IEEE 802.1w is fully compliant with STP

Page 140

Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols224 Section V: Spanning Tree ProtocolsSpanning Tree and VLANsThe spanning tree implementati

Page 141

Section V: Spanning Tree Protocols 225Chapter 21Multiple Spanning Tree ProtocolThis chapter provides background information on the Multiple Spanning T

Page 142

Chapter 21: Multiple Spanning Tree Protocol226 Section V: Spanning Tree ProtocolsSupported PlatformsThis feature is supported on the following AT-9400

Page 143

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 227OverviewAs mentioned in Chapter 20, ”Spanning Tree and Rapid Spanning T

Page 144 - Flow Groups

Chapter 21: Multiple Spanning Tree Protocol228 Section V: Spanning Tree ProtocolsMultiple Spanning Tree Instance (MSTI)The individual spanning trees i

Page 145 - Traffic Classes

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 229Figure 25. VLAN Fragmentation with STP or RSTPBlocked PortFAULTRPSMASTE

Page 146 - Policies

AT-S63 Management Software Features Guide23Document ConventionsThis document uses the following conventions:NoteNotes provide additional information.C

Page 147 - QoS Policy Guidelines

Chapter 21: Multiple Spanning Tree Protocol230 Section V: Spanning Tree ProtocolsFigure 26 illustrates the same two AT-9400 Switches and the same two

Page 148 - Packet Prioritization

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 231A MSTI can contain more than one VLAN. This is illustrated in Figure 27

Page 149

Chapter 21: Multiple Spanning Tree Protocol232 Section V: Spanning Tree ProtocolsMSTI GuidelinesFollowing are several guidelines to keep in mind about

Page 150 - DSCP Values

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 233VLAN and MSTI AssociationsPart of the task to configuring MSTP involves

Page 151 - DiffServ Domains

Chapter 21: Multiple Spanning Tree Protocol234 Section V: Spanning Tree ProtocolsPorts in Multiple MSTIsA port can be a member of more than one MSTI a

Page 152

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 235Multiple Spanning Tree RegionsAnother important concept of MSTP is regi

Page 153

Chapter 21: Multiple Spanning Tree Protocol236 Section V: Spanning Tree ProtocolsFigure 28 illustrates the concept of regions. It shows one MSTP regio

Page 154

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 237The same is true for any ports connected to bridges running the single-

Page 155 - Applications

Chapter 21: Multiple Spanning Tree Protocol238 Section V: Spanning Tree ProtocolsCommon andInternalSpanning Tree(CIST)MSTP has a default spanning tree

Page 156

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 239Summary of GuidelinesCareful planning is essential for the successful i

Page 157

Preface24Where to Find Web-based GuidesThe installation and user guides for all Allied Telesis products are available in portable document format (PDF

Page 158 - Hierarchy

Chapter 21: Multiple Spanning Tree Protocol240 Section V: Spanning Tree ProtocolsNoteThe AT-S63 MSTP implementation complies fully with the new IEEE 8

Page 159

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 241Associating VLANs to MSTIsAllied Telesis recommends that you assign all

Page 160

Chapter 21: Multiple Spanning Tree Protocol242 Section V: Spanning Tree ProtocolsFigure 30. CIST and VLAN Guideline - Example 2When port 4 on switch B

Page 161 - Denial of Service Defenses

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 243Connecting VLANs Across Different RegionsSpecial consideration needs to

Page 162

Chapter 21: Multiple Spanning Tree Protocol244 Section V: Spanning Tree ProtocolsAnother approach is to group those VLANs that need to span regions in

Page 163

Section VI: Virtual LANs 245Section VIVirtual LANsThe chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Swit

Page 164 - SYN Flood Attack

246 Section VI: Virtual LANs

Page 165 - Smurf Attack

Section VI: Virtual LANs 247Chapter 22 Port-based and Tagged VLANsThis chapter contains overview information about port-based and tagged virtual LANs

Page 166 - Land Attack

Chapter 22: Port-based and Tagged VLANs248 Section VI: Virtual LANsSupported PlatformsThis feature is supported on the following AT-9400 Switches: La

Page 167

AT-S63 Management Software Features GuideSection VI: Virtual LANs 249OverviewA VLAN is a group of ports on an Ethernet switch that form a logical Ethe

Page 168 - Teardrop Attack

AT-S63 Management Software Features Guide25Contacting Allied TelesisThis section provides Allied Telesis contact information for technical support as

Page 169 - Ping of Death Attack

Chapter 22: Port-based and Tagged VLANs250 Section VI: Virtual LANsManagement Software. You can change the VLAN memberships through the management sof

Page 170 - IP Options Attack

AT-S63 Management Software Features GuideSection VI: Virtual LANs 251Port-based VLAN OverviewAs explained in “Overview” on page 249, a VLAN consists o

Page 171 - Mirroring Traffic

Chapter 22: Port-based and Tagged VLANs252 Section VI: Virtual LANsthree AT-9400 Switches, you would assign the Marketing VLAN on each switch the same

Page 172

AT-S63 Management Software Features GuideSection VI: Virtual LANs 253Guidelines toCreating a Port-based VLANBelow are the guidelines to creating a por

Page 173 - Snooping Protocols

Chapter 22: Port-based and Tagged VLANs254 Section VI: Virtual LANsPort-basedExample 1Figure 32 illustrates an example of one AT-9424T/SP Gigabit Ethe

Page 174

AT-S63 Management Software Features GuideSection VI: Virtual LANs 255In the example, each VLAN has one port connected to the router. The router interc

Page 175 - IGMP Snooping

Chapter 22: Port-based and Tagged VLANs256 Section VI: Virtual LANsThe table below lists the port assignments for the Sales, Engineering, and Producti

Page 176

AT-S63 Management Software Features GuideSection VI: Virtual LANs 257Tagged VLAN OverviewThe second type of VLAN supported by the AT-S63 Management So

Page 177

Chapter 22: Port-based and Tagged VLANs258 Section VI: Virtual LANs Port VLAN IdentifierNoteFor explanations of VLAN name and VLAN identifier, refer

Page 178 - Chapter 15: IGMP Snooping

AT-S63 Management Software Features GuideSection VI: Virtual LANs 259Tagged VLANExampleFigure 34 illustrates how tagged ports can be used to interconn

Page 180

Chapter 22: Port-based and Tagged VLANs260 Section VI: Virtual LANsThe port assignments for the VLANs are as follows:This example is nearly identical

Page 181

Section VI: Virtual LANs 261Chapter 23GARP VLAN Registration ProtocolThis chapter describes the GARP VLAN Registration Protocol (GVRP) and contains th

Page 182 - Chapter 16: MLD Snooping

Chapter 23: GARP VLAN Registration Protocol262 Section VI: Virtual LANsSupported PlatformsThis feature is supported on the following AT-9400 Switches:

Page 183 - RRP Snooping

AT-S63 Management Software Features GuideSection VI: Virtual LANs 263OverviewThe GARP VLAN Registration Protocol (GVRP) allows network devices to shar

Page 184

Chapter 23: GARP VLAN Registration Protocol264 Section VI: Virtual LANsFigure 35 provides an example of how GVRP works.Figure 35. GVRP Example Switche

Page 185

AT-S63 Management Software Features GuideSection VI: Virtual LANs 265as an tagged dynamic GVRP port. If the port is already a member of the VLAN, then

Page 186

Chapter 23: GARP VLAN Registration Protocol266 Section VI: Virtual LANsGuidelinesFollowing are guidelines to observe when using this feature: GVRP is

Page 187 - Snooping

AT-S63 Management Software Features GuideSection VI: Virtual LANs 267GVRP and Network SecurityGVRP should be used with caution because it can expose y

