All rights reserved. No part of this publication may be reproduced without prior written
permission from Allied Telesyn.
Allied Telesyn International, Corp. reserves the right to make changes in specifications
and other information contained in this document without prior written notice. The
information provided herein is subject to change without notice. In no event shall Allied
Telesyn be liable for any incidental, special, indirect, or consequential damages
whatsoever, including but not limited to lost profits, arising out of or related to this
manual or the information contained herein, even if Allied Telesyn has been advised of,
known, or should have known, the possibility of such damages.
All trademarks are the property of their respective owners.
Contents
CHAPTER 1 Introduction
Introducing the AT-8800 Series Switch
Why Read this User Guide?
Where To Find More Information
The AT-8800 Series Switch Documentation Set
Online Technical Support
Features of the AT-8800 Series Switch
Management Features
Software Features
Special Feature Licences
Warning about FLASH memory
CHAPTER 2
CHAPTER 3
Getting Started with the Command Line Interface (CLI)
This Chapter
Connecting a Terminal or PC
Terminal Communication Parameters
Logging In
Assigning an IP Address
Using Trace Route for IP Traffic
Software Release 2.6.1
C613-02039-00 REV A
Chapter 1
Introduction
Introducing the AT-8800 Series Switch
Congratulations on purchasing an AT-8800 Series Intelligent Workgroup
Switch. The AT-8800 Series Switch has been developed to meet the
exceptionally high performance demands of low to mid-range applications and
deliver low-latency high-bandwidth wirespeed Layer 2 and 3 switching.
This guide introduces the AT-8800 Series Switch and will guide you through
the most common uses and applications of your new switch. Getting started
will not take long—many applications are set up in just a few minutes. If you
have any questions about the switch, contact your authorised distributor or
reseller.
Your AT-8800 Series Switch is supplied with default settings which enable it to
operate as a Layer 2 switch immediately, without any configuration. Even if
this is all you want to do, you should still gain access to the switch
configuration, if only to change the manager password to prevent unauthorised
access.
To change the switching configuration, and to take advantage of the advanced
routing features, you will need to enter detailed configuration. The switch has
both a Command Line Interface (CLI) and a Graphical User Interface (GUI) for
configuration and management. Before you can use the GUI, you will need to
login to the switch and use its CLI to allocate an IP address to at least one
interface.
Why Read this User Guide?
Before you use your switch in a live network, please read this guide. The guide
tells you how to access and use the Command Line Interface (CLI) and
Graphical User Interface (GUI) to configure the switch software. It then
introduces a number of common switch functions and how to configure them
using the CLI. For more detailed descriptions of all commands, display
outputs, and background information, see the Software Reference. For
information on configuration using the GUI, see the context-sensitive online
GUI help.
AT-8800 Series Switch User Guide
This user guide is organised into the following chapters:
■Chapter 1, Introduction gives an overview of the switch features and of the
documentation supplied with your switch.
■Chapter 2, Getting Started with the Command Line Interface (CLI) describes
how to gain access to the command line interface.
■Chapter 3, Getting Started with the Graphical User Interface (GUI) describes
how to access and use the graphical user interface, including
troubleshooting the GUI.
■Chapter 4, Operating the switch introduces general operation, management
and support features, including loading and installing support files and
new releases.
■Chapter 5, Layer 2 Switching describes how to configure Layer 2 switching
features, including switch ports and VLANs.
■Chapter 6, Layer 3 outlines some of the switch’s Layer 3 features, including
IP, IP multicasting, IPX and Appletalk.
■Chapter 7, Maintenance and Troubleshooting describes some of the commands
you can use to monitor the switch and diagnose faults.
Where To Find More Information
Before installing the switch and any expansion options, read the important
safety information in the AT-8800 Series Switch Safety and Statutory Information
booklet.
Follow the Quick Install Guide’s step-by-step instructions for physically
installing the switch.