Page 188

Chapter 23: GARP VLAN Registration Protocol268 Section VI: Virtual LANsGVRP-inactive Intermediate SwitchesIf two GVRP-active devices are separated by

Page 189

AT-S63 Management Software Features GuideSection VI: Virtual LANs 269Generic Attribute Registration Protocol (GARP) OverviewThe following is a technic

Page 190

Section I: Basic Operations 27Section IBasic OperationsThe chapters in this section contain background information on basic switch features. The chapt

Page 191 - Restrictions

Chapter 23: GARP VLAN Registration Protocol270 Section VI: Virtual LANsGARP architecture is shown in Figure 36. Figure 36. GARP Architecture The GARP

Page 192

AT-S63 Management Software Features GuideSection VI: Virtual LANs 271Figure 37. GID Architecture GARP registers and deregisters attribute values throu

Page 193

Chapter 23: GARP VLAN Registration Protocol272 Section VI: Virtual LANsTo control the applicant state machine, an applicant administrative control par

Page 194

Section VI: Virtual LANs 273Chapter 24Multiple VLAN ModesThis chapter describes the multiple VLAN modes. This chapter contains the following sections:

Page 195 - Section IV

Chapter 24: Multiple VLAN Modes274 Section VI: Virtual LANsSupported PlatformsThis feature is supported on the following AT-9400 Switches: Layer 2+ M

Page 196 - 196 Section IV: SNMPv3

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 275 - Overview: The multiple VLAN modes are designed to simplify the task of configuring

Page 197 - Chapter 19

Chapter 24: Multiple VLAN Modes - 276 Section VI: Virtual LANs - 802.1Q-Compliant Multiple VLAN Mode: In this mode, each port is placed into a separate VLAN

Page 198

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 277 - This highly segmented configuration is useful in situations where traffic generat

Page 199

Chapter 24: Multiple VLAN Modes - 278 Section VI: Virtual LANs - Non-802.1Q Compliant Multiple VLAN Mode: Unlike the 802.1Q-compliant VLAN mode, which isolate

Page 200 - 200 Section IV: SNMPv3

Section VI: Virtual LANs 279 - Chapter 25: Protected Ports VLANs - This chapter explains protected ports VLANs. It contains the following sections: • “Support

Page 201 - SNMPv3 Privacy Protocol

28 Section I: Basic Operations

Page 202 - SNMPv3 MIB Views

Chapter 25: Protected Ports VLANs - 280 Section VI: Virtual LANs - Supported Platforms: This feature is supported on the following AT-9400 Switches: • Layer 2+

Page 203 - Section IV: SNMPv3 203

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 281 - Overview: The purpose of a protected ports VLAN is to allow multiple ports on the s

Page 204 - SNMPv3 Storage Types

Chapter 25: Protected Ports VLANs - 282 Section VI: Virtual LANs - To create a protected ports VLAN, you perform many of the same steps that you do when you

Page 205 - SNMPv3 Message Notification

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 283 - Guidelines: Following are the guidelines for implementing protected ports VLANs: • A

Page 206 - SNMPv3 Tables

Chapter 25: Protected Ports VLANs - 284 Section VI: Virtual LANs

Page 207

Section VI: Virtual LANs 285 - Chapter 26: MAC Address-based VLANs - This chapter contains overview information about MAC address-based VLANs. Sections in the

Page 208 - 208 Section IV: SNMPv3

Chapter 26: MAC Address-based VLANs - 286 Section VI: Virtual LANs - Supported Platforms: This feature is supported on the following AT-9400 Switches: • Layer

Page 209 - Section IV: SNMPv3 209

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 287 - Overview: As explained in “Overview” on page 249, VLANs are a means for creating in

Page 210 - SNMPv3 Configuration Example

Chapter 26: MAC Address-based VLANs - 288 Section VI: Virtual LANs - Egress Ports: Implementing a MAC address-based VLAN involves more than entering the MAC a

Page 211 - Spanning Tree Protocols

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 289 - The community characteristic of egress ports relieves you from having to map each

Page 212

29 - Chapter 1: Overview - This chapter has the following sections: • “Layer 2+ and Basic Layer 3 Switches” on page 30 • “AT-S63 Management Software” on page 35

Page 213 - Protocols

Chapter 26: MAC Address-based VLANs - 290 Section VI: Virtual LANs - If security is a major concern for your network, you might not want to assign a port as

Page 214

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 291 - VLANs That Span Switches: To create a MAC address-based VLAN that spans switches, y

Page 215

Chapter 26: MAC Address-based VLANs - 292 Section VI: Virtual LANs - Table 23. Example of a MAC Address-based VLAN Spanning Switches - Switch A, Switch B - VLAN Na

Page 216

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 293 - VLAN Hierarchy: The switch’s management software employs a VLAN hierarchy when hand

Page 217 - Port Costs

Chapter 26: MAC Address-based VLANs - 294 Section VI: Virtual LANs - Steps to Creating a MAC Address-based VLAN: Here are the three main steps to creating a M

Page 218

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 295 - Guidelines: Follow these guidelines when implementing a MAC address-based VLAN: • MA

Page 219

Chapter 26: MAC Address-based VLANs - 296 Section VI: Virtual LANs - • Egress ports cannot be part of a static or LACP trunk. • Since this type of VLAN does

Page 220 - Data Units

Section VII: Internet Protocol Routing 297 - Section VII: Routing - This section has the following chapters: • Chapter 27, “Internet Protocol Version 4 Packet

Page 221 - Point-to-Point

298 Section VII: Internet Protocol Routing

Page 222 - (Full-duplex Mode)

299 - Chapter 27: Internet Protocol Version 4 Packet Routing - This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic L

Page 224 - Spanning Tree and VLANs

Chapter 1: Overview - 30 - Layer 2+ and Basic Layer 3 Switches: The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups: • Layer 2+ Swi

Page 225 - Chapter 21

Chapter 27: Internet Protocol Version 4 Packet Routing - 300 Section VII: Routing - Supported Platforms: This feature is supported on the following switches:

Page 226

AT-S63 Management Software Features Guide - Section VII: Routing 301 - Overview: This section contains an overview of the IPv4 routing feature on the AT-9400

Page 227

Chapter 27: Internet Protocol Version 4 Packet Routing - 302 Section VII: Routing - At the end of this overview are two examples that illustrate the sequenc

Page 228

AT-S63 Management Software Features Guide - Section VII: Routing 303 - Routing Interfaces: The IPv4 packet routing feature on the switch is built on the found

Page 229 - AT-9424T/GB

Chapter 27: Internet Protocol Version 4 Packet Routing - 304 Section VII: Routing - Note: Routing interfaces can be configured from either the command line in

Page 230

AT-S63 Management Software Features Guide - Section VII: Routing 305 - the other interfaces in the same VLAN must be assigned manually. For example, if ther

Page 231

Chapter 27: Internet Protocol Version 4 Packet Routing - 306 Section VII: Routing - Interface Names: Many of the IPv4 routing commands have a parameter for an

Page 232 - MSTI Guidelines

AT-S63 Management Software Features Guide - Section VII: Routing 307 - Static Routes: In order for the switch to route an IPv4 packet to a remote network or s

Page 233 - VLAN and MSTI Associations

Chapter 27: Internet Protocol Version 4 Packet Routing - 308 Section VII: Routing - destination. The range for the preference parameter is 0 to 65535. The l

Page 234 - Ports in Multiple MSTIs

AT-S63 Management Software Features Guide - Section VII: Routing 309 - Routing Information Protocol (RIP): A switch can automatically learn routes to remote d

Page 235

AT-S63 Management Software Features Guide - 31 - Table 1. AT-9400 Switch Features - Layer 2+ Switches (Version 2.2.0) - Basic Layer 3 Switches (Version 3.0.0) - Stack1

Page 236

Chapter 27: Internet Protocol Version 4 Packet Routing - 310 Section VII: Routing - their tables. Note: A RIP version 2 password is sent in plaintext. The AT-S

Page 237

AT-S63 Management Software Features Guide - Section VII: Routing 311 - Default Routes: A default route is used when the switch cannot find a route in its rout

Page 238

Chapter 27: Internet Protocol Version 4 Packet Routing - 312 Section VII: Routing - Equal-cost Multi-path (ECMP) Routing: The routing table uses ECMP to store

Page 239 - Summary of Guidelines

AT-S63 Management Software Features Guide - Section VII: Routing 313 - ECMP also applies to default routes. This enables the switch to store up to 32 defaul

Page 240

Chapter 27: Internet Protocol Version 4 Packet Routing - 314 Section VII: Routing - Routing Table: The switch maintains its routing information in a table of

Page 241 - Associating VLANs to MSTIs

AT-S63 Management Software Features Guide - Section VII: Routing 315 - Address Resolution Protocol (ARP) Table: The switch maintains an ARP table of IP addres

Page 242

Chapter 27: Internet Protocol Version 4 Packet Routing - 316 Section VII: Routing - Internet Control Message Protocol (ICMP): ICMP allows routers to send erro

Page 243

AT-S63 Management Software Features Guide - Section VII: Routing 317 - Time to Live Exceeded (11): If the TTL field in a packet falls to zero the switch will

Page 244

Chapter 27: Internet Protocol Version 4 Packet Routing - 318 Section VII: Routing - Routing Interfaces and Management Features: Routing interfaces are primary

Page 245 - Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 319 - As an example, assume you decided not to implement the IPv4 routing feature on a swit

Page 246 - 246 Section VI: Virtual LANs

Chapter 1: Overview - 32 - Quality of Service: Y Y Y Y Y Y Y Y - Denial of service defenses: Y Y Y Y Y Y Y Y - Snooping Protocols - Internet Group Management Protocol (IGMP) snooping

Page 247 - Port-based and Tagged VLANs

Chapter 27: Internet Protocol Version 4 Packet Routing - 320 Section VII: Routing - Pinging a Remote Device: This function is used to validate the existence of

Page 248

AT-S63 Management Software Features Guide - Section VII: Routing 321 - Local Interface: The local interface is used with the enhanced stacking feature. It is

Page 249

Chapter 27: Internet Protocol Version 4 Packet Routing - 322 Section VII: Routing - AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches: The AT-9408LC/SP, AT-9

Page 250 - Tagged VLANs

AT-S63 Management Software Features Guide - Section VII: Routing 323 - Note: The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table

Page 251 - Port-based VLAN Overview

Chapter 27: Internet Protocol Version 4 Packet Routing - 324 Section VII: Routing - Routing Command Example: This section contains an example of the IPv4 rout

Page 252 - Identifier

AT-S63 Management Software Features Guide - Section VII: Routing 325 - Creating the VLANs: The first step is to create the VLANs for the local subnets on the s

Page 253

Chapter 27: Internet Protocol Version 4 Packet Routing - 326 Section VII: Routing - command. Adding a Static Route and Default Route: Building on our example, as

Page 254 - Example 1

AT-S63 Management Software Features Guide - Section VII: Routing 327 - Adding RIP: Rather than adding the static routes to remote destinations, or perhaps to

Page 255 - Example 2

Chapter 27: Internet Protocol Version 4 Packet Routing - 328 Section VII: Routing - Non-routing Command Example: This example illustrates how to assign an IP

Page 256 - 256 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 329 - The following command creates a default route for the example and specifies the next

Page 257 - Tagged VLAN Overview

AT-S63 Management Software Features Guide - 33 - 802.1Q-compliant and non-802.1Q-compliant multiple VLAN modes: Y Y Y Y Y Y Y Y - GARP VLAN Registration Protocol: Y Y Y Y Y Y Y

Page 258

Chapter 27: Internet Protocol Version 4 Packet Routing - 330 Section VII: Routing - Upgrading from AT-S63 Version 1.3.0 or Earlier: When the AT-9400 Switch ru

Page 259 - Tagged VLAN

331 - Chapter 28: BOOTP Relay Agent - This chapter has the following sections: • “Supported Platforms” on page 332 • “Overview” on page 333 • “Guidelines” on pag

Page 260 - 260 Section VI: Virtual LANs

Chapter 28: BOOTP Relay Agent - 332 Section VII: Routing - Supported Platforms: This feature is supported on the following switches: • Layer 2+ Models – Not su

Page 261 - Chapter 23

AT-S63 Management Software Features Guide - Section VII: Routing 333 - Overview: The AT-S63 Management Software comes with a BOOTP relay agent for relaying BO

Page 262

Chapter 28: BOOTP Relay Agent - 334 Section VII: Routing - A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field i

Page 263

AT-S63 Management Software Features Guide - Section VII: Routing 335 - Guidelines: These guidelines apply to the BOOTP relay agent: • A routing interface funct

Page 264 - 264 Section VI: Virtual LANs

Chapter 28: BOOTP Relay Agent - 336 Section VII: Routing

Page 265 - Section VI: Virtual LANs 265

337 - Chapter 29: Virtual Router Redundancy Protocol - The chapter has the following sections: • “Supported Platforms” on page 338 • “Overview” on page 339 • “Ma

Page 266

Chapter 29: Virtual Router Redundancy Protocol - 338 Section VII: Routing - Supported Platforms: This feature is supported on the following switches: • Layer 2

Page 267 - GVRP and Network Security

AT-S63 Management Software Features Guide - Section VII: Routing 339 - Overview: This chapter describes the Virtual Router Redundancy Protocol (VRRP) support

Page 268 - 268 Section VI: Virtual LANs

Chapter 1: Overview - 34 - Remote Secure Shell management: Y Y Y Y Y Y Y Y - TACACS+ and RADIUS authentication: Y Y Y Y Y Y Y Y - Management access control list: Y Y Y Y Y Y Y Y - 1. Basic Lay

Page 269 - Section VI: Virtual LANs 269

Chapter 29: Virtual Router Redundancy Protocol - 340 Section VII: Routing - Master Switch: The virtual router has a virtual MAC address known by all the switc

Page 270 - 270 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 341 - Backup Switches: All the other switches participating in the virtual router are designa

Page 271 - Section VI: Virtual LANs 271

Chapter 29: Virtual Router Redundancy Protocol - 342 Section VII: Routing - Interface Monitoring: The virtual router can monitor certain interfaces to change

Page 272 - 272 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 343 - Port Monitoring: Port monitoring is the process of detecting the failure of ports that

Page 273 - Multiple VLAN Modes

Chapter 29: Virtual Router Redundancy Protocol - 344 Section VII: Routing - VRRP on the Switch: VRRP is disabled by default. When a virtual router is created

Page 274

AT-S63 Management Software Features Guide - Section VII: Routing 345 - prevents a switch from inadvertently backing up another switch. The authentication ty

Page 275

Chapter 29: Virtual Router Redundancy Protocol - 346 Section VII: Routing

Page 276 - 276 Section VI: Virtual LANs

Section VIII: Port Security 347 - Section VIII: Port Security - The chapters in this section contain overview information on the port security features of the

Page 277 - Section VI: Virtual LANs 277

348 Section VIII: Port Security

Page 278 - 278 Section VI: Virtual LANs

Section VIII: Port Security 349 - Chapter 30: MAC Address-based Port Security - The sections in this chapter include: • “Supported Platforms” on page 350 • “Ove

Page 279 - Protected Ports VLANs

AT-S63 Management Software Features Guide - 35 - AT-S63 Management Software: The AT-9400 Switch is managed with the AT-S63 Management Software. The software c

Page 280

Chapter 30: MAC Address-based Port Security - 350 Section VIII: Port Security - Supported Platforms: This feature is supported on the following AT-9400 Switch