The AT-8800 Series Switch Hardware Reference gives detailed information about
the equipment hardware.
The context-sensitive online GUI help gives descriptions of each page and
element of the GUI.
Once you are familiar with the basic operations of the switch, use the AT-8800 Series Switch Software Reference for full descriptions of routing features and
command syntax.
The AT-8800 Series Switch Documentation Set
The documentation set for the AT-8800 Series Switch includes:
■AT-8800 Series Switch Safety and Statutory Information
■AT-8800 Series Switch Quick Install Guide
■AT-8800 Series Switch Documentation and Tools CD-ROM
The AT-8800 Series Switch Documentation Set in Adobe Acrobat PDF
format is bundled with every switch—the complete reference to installing,
configuring and managing the switch, including detailed descriptions of all
commands.
The CD-ROM includes the following PDF documents:
•AT-8800 Series Switch Safety and Statutory Information
•AT-8800 Series Switch Quick Install Guide
•AT-8800 Series Switch Hardware Reference
•AT-8800 Series Switch Software Reference
The CD-ROM also includes:
•AT-TFTP Server for Windows, for downloading software releases,
scripts and other files to or from an AT8800 switch.
•Adobe Acrobat Reader for Windows for viewing and printing the
online documentation in PDF format. Get instant access to information
with full-text searching of PDF documents by keyword or phrase.
•Microsoft Internet Explorer.
•A demonstration version of F-Secure’s Secure Shell client for Windows.
•Information about other Allied Telesyn routing and switching
products.
Online Technical Support
For online support for your AT-8800 Series Switch, see our online support page
at http://www.alliedtelesyn.co.nz/support/ar
This page also contains the latest switch software releases, patches and GUI
resource files. Use the LOAD command to download software upgrades
directly from the Allied Telesyn web site to the router’s FLASH memory. Use
the SET INSTALL command to enable the new software (see “Upgrading Switch Software” on page 56 for detailed instructions).
If you require further assistance, contact your authorised distributor or reseller.
8800/
Features of the AT-8800 Series Switch
There are two models in the AT-8800 Series, which provide either 48 or 24
10/100 TX Fast Ethernet ports. Both models also feature:
•2 GBIC uplink ports
• Single PSU and redundant PSU (RPS)
• PAC interface connection
The software support provides wirespeed Layer 2 switching, including
support for Virtual LANs, and wirespeed Layer 3 switching of IP and IP
multicasting packets. In addition, the switch provides a wide array of
multiprotocol routing, security and network management features.
Management Features
The following features enhance management of the switch:
■A sophisticated and configurable event logging facility for monitoring and
alarm notification to single or multiple management centres.
■Triggers for automatic and timed execution of commands in response to
events.
■Scripting for automated configuration and centralised management of
configurations.
■Dynamic Host Configuration Protocol (DHCP) for IP and IPv6. DHCP lets
you automatically assign IP addresses and other configuration information
to PCs and other hosts on TCP/IP networks.
■Support for the Simple Network Management Protocol (SNMP), standard
MIBs and the Allied Telesyn Enterprise MIB, enabling the switch to be
managed by a separate SNMP management station.
■Telnet client and server.
■Secure Shell remote management.
■An HTTP client that allows the direct download of files from a web server
to the router’s FLASH memory.
For complete descriptions of these software features, see the AT-8800 Series Switch Software Reference.
Software Features
AT-8800 Series Intelligent Workgroup Switches provide efficient and cost-effective multiprotocol routing, terminal serving and integrated network
management over wide area networks and LANs. All models can run the same
software suite and can provide all of the following functions simultaneously
(depending on the hardware configuration):
■Wide area networking via Point-to-Point Protocol.
■TCP/IP routing.
■Novell® IPX routing.
■AppleTalk routing.
■Generic Routing Encapsulation (GRE) protocols.
■IP multicast routing support, including Internet Group Management
Protocol (IGMP), Distance Vector Multicast Routing Protocol (DVMRP)
and Protocol Independent Multicast (PIM) Sparse and Dense Modes.