Page 281

AT-S63 Management Software Features Guide - Section VIII: Port Security 351 - Overview: You can use this feature to enhance the security of your network by co

Page 282 - 282 Section VI: Virtual LANs

Chapter 30: MAC Address-based Port Security - 352 Section VIII: Port Security - Secured: This security level uses only static MAC addresses assigned to a por

Page 283

AT-S63 Management Software Features Guide - Section VIII: Port Security 353 - Invalid Frames and Intrusion Actions: When a port receives an invalid frame, it

Page 284 - 284 Section VI: Virtual LANs

Chapter 30: MAC Address-based Port Security - 354 Section VIII: Port Security - Guidelines: The following guidelines apply to MAC address-based port security:

Page 285 - MAC Address-based VLANs

Section VIII: Port Security 355 - Chapter 31: 802.1x Port-based Network Access Control - The sections in this chapter are: • “Supported Platforms” on page 356

Page 286

Chapter 31: 802.1x Port-based Network Access Control - 356 Section VIII: Port Security - Supported Platforms: This feature is supported on the following AT-94

Page 287

AT-S63 Management Software Features Guide - Section VIII: Port Security 357 - Overview: The AT-S63 Management Software has several different methods for prote

Page 288 - Egress Ports

Chapter 31: 802.1x Port-based Network Access Control - 358 Section VIII: Port Security - • Authentication server - The authentication server is the network

Page 289 - Section VI: Virtual LANs 289

AT-S63 Management Software Features Guide - Section VIII: Port Security 359 - Authentication Process: Below is a brief overview of the authentication process

Page 290 - 290 Section VI: Virtual LANs

Chapter 1: Overview - 36 - Management Interfaces and Features: The AT-S63 Management Software has three management interfaces: • Menus interface • Command line

Page 291 - VLANs That Span Switches

Chapter 31: 802.1x Port-based Network Access Control - 360 Section VIII: Port Security - Port Roles: Part of the task of implementing this feature is specifyi

Page 292 - 292 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VIII: Port Security 361 - Assigning unique username and password combinations to your network users and

Page 293 - VLAN Hierarchy

Chapter 31: 802.1x Port-based Network Access Control - 362 Section VIII: Port Security - Note: A supplicant connected to an authenticator port set to force-au

Page 294 - 294 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VIII: Port Security 363 - Authenticator Ports with Single and Multiple Supplicants: An authenticator port

Page 295

Chapter 31: 802.1x Port-based Network Access Control - 364 Section VIII: Port Security - Figure 40. Authenticator Port in Single Operating Mode with a Singl

Page 296

AT-S63 Management Software Features Guide - Section VIII: Port Security 365 - Figure 41. Single Operating Mode with Multiple Clients Using the Piggy-back Fe

Page 297 - Section VII

Chapter 31: 802.1x Port-based Network Access Control - 366 Section VIII: Port Security - If the clients are connected to an 802.1x-compliant device, such as

Page 298

AT-S63 Management Software Features Guide - Section VIII: Port Security 367 - Figure 43. Single Operating Mode with Multiple Clients Using the Piggy-back Fe

Page 299 - Chapter 27

Chapter 31: 802.1x Port-based Network Access Control - 368 Section VIII: Port Security - An example of this authenticator operating mode is illustrated in F

Page 300

AT-S63 Management Software Features Guide - Section VIII: Port Security 369 - none, port 6 on switch A will discard the packets because switch B would not b

Page 301

AT-S63 Management Software Features Guide - 37 - Enhanced stacking: Y Y Y - SNMPv1 and SNMPv2 community strings: Y Y Y - Port parameters: Y Y Y - Port statistics: Y Y Y - MAC a

Page 302 - 302 Section VII: Routing

Chapter 31: 802.1x Port-based Network Access Control - 370 Section VIII: Port Security - Supplicant and VLAN Associations: One of the challenges to managing a

Page 303 - Routing Interfaces

AT-S63 Management Software Features Guide - Section VIII: Port Security 371 - Single Operating Mode: Here are the operating characteristics for the switch when

Page 304 - Subnet Mask

Chapter 31: 802.1x Port-based Network Access Control - 372 Section VIII: Port Security - Guest VLAN: An authenticator port in the unauthorized state typically

Page 305 - Section VII: Routing 305

AT-S63 Management Software Features Guide - Section VIII: Port Security 373 - RADIUS Accounting: The AT-S63 Management Software supports RADIUS accounting for

Page 306 - Interface Names

Chapter 31: 802.1x Port-based Network Access Control - 374 Section VIII: Port Security - General Steps: Here are the general steps to implementing 802.1x Port

Page 307 - Static Routes

AT-S63 Management Software Features Guide - Section VIII: Port Security 375 - Guidelines: The following are general guidelines to using this feature: • Ports o

Page 308 - 308 Section VII: Routing

Chapter 31: 802.1x Port-based Network Access Control - 376 Section VIII: Port Security - • An authenticator port cannot be part of a static port trunk, LACP

Page 309 - Section VII: Routing 309

AT-S63 Management Software Features Guide - Section VIII: Port Security 377 - Here are guidelines for adding VLAN assignments to supplicant accounts on a RA

Page 310

Chapter 31: 802.1x Port-based Network Access Control - 378 Section VIII: Port Security

Page 311 - Default Routes

Section IX: Management Security 379 - Section IX: Management Security - The chapters in this section describe the management security features of the AT-9400

Page 312 - 312 Section VII: Routing

Chapter 1: Overview - 38 - Snooping Protocols - Internet Group Management Protocol (IGMP) snooping: Y Y Y - Multicast Listener Discovery (MLD) snooping: Y Y - Router Redund

Page 313 - Section VII: Routing 313

380 Section IX: Management Security

Page 314 - Routing Table

Section IX: Management Security 381 - Chapter 32: Web Server - The sections in this chapter are: • “Supported Platforms” on page 382 • “Overview” on page 383 • “

Page 315 - 1024 dynamic entries

Chapter 32: Web Server - 382 Section IX: Management Security - Supported Platforms: This feature is supported on the following AT-9400 Switches: • Layer 2+ Mod

Page 316 - 316 Section VII: Routing

AT-S63 Management Software Features Guide - Section IX: Management Security 383 - Overview: The AT-S63 Management Software has a web server and a special web

Page 317 - Section VII: Routing 317

Chapter 32: Web Server - 384 Section IX: Management Security - Configuring the Web Server for HTTP: The following steps configure the web server for non-secur

Page 318

AT-S63 Management Software Features Guide - Section IX: Management Security 385 - Configuring the Web Server for HTTPS: The following sections outline the ste

Page 319 - Section VII: Routing 319

Chapter 32: Web Server - 386 Section IX: Management Security - 6. After receiving the certificates from the CA, download them into the switch’s file system

Page 320 - BOOTP Server

Section IX: Management Security 387 - Chapter 33: Encryption Keys - The sections in this chapter are: • “Supported Platforms” on page 388 • “Overview” on page 3

Page 321 - Local Interface

Chapter 33: Encryption Keys - 388 Section IX: Management Security - Supported Platforms: This feature is supported on the following AT-9400 Switches: • Layer 2

Page 322 - 322 Section VII: Routing

AT-S63 Management Software Features Guide - Section IX: Management Security 389 - Overview: Protecting your managed switches from unauthorized management acce

Page 323 - Section VII: Routing 323

AT-S63 Management Software Features Guide - 39 - Internet Protocol Routing - Routing interfaces: Y Y - Static routes: Y - Routing Information Protocol (RIP): Y - Address R

Page 324 - Routing Command Example

Chapter 33: Encryption Keys - 390 Section IX: Management Security - Encryption Key Length: When you create a key pair, you have to specify its length in bits.