■Ping Polling for determining device reachability and responding when a
device or link goes up or down.
■IPv6 routing support, including stateless address autoconfiguration, RIPv6
and ICMPv6.
■IPv6 multicast routing support, including Multicast Listener Discovery
(MLDv2) and Protocol Independent Multicast (PIM) Sparse and Dense
Modes.
■OSPF, RIP (IP and Novell®), SAP (Novell®), EGP and BGP routing
protocols.
■ARP, Proxy ARP and Inverse ARP address resolution protocols.
■Sophisticated packet filtering.
■Bridging.
■Van Jacobson’s header compression, STAC LZS and Predictor compression,
and DES encryption.
■Terminal serving using Telnet, with local host nicknames.
■Access to network printers via LPD or TCP streams.
■Resource Reservation Protocol (RSVP) for delivering quality of service to
application data streams.
■A fully featured, stateful inspection firewall.
■IPsec-compliant IP security services.
■Integration with a Public Key Infrastructure (PKI).
■Virtual Router Redundancy Protocol (VRRP).
■Border Gateway Protocol version 4 (BGP-4).
■Load Balancing for distributing traffic among multiple resources.
■Software Secure Sockets Layer (SSL).
■802.1x port authentication.
Special Feature Licences
You need a special feature licence and password to activate some special
features over and above the standard software release. Typically, these special
features are covered by government security regulations. Special feature
licences and passwords are quite separate and distinct from the standard
software release licences and passwords. Some of the software features that
require a special feature licence are:
■Triple DES S/W
■Firewall SW
■Firewall SMTP Application Gateway
■Firewall HTTP Application Gateway
■DES encryption
■IPv6
■IP Multicast routing: DVMRP and PIM-Sparse Mode
■IPX routing
■IPX/SPX Spoofing
■IPX Filtering (not between switch ports)
■AppleTalk
■BGP-4
■Load balancer
Most software features that require a special feature licence are bundled into
one of the following special feature licence packs:
■Full Layer 3 Feature Licence
■Advanced Layer 3 Feature Licence
■Security Pack Feature Licence
For more information about purchasing special feature licences, contact your
Allied Telesyn authorised distributor or reseller. For information on how to
enable special feature licences using the CLI, see “Enabling Special Feature Licences” on page 20.
Warning about FLASH memory
Before you start to configure your switch, note that it is possible to enter
commands that can impact severely on your router’s performance.
DO NOT clear the FLASH memory completely. The software release files are
stored in FLASH, and clearing FLASH memory would leave no software to run
the switch.
While FLASH is compacting, do not restart the switch or use any commands
that affect the FLASH file subsystem. Do not restart the switch, or create, edit,
load, rename or delete any files until a message confirms that FLASH file
compaction is completed. Interrupting flash compaction may result in damage
to files. Damaged files are likely to prevent the switch from operating correctly.
For more information, see “How to Avoid Problems” on page 109 and “What to
Do if You Clear FLASH Memory Completely” on page 111.
Chapter 2
Getting Started with the Command Line
Interface (CLI)
This Chapter
This chapter describes how to access the switch’s CLI, and provides basic
information about configuring the switch, including how to:
■Physically connect a terminal or PC to the switch (see “Connecting a
Terminal or PC” on page 14 and the Quick Install Guide).
■Set the Terminal Communication parameters to match the router’s settings
(see “Terminal Communication Parameters” on page 14).
■Log in to the switch as a manager (see “Logging In” on page 15).
■Configure IP addresses on the switch interfaces over which you will
manage the switch. This is necessary if you will access the switch using the
GUI or Telnet (see “Assigning an IP Address” on page 15).
■Set routes (see “Setting Routes” on page 16)
■Change the management password to limit unauthorised access to the
switch configuration (see “Changing a Password” on page 17).
■Use the command line interface to control the switch software, including
creating aliases for often used character sequences (see “Using the
Commands” on page 18).
■Set the online help file to gain access to command syntax help (see “Getting
Command Line Help” on page 19).
■Enable any special feature licences (see “Enabling Special Feature Licences”
on page 20).
■Set the name, location and contact details for the switch (see “Setting
System Parameters” on page 20).
Connecting a Terminal or PC
The first thing to do after physically installing the switch is to start a terminal
or terminal emulation session to access the switch. Then you can use the
command line interface (CLI) to configure the switch. If you wish to configure
the switch using the Graphical User Interface, you must first access the CLI and
assign an IP address to at least one interface.
You can use a PC running terminal emulation software as the manager console
instead of a terminal. Many terminal emulation applications are available for
the PC, but the most readily available is the HyperTerminal application
included in Microsoft® Windows™ 95, Windows™ 98, and Windows™ 2000.
In a normal Windows™ installation HyperTerminal is located in the
Accessories group. In Windows™ 2000, HyperTerminal is located in the Start >
Programs > Accessories > Communications menu.
The key to successfully using terminal emulation software with the switch is to
configure the communications parameters in the terminal emulation software
to match the default settings of the console port on the switch. For instructions
on how to configure HyperTerminal, see the AT-8800 Series Switch Hardware Reference.
To start a terminal session, connect to the switch in one of the following ways:
■Connect a VT100-compatible terminal to the RS-232 Terminal Port (asyn0),
set the communications parameters on the terminal (Table 1 on page 14),
and press [Enter] a few times until the router’s login prompt appears
OR
■Connect the COM port of a PC running terminal emulation software such
as Windows Terminal or HyperTerminal to the RS-232 Terminal Port
(asyn0), set the communications parameters on the terminal emulation
software (Table 1 on page 14), and press [Enter] a few times until the
router’s login prompt appears.
Terminal Communication Parameters
Check that the terminal or modem’s communication settings match the settings
of the asynchronous port. By default, the asynchronous port (also known as the
Console, RS-232, or Config port) on the switch is set to the parameters shown
in Table 1 on page 14:
Table 1: Parameters for terminal communication
Parameter       Value
Baud rate       9600
Data bits       8
Parity          None
Stop bits       1
Flow control    Hardware
Refer to the user manual supplied with the terminal or modem for details of
how to change the communications settings for the terminal or modem.
If a modem is connected, configure the switch to make and/or accept calls via
the modem. To set the CDCONTROL parameter to “CONNECT” and the
FLOW parameter to “HARDWARE”, enter the command:
SET ASYN CDCONTROL=CONNECT FLOW=HARDWARE
If the terminal or modem is used with communications settings other than the
default settings, then configure the asynchronous port to match the terminal or
modem settings using the SET ASYN command.
See the router’s online help or the Interfaces chapter in the AT-8800 Series Switch Software Reference for more information on how to configure the asynchronous
port.
Logging In
When you access the switch from a terminal or PC connected to the RS-232
terminal port (asyn0), or via a Telnet or HTTP connection, you must enter a
login name and password to gain access to the command prompt. When the
switch is supplied, it has a manager account with an initial password friend.
Enter your login name at the login prompt:
login: manager
Enter the password at the password prompt:
password: friend
After you log into the manager account you can enter commands from this
document and from the AT-8800 Series Switch Software Reference.
Assigning an IP Address
To configure the switch to perform IP routing (for example, to access the
Internet) you need to configure IP. You also need to configure IP if you want to
manage the switch from a Telnet session or with the GUI. For detailed
instructions on accessing the switch with the GUI, see “Establishing a
Connection to the Switch” on page 24.
First enable IP, using the command:
ENABLE IP
Then, add an IP address to each of the switch interfaces that you want to
process IP traffic (for example, the default VLAN (vlan1)).
For the default VLAN, use the command:
ADD IP INTERFACE=vlan1 IPADDRESS=ipadd MASK=mask
where:
■ipadd is an unused IP address on your LAN.