Page 325 - Interfaces

AT-S63 Management Software Features Guide - Section IX: Management Security 391 - Encryption Key Guidelines: Observe the following guidelines when creating an

Page 326 - Default Route

Chapter 33: Encryption Keys - 392 Section IX: Management Security - Technical Overview: The encryption feature provides the following data security services:

Page 327 - Selecting the

AT-S63 Management Software Features Guide - Section IX: Management Security 393 - algorithm and key. For a given input block of plaintext ECB always produce

Page 328 - Non-routing Command Example

Chapter 33: Encryption Keys - 394 Section IX: Management Security - secret. Only the decryption, or private key, needs to be kept secret. The other name for

Page 329 - Section VII: Routing 329

AT-S63 Management Software Features Guide - Section IX: Management Security 395 - • It is very hard to find another message and key which give the same hash

Page 330 - 330 Section VII: Routing

Chapter 33: Encryption Keys - 396 Section IX: Management Security - A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange

Page 331 - BOOTP Relay Agent

Section IX: Management Security 397 - Chapter 34: PKI Certificates and SSL - The sections in this chapter are: • “Supported Platforms” on page 398 • “Overview”

Page 332

Chapter 34: PKI Certificates and SSL - 398 Section IX: Management Security - Supported Platforms: This feature is supported on the following AT-9400 Switches:

Page 333

AT-S63 Management Software Features Guide - Section IX: Management Security 399 - Overview: This chapter describes the second part of the encryption feature o

Page 334 - 334 Section VII: Routing

Contents - 4 - Chapter 2: Enhanced Stacking ...

Page 335

Chapter 1: Overview - 40 - 2. You cannot upload or download files to a compact flash card with the web browser interface. Also, the interface does not supp

Page 336 - 336 Section VII: Routing

Chapter 34: PKI Certificates and SSL - 400 Section IX: Management Security - network equipment. With private CAs, companies can keep track of the certificat

Page 337 - Chapter 29

AT-S63 Management Software Features Guide - Section IX: Management Security 401 - Distinguished Names: Part of the task to creating a self-signed certificate

Page 338

Chapter 34: PKI Certificates and SSL - 402 Section IX: Management Security - If your network has a Domain Name System and you mapped a name to the IP addres

Page 339

AT-S63 Management Software Features Guide - Section IX: Management Security 403 - SSL and Enhanced Stacking: Secure Sockets Layer (SSL) is supported in an enh

Page 340 - Master Switch

Chapter 34: PKI Certificates and SSL - 404 Section IX: Management Security - Guidelines: The guidelines for creating certificates are: • A certificate can have

Page 341 - Backup Switches

AT-S63 Management Software Features Guide - Section IX: Management Security 405 - Technical Overview: This section describes the Secure Sockets Layer (SSL) fe

Page 342 - Interface Monitoring

Chapter 34: PKI Certificates and SSL - 406 Section IX: Management Security - SSL uses asymmetrical (Public Key) encryption to establish a connection between

Page 343 - Port Monitoring

AT-S63 Management Software Features Guide - Section IX: Management Security 407 - To verify the authenticity of a server, the server has a public and privat

Page 344 - VRRP on the Switch

Chapter 34: PKI Certificates and SSL - 408 Section IX: Management Security - this, and other attacks, PKI provides a means for secure transfer of public key

Page 345

AT-S63 Management Software Features Guide - Section IX: Management Security 409 - Elements of a Public Key Infrastructure: A public key infrastructure is a set

Page 346 - 346 Section VII: Routing

AT-S63 Management Software Features Guide - 41 - Management Access Methods: You can access the AT-S63 Management Software on the switch several ways: • Local s

Page 347 - Port Security

Chapter 34: PKI Certificates and SSL - 410 Section IX: Management Security - Certificate Validation: To validate a certificate, the end entity verifies the sig

Page 348

AT-S63 Management Software Features Guide - Section IX: Management Security 411 - PKI Implementation: The following sections discuss the implementation of PKI

Page 349 - Chapter 30

Chapter 34: PKI Certificates and SSL - 412 Section IX: Management Security

Page 350

Section IX: Management Security 413 - Chapter 35: Secure Shell (SSH) - The sections in this chapter are: • “Supported Platforms” on page 414 • “Overview” on pag

Page 351

Chapter 35: Secure Shell (SSH) - 414 Section IX: Management Security - Supported Platforms: This feature is supported on the following AT-9400 Switches: • Laye

Page 352

AT-S63 Management Software Features Guide - Section IX: Management Security 415 - Overview: Secure management is increasingly important in modern networks, as

Page 353

Chapter 35: Secure Shell (SSH) - 416 Section IX: Management Security - Support for SSH: The AT-S63 implementation of the SSH protocol is compliant with the SS

Page 354

AT-S63 Management Software Features Guide - Section IX: Management Security 417 - SSH Server: When the SSH server is enabled, connections from SSH clients are

Page 355 - Chapter 31

Chapter 35: Secure Shell (SSH) - 418 Section IX: Management Security - SSH Clients: The SSH protocol provides a secure connection between the switch and SSH c

Page 356

AT-S63 Management Software Features Guide - Section IX: Management Security 419 - SSH and Enhanced Stacking: The AT-S63 Management Software allows for encrypt

Page 357

Chapter 1: Overview - 42 - Remote SNMP Management: You can also remotely configure the switch using a Simple Network Management Protocol (SNMP) application, su

Page 358

Chapter 35: Secure Shell (SSH) - 420 Section IX: Management Security - Because enhanced stacking does not allow for SSH encrypted management sessions betwee

Page 359 - Authentication Process

AT-S63 Management Software Features Guide - Section IX: Management Security 421 - SSH Configuration Guidelines: Here are the guidelines to configuring SSH: • S

Page 360 - Port Roles

Chapter 35: Secure Shell (SSH) - 422 Section IX: Management Security - General Steps to Configuring SSH: Configuring the SSH server involves the following pro

Page 361 - Operational Settings

Section IX: Management Security 423 - Chapter 36: TACACS+ and RADIUS Protocols - This chapter describes the two authentication protocols TACACS+ and RADIUS. S

Page 362

Chapter 36: TACACS+ and RADIUS Protocols - 424 Section IX: Management Security - Supported Platforms: This feature is supported on the following AT-9400 Switc

Page 363 - Single Operating

AT-S63 Management Software Features Guide - Section IX: Management Security 425 - Overview: TACACS+ and RADIUS are authentication protocols that can enhance t

Page 364

Chapter 36: TACACS+ and RADIUS Protocols - 426 Section IX: Management Security - When a network manager logs in to a switch to manage the device, the switch

Page 365

AT-S63 Management Software Features Guide - Section IX: Management Security 427 - Guidelines: Here are the main steps to using the TACACS+ or RADIUS client on

Page 366

Chapter 36: TACACS+ and RADIUS Protocols - 428 Section IX: Management Security - maximum length for a password is 16 alphanumeric characters and spaces. – T

Page 367 - Operating Mode

AT-S63 Management Software Features Guide - Section IX: Management Security 429 - Note: If no authentication server responds or if no servers have been define

Page 368

AT-S63 Management Software Features Guide - 43 - Manager Access Levels: The AT-S63 Management Software has two manager access levels of manager and operator.

Page 369

Chapter 36: TACACS+ and RADIUS Protocols - 430 Section IX: Management Security

Page 370

Section IX: Management Security 431 - Chapter 37: Management Access Control List - This chapter explains how to restrict Telnet and web browser management acc

Page 371

Chapter 37: Management Access Control List - 432 Section IX: Management Security - Supported Platforms: This feature is supported on the following AT-9400 Swi

Page 372 - Guest VLAN

AT-S63 Management Software Features Guide - Section IX: Management Security 433 - Overview: This chapter explains how to restrict remote management access of

Page 373 - RADIUS Accounting

Chapter 37: Management Access Control List - 434 Section IX: Management Security - Parts of a Management ACE: An ACE has the following three parts: • IP addre

Page 374 - General Steps

AT-S63 Management Software Features Guide - Section IX: Management Security 435 - Guidelines: Below are guidelines for the management ACL: • The default settin

Page 375

Chapter 37: Management Access Control List - 436 Section IX: Management Security - Examples: Following are several examples of ACEs. This ACE allows the manage

Page 376

AT-S63 Management Software Features Guide - Section IX: Management Security 437 - The two ACEs in this management ACL permit remote management from the mana

Page 377

Chapter 37: Management Access Control List - 438 Section IX: Management Security

Page 378

439 - Appendix A: AT-S63 Management Software Default Settings - This appendix lists the factory default settings for the AT-S63 Management Software. It contai

Page 379 - Management Security

Chapter 1: Overview - 44 - Installation and Management Configurations: The AT-9400 Switches can be installed in three configurations. Stand-alone Switch: All the

Page 380

Appendix A: AT-S63 Management Software Default Settings - 440 - • “Telnet Server” on page 471 • “Virtual Router Redundancy Protocol” on page 472 • “VLANs” on

Page 381 - Web Server

AT-S63 Management Software Features Guide - 441 - Address Resolution Protocol Cache: The following table lists the ARP cache default setting. ARP Cache Setting

Page 382

Appendix A: AT-S63 Management Software Default Settings - 442 - Boot Configuration File: The following table lists the names of the default configuration file

Page 383

AT-S63 Management Software Features Guide - 443 - BOOTP Relay Agent: The following table lists the default setting for the BOOTP relay agent. BOOTP Relay Agent

Page 384 - Chapter 32: Web Server

Appendix A: AT-S63 Management Software Default Settings - 444 - Class of Service: The following table lists the default mappings of IEEE 802.1p priority level

Page 385

AT-S63 Management Software Features Guide - 445 - Denial of Service Defenses: The following table lists the default settings for the Denial of Service prevent

Page 386

Appendix A: AT-S63 Management Software Default Settings 446 802.1x Port-Based Network Access Control The following table describes the 802.1x Port-based

Page 387 - Encryption Keys

AT-S63 Management Software Features Guide 447 The following table lists the default settings for a supplicant port. VLAN Assignment Enabled Secure VLAN On

Page 388

Appendix A: AT-S63 Management Software Default Settings 448 Enhanced Stacking The following table lists the enhanced stacking default setting. Enhanced St

Page 389

AT-S63 Management Software Features Guide 449 Ethernet Protection Switching Ring (EPSR) Snooping The following table lists the EPSR default setting. EPSR

Page 390 - Encryption Key Length

AT-S63 Management Software Features Guide 45 Here are the main points of stacking: • The AT-9400 Gigabit Ethernet Switches operate as a single, logical u

Page 391 - Encryption Key Guidelines

Appendix A: AT-S63 Management Software Default Settings 450 Event Logs The following table lists the default settings for both the permanent and temporar

Page 392 - Technical Overview

AT-S63 Management Software Features Guide 451 GVRP This section provides the default settings for GVRP. GVRP Setting Default Status Disabled GIP Status Enab

Page 393

Appendix A: AT-S63 Management Software Default Settings 452 IGMP Snooping The following table lists the IGMP Snooping default settings. IGMP Snooping Sett

Page 394 - Authentication

AT-S63 Management Software Features Guide 453 Internet Protocol Version 4 Packet Routing The following table lists the IPv4 packet routing default settin

Page 395 - Algorithms

Appendix A: AT-S63 Management Software Default Settings 454 MAC Address-based Port Security The following table lists the MAC address-based port security

Page 396 - Chapter 33: Encryption Keys

AT-S63 Management Software Features Guide 455 MAC Address Table The following table lists the default setting for the MAC address table. MAC Address Table

Page 397 - PKI Certificates and SSL

Appendix A: AT-S63 Management Software Default Settings 456 Management Access Control List The following table lists the default setting for the manageme

Page 398

AT-S63 Management Software Features Guide 457 Manager and Operator Account The following table lists the manager and operator account default settings. No

Page 399 - Types of Certificates

Appendix A: AT-S63 Management Software Default Settings 458 Multicast Listener Discovery Snooping The following table lists the MLD Snooping default sett

Page 400

AT-S63 Management Software Features Guide 459 Public Key Infrastructure The following table lists the PKI default settings, including the generate enroll

Page 401 - Distinguished Names

Chapter 1: Overview 46 IP Configuration Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the

Page 402

Appendix A: AT-S63 Management Software Default Settings 460 Port Settings The following table lists the port configuration default settings. Port Configur

Page 403 - SSL and Enhanced Stacking

AT-S63 Management Software Features Guide 461 RJ-45 Serial Terminal Port The following table lists the RJ-45 serial terminal port default settings. The ba

Page 404

Appendix A: AT-S63 Management Software Default Settings 462 Router Redundancy Protocol Snooping The following table lists the RRP Snooping default settin

Page 405

AT-S63 Management Software Features Guide 463 Server-based Authentication (RADIUS and TACACS+) This section describes the server-based authentication, RA

Page 406

Appendix A: AT-S63 Management Software Default Settings 464 Simple Network Management Protocol The following table describes the SNMP default settings. SN

Page 407

AT-S63 Management Software Features Guide 465 Simple Network Time Protocol The following table lists the SNTP default settings. SNTP Setting Default System

Page 408 - X.509 Certificates

Appendix A: AT-S63 Management Software Default Settings 466 Spanning Tree Protocols (STP, RSTP, and MSTP) This section provides the spanning tree, STP RS

Page 409 - Infrastructure

AT-S63 Management Software Features Guide 467 Multiple Spanning Tree Protocol The following table lists the MSTP default settings. MSTP Setting Default Statu

Page 410 - Revocation Lists

Appendix A: AT-S63 Management Software Default Settings 468 Secure Shell Server The following table lists the SSH default settings. The SSH port number is

Page 411 - Implementation

AT-S63 Management Software Features Guide 469 Secure Sockets Layer The following table lists the SSL default settings. SSL Setting Default Maximum Number o

Page 412

AT-S63 Management Software Features Guide 47 Redundant Twisted Pair Ports Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are

Page 413 - Secure Shell (SSH)

Appendix A: AT-S63 Management Software Default Settings 470 System Name, Administrator, and Comments Settings The following table describes the IP defaul

Page 414

AT-S63 Management Software Features Guide 471 Telnet Server The following table lists the Telnet server default settings. The Telnet port number is not ad

Page 415

Appendix A: AT-S63 Management Software Default Settings 472 Virtual Router Redundancy Protocol The following table lists the VRRP default setting. VRRP Se

Page 416 - Support for SSH

AT-S63 Management Software Features Guide 473 VLANs This section provides the VLAN default settings. VLAN Setting Default Default VLAN Name Default_VLAN (a

Page 417 - SSH Server

Appendix A: AT-S63 Management Software Default Settings 474 Web Server The following table lists the web server default settings. Web Server Configuration

Page 418 - SSH Clients

475 Appendix B SNMPv3 Configuration Examples This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to

Page 419 - SSH and Enhanced Stacking

Appendix B: SNMPv3 Configuration Examples 476 SNMPv3 Configuration Examples This appendix provides SNMPv3 configuration examples for the following type

Page 420

AT-S63 Management Software Features Guide 477 Configure SNMPv3 SecurityToGroup Table User Name: systemadmin24 Security Model: v3 Group Name: Managers Storage

Page 421 - SSH Configuration Guidelines

Appendix B: SNMPv3 Configuration Examples 478 Configure SNMPv3 View Table Menu View Name: internet View Subtree OID: 1.3.6.1 (or internet) Subtree Mask: V

Page 422

AT-S63 Management Software Features Guide 479 Security Model Security Level Read View Name Write View Name Notify View Name Storage Type SNMPv3 SecurityToGrou

Page 423 - TACACS+ and RADIUS Protocols

Chapter 1: Overview 48 Note These guidelines do not apply to the SFP slots on the AT-9408LC/SP switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts

Page 424

Appendix B: SNMPv3 Configuration Examples 480 Security Model Security Level Storage Type SNMPv3 Parameters (Continued)

Page 425

481 Appendix C Features and Standards This appendix lists the features and standards of the AT-9400 Switch. Sections include: • ”10/100/1000Base-T Twisted

Page 426

Appendix C: Features and Standards 482 10/100/1000Base-T Twisted Pair Ports IEEE 802.1d Bridging IEEE 802.3 10Base-T IEEE 802.3u 100Base-TX IEEE 802.3ab 100

Page 427

AT-S63 Management Software Features Guide 483 Fiber Optic Ports (AT-9408LC/SP Switch) IEEE 802.1d Bridging IEEE 802.3z 1000Base-SX — Head of Line Blocking —

Page 428

Appendix C: Features and Standards 484 RFC 826 Address Resolution Protocol — Equal Cost Multi-path — Split Horizon and Split Horizon with Poison Reverse —

Page 429

AT-S63 Management Software Features Guide 485 Management Access Methods Enhanced Stacking™ Out-of-band management (serial port) In-band management (over t

Page 430

Appendix C: Features and Standards 486 Port Security IEEE 802.1x Port-based Network Access Control: Supports multiple supplicants per port and the follo

Page 431 - Chapter 37

AT-S63 Management Software Features Guide 487 RFC 1757 RMON Groups 1, 2, 3, and 9 Traffic Control RFC 2386 Quality of Service featuring: — Layer 2, 3, and

Page 432

Appendix C: Features and Standards 488 — MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.) IEEE 802.3ac

Page 433

489 Appendix D MIB Objects This appendix lists the SNMP MIB objects in the private Allied Telesis MIBs that apply to the AT-S63 Management Software and t

Page 434 - Parts of a Management ACE

AT-S63 Management Software Features Guide 49 History of New Features The following sections contain the history of new features in the AT-S63 Management

Page 435

Appendix D: MIB Objects 490 Access Control Lists Table 31. Access Control Lists (AtiStackSwitch MIB) Object Name OID atiStkSwACLConfigTable 1.3.6.1.4.1.207

Page 436

AT-S63 Management Software Features Guide 491 Class of Service Table 32. CoS Scheduling (AtiStackSwitch MIB) Object Name OID atiSwQoSGroup 1.3.6.1.4.1.207.

Page 437

Appendix D: MIB Objects 492 Date, Time, and SNTP Client Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB) Object Name OID atiStkSysSystemTimeConfi

Page 438

AT-S63 Management Software Features Guide 493 Denial of Service Defenses Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB) Object Name OID atiStkD

Page 439 - Settings

Appendix D: MIB Objects 494 Enhanced Stacking Table 39. Switch Mode and Discovery (AtiStackInfo MIB) Object Name OID atiswitchEnhancedStackingInfo 1.3.6.1.

Page 440 - “Web Server” on page 474

AT-S63 Management Software Features Guide 495 GVRP Table 41. GVFP Switch Configuration (AtiStackSwitch MIB) Object Name OID atiStkSwGVRPConfig 1.3.6.1.4.1.

Page 441 - ARP Cache Timeout 150 seconds

Appendix D: MIB Objects 496 atiStkSwGVRPCountersPortNotListening 1.3.6.1.4.1.207.8.17.3.8.1.8 atiStkSwGVRPCountersInvalidPort 1.3.6.1.4.1.207.8.17.3.8.1.

Page 442 - Boot Configuration File

AT-S63 Management Software Features Guide 497 MAC Address Table Table 44. MAC Address Table (AtiStackSwitch MIB) Object Name OID atiStkSwMacAddr2VlanTable

Page 443

Appendix D: MIB Objects 498 Management Access Control List Table 46. Management Access Control List Status (AtiStackSwitch MIB) Object Name OID atiStkSwSys

Page 444

AT-S63 Management Software Features Guide 499 Miscellaneous Table 48. System Reset (AtiStackSwitch MIB) Object Name OID atiStkSwSysGroup 1.3.6.1.4.1.207.8.

Page 445

AT-S63 Management Software Features Guide 5 Chapter 10: Classifiers ...

Page 446

Chapter 1: Overview 50 Version 2.1.0 Table 5 lists the new features in version 2.1.0. Version 2.0.0 Table 6 lists the new feature in version 2.0.0 of the

Page 447

Appendix D: MIB Objects 500 Port Mirroring Table 51. Port Mirroring (AtiStackSwitch MIB) Object Name OID atiStkSwPortMirroringConfig 1.3.6.1.4.1.207.8.17.2

Page 448 - Enhanced Stacking

AT-S63 Management Software Features Guide 501 Quality of Service Table 52. Flow Groups (AtiStackSwitch MIB) Object Name OID atiStkSwQosFlowGrpTable 1.3.6.1

Page 449 - EPSR State Disabled

Appendix D: MIB Objects 502 atiStkSwQosTrafficClassClassPriority 1.3.6.1.4.1.207.8.17.7.6.1.9 atiStkSwQosTrafficClassRemarkPriority 1.3.6.1.4.1.207.8.17.

Page 450 - Event Logs

AT-S63 Management Software Features Guide 503 Port Configuration and Status Table 55. Port Configuration and Status (AtiStackSwitch MIB) Object Name OID a

Page 451

Appendix D: MIB Objects 504 Spanning Tree Table 56. Spanning Tree (AtiStackSwitch MIB) Object Name OID atiStkSwSysConfig 1.3.6.1.4.1.207.8.17.1.1 atiStkSwSy

Page 452

AT-S63 Management Software Features Guide 505 Static Port Trunk Table 57. Static Port Trunks (AtiStackSwitch MIB) Object Name OID atiStkSwStaticTrunkTable

Page 453

Appendix D: MIB Objects 506 VLANs The objects in Table 58 display the specifications of the Default_VLAN. The objects in Table 59 display the names and VI

Page 454

AT-S63 Management Software Features Guide 507 Table 61. PVID Table (AtiStackSwitch MIB) Object Name OID atiStkSwPort2VlanTable 1.3.6.1.4.1.207.8.17.3.2 ati

Page 455 - MAC Address Table

Appendix D: MIB Objects 508

Page 456 - Status Disabled

509 Index Numerics 802.1p priority level in classifiers 113 802.1Q-compliant VLAN mode 276 802.1x Port-based Network Access Control authentication process 3

Page 457 - Manager and Operator Account

AT-S63 Management Software Features Guide 51 Version 1.3.0 Table 7 lists the new features in version 1.3.0 of the AT-S63 Management Software. Table 7. Ne

Page 458

Index 510 TCP source and destination ports 117 UDP source and destination ports 117 VLAN ID 114 Common and Internal Spanning Tree (CIST) defined 238 priority

Page 459 - Public Key Infrastructure

AT-S63 Management Software Features Guide 511 interface monitoring 342 Internet Group Management Protocol (IGMP) snooping default settings 452 described 17

Page 460 - Port Settings

Index 512 O operator accounts, default settings 457 P password, default 43 path cost 217 permit access control lists 121 ping of death attack 169 PKI. See Publ

Page 461 - RJ-45 Serial Terminal Port

AT-S63 Management Software Features Guide 513 encryption keys 416 management sessions 41 server 41, 417 supported platforms 414 Secure Sockets Layer (SSL) Se

Page 462 - RRP Snooping Status Disabled

Index 514 Triple DES (3DES) encryption algorithms 393 U UDP destination ports 117 UDP destination ports in classifiers 117 UDP source ports 117 UDP source po

Page 463 - Server-based

Chapter 1: Overview 52 Version 1.2.0 Table 8 lists the new features in version 1.2.0. Table 8. New Features in AT-S63 Version 1.2.0 Feature Change MAC Addr

Page 464

AT-S63 Management Software Features Guide 53 802.1x Port-based Network Access Control Added a new parameter to authenticator ports: • Supplicant Mode for

Page 466

Section I: Basic Operations 55 Chapter 2 Enhanced Stacking This chapter contains the following sections: • “Supported Platforms” on page 56 • “Overview” on

Page 467 - Protocol

Chapter 2: Enhanced Stacking 56 Section I: Basic Operations Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Mo

Page 468 - Secure Shell Server

AT-S63 Management Software Features Guide Section I: Basic Operations 57 Overview Having to manage a large number of network devices typically involves s

Page 469 - Secure Sockets Layer

Chapter 2: Enhanced Stacking 58 Section I: Basic Operations Master and Slave Switches An enhanced stack must have at least one master switch. This switch

Page 470 - Comments None

AT-S63 Management Software Features Guide Section I: Basic Operations 59 Common VLAN A master switch searches for the other switches in an enhanced stack

Page 471 - Telnet Server

Contents 6 Section III: Snooping Protocols ... 173 Chapter 15: IGMP Snooping .

Page 472 - VRRP Setting Default

Chapter 2: Enhanced Stacking 60 Section I: Basic Operations Master Switch and the Local Interface Before a switch can function as the master switch of an

Page 473

AT-S63 Management Software Features Guide Section I: Basic Operations 61 Slave Switches The slave switches of an enhanced stack must be connected to the

Page 474

Chapter 2: Enhanced Stacking 62 Section I: Basic Operations Enhanced Stacking Compatibility This version of enhanced stacking is compatible with earlier

Page 475 - SNMPv3 Configuration Examples

AT-S63 Management Software Features Guide Section I: Basic Operations 63 Enhanced Stacking Guidelines Here are the guidelines to using the enhanced stack

Page 476

Chapter 2: Enhanced Stacking 64 Section I: Basic Operations General Steps Here are the basic steps to implementing the enhanced stacking feature on the A

Page 477 - Configuration

Section I: Basic Operations 65 Chapter 3 SNMPv1 and SNMPv2c This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch

Page 478 - Worksheet

Chapter 3: SNMPv1 and SNMPv2c 66 Section I: Basic Operations Supported Platforms This feature is supported on all AT-9400 Switches: • Layer 2+ Models – AT

Page 479

AT-S63 Management Software Features Guide Section I: Basic Operations 67 Overview You can manage a switch by viewing and changing the management informat

Page 480 - SNMPv3 Parameters (Continued)

Chapter 3: SNMPv1 and SNMPv2c 68 Section I: Basic Operations Community String Attributes A community string has attributes for controlling who can use th

Page 481 - Features and Standards

AT-S63 Management Software Features Guide Section I: Basic Operations 69 the community strings. Each community string can have up to eight trap IP addres

Page 482

AT-S63 Management Software Features Guide 7 Chapter 21: Multiple Spanning Tree Protocol ...

Page 483 - DHCP and BOOTP Clients

Chapter 3: SNMPv1 and SNMPv2c 70 Section I: Basic Operations Default SNMP Community Strings The AT-S63 Management Software provides two default community

Page 484

Section I: Basic Operations 71 Chapter 4 MAC Address Table This chapter contains background information about the MAC address table. This chapter contains

Page 485 - Management MIBs

Chapter 4: MAC Address Table 72 Section I: Basic Operations Overview The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries

Page 486 - System Monitoring

AT-S63 Management Software Features Guide Section I: Basic Operations 73 MAC address table from becoming filled with addresses of nodes that are no long

Page 487 - Traffic Control

Chapter 4: MAC Address Table 74 Section I: Basic Operations

Page 488

Section I: Basic Operations 75 Chapter 5 Static Port Trunks This chapter describes static port trunks. Sections in the chapter include: • “Supported Platf

Page 489 - MIB Objects

Chapter 5: Static Port Trunks 76 Section I: Basic Operations Supported Platforms This feature is supported on all AT-9400 Switches: • Layer 2+ Models – AT

Page 490

AT-S63 Management Software Features Guide Section I: Basic Operations 77 Overview A static port trunk is a group of two to eight ports that function as a

Page 491

Chapter 5: Static Port Trunks 78 Section I: Basic Operations Load Distribution Methods This section discusses load distribution methods and applies to bo

Page 492 - Date, Time, and SNTP Client

AT-S63 Management Software Features Guide Section I: Basic Operations 79 A similar method is used for the two load distribution methods that employ both

Page 493

Contents 8 Chapter 26: MAC Address-based VLANs ... 285 Sup

Page 494

Chapter 5: Static Port Trunks 80 Section I: Basic Operations Guidelines The following guidelines apply to static trunks: • Allied Telesis recommends limit

Page 495

Section I: Basic Operations 81 Chapter 6 LACP Port Trunks This chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the cha

Page 496 - Appendix D: MIB Objects

Chapter 6: LACP Port Trunks 82 Section I: Basic Operations Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Mod

Page 497

AT-S63 Management Software Features Guide Section I: Basic Operations 83 Overview LACP (Link Aggregation Control Protocol) port trunks perform the same f

Page 498

Chapter 6: LACP Port Trunks 84 Section I: Basic Operations If there will be more than one aggregate trunk on a switch, each trunk might require a separa

Page 499 - Miscellaneous

AT-S63 Management Software Features Guide Section I: Basic Operations 85 Here is how the example looks in a table format. Caution The example cited here i

Page 500 - Port Mirroring

Chapter 6: LACP Port Trunks 86 Section I: Basic Operations Here is how this example looks in table format. You could, if you wanted, create separate aggr

Page 501

AT-S63 Management Software Features Guide Section I: Basic Operations 87 LACP System Priority It is possible for two devices interconnected by an aggrega

Page 502

Chapter 6: LACP Port Trunks 88 Section I: Basic Operations Adminkey Parameter The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggre

Page 503 - Port Configuration and Status

AT-S63 Management Software Features Guide Section I: Basic Operations 89 Load Distribution Methods The load distribution method determines the manner in

Page 504

AT-S63 Management Software Features Guide 9 Interface Monitoring...

Page 505 - Static Port Trunk

Chapter 6: LACP Port Trunks 90 Section I: Basic Operations Guidelines The following guidelines apply to creating aggregators: • LACP must be activated on

Page 506

AT-S63 Management Software Features Guide Section I: Basic Operations 91 • When creating a new aggregator, you can specify either a name for the aggrega

Page 507

Chapter 6: LACP Port Trunks 92 Section I: Basic Operations

Page 508

Section I: Basic Operations 93 Chapter 7 Port Mirror This chapter explains the port mirror feature. Sections in the chapter include: • “Supported Platform

Page 509 - Numerics

Chapter 7: Port Mirror 94 Section I: Basic Operations Supported Platforms This feature is supported on all AT-9400 Switches: • Layer 2+ Models – AT-9408LC

Page 510

AT-S63 Management Software Features Guide Section I: Basic Operations 95 Overview The port mirror feature allows for the unobtrusive monitoring of ingres

Page 511

Chapter 7: Port Mirror 96 Section I: Basic Operations

Page 512

Section II: Advanced Operations 97 Section II Advanced Operations This section contains the following chapters: • Chapter 8, ”File System” on page 99 • Cha

Page 513

98 Section II: Advanced Operations

Page 514

Section II: Advanced Operations 99 Chapter 8 File System The chapter explains the switch’s file system and contains the following sections: • “Overview” o