■mask is the subnet mask (for example 255.255.255.0)
If IP addresses on your LAN are assigned dynamically by DHCP, you can set
the switch to request an IP address from the DHCP server, using the
commands:
ADD IP INTERFACE=vlan1 IPADDRESS=DHCP
ENABLE IP REMOTEASSIGN
You do not need to set the MASK parameter because the subnet mask received
from the DHCP server is used.
If you use DHCP to assign IP addresses to devices on your LAN, and you want to
manage the switch within this DHCP regime, it is recommended that you set your
DHCP server to always assign the same IP address to the switch. This will enable you
to access the GUI by browsing to that IP address, and will also let you use the switch as
a gateway device for your LAN. If you need the switch's MAC address for this, it can be
displayed using the command SHOW SWITCH.
To change the IP address for an interface, enter the command:
SET IP INTERFACE=interface IPADDRESS=ipadd MASK=ipadd
When you are configuring the switch remotely, if you change the configuration (for
example, the VLAN membership) of the port over which you are configuring, the switch
is likely to break the connection.
For more information about switch ports and Virtual LANs (VLANs), see
Chapter 5, Layer 2 Switching in this document, and the Switching chapter in the
AT-8800 Series Switch Software Reference. For more information about IP addressing and routing, see Chapter 6, Layer 3 in this document, and the Internet
Protocol (IP) chapter in the AT-8800 Series Switch Software Reference.
Setting Routes
The process of routing packets consists of selectively forwarding data packets
from one network to another. Your switch makes a decision to send a packet to
a particular network on information it learns dynamically from listening to the
selected route protocol and on the static information entered as part of the
configuration process. In addition, you can configure user-defined filters to
restrict the way packets are sent.
Your switch maintains a table of routes which holds information about routes
to destinations. The route table tells the switch how to find a remote network or
host. A route is uniquely identified by IP address, network mask, next hop,
ifIndex, protocol and policy. A list of routes comprises all the different routes to
a destination. The routes may have different metrics, next hops, policy or
protocol. A list of routes is uniquely identified by its IP address and net mask.
The routing table is maintained dynamically by using one or more routing
protocols such as RIP, EGP and OSPF. These act to exchange routing
information with other switches or hosts.
You can also add static routes to the route table to define default routes to
external switches or networks and to define subnets.
To add a static route, enter the command:
ADD IP ROUTE=ipadd INTERFACE=interface NEXTHOP=ipadd
To display the entire routing table, including both static and dynamic routes,
enter the command:
SHOW IP ROUTE
For more information about setting IP routes, see the Internet Protocol (IP)
chapter in the AT-8800 Series Switch Software Reference.
Changing a Password
You should change this password to prevent unauthorised access to the switch.
Enter the command:
SET PASSWORD
The switch prompts you for the current password, for the new password, and
for confirmation of the new password. The password can contain any printable
characters, and must be at least a minimum length, by default six characters.
(To change the default minimum length, see the SET USER command in the
Operations chapter, AT-8800 Series Switch Software Reference.)
Choosing a Password
All users, including managers, should take care in selecting passwords. Tools
exist that enable hackers to guess or test many combinations of login names
and passwords easily. The User Authentication Facility (UAF) provides some
protection against such attacks by allowing the manager to set the number of
consecutive login failures allowed and a lockout period when the limit is
exceeded.
However, the best protection against password discovery is to select a good
password and keep it secret. When choosing a password:
■Do make it six or more characters in length. The UAF enforces a minimum
password length, which the manager can change. The default is six
characters.
■Do include both alphabetic (a–z) and numeric (0–9) characters.
■Do include both uppercase and lowercase characters. The passwords
stored by the switch are case-sensitive, so “bgz4kal” and “Bgz4Kal” are
different.
■Do avoid words found in a dictionary, unless combined with other random
alphabetic and numeric characters.
■Do not use the login name, or the word “password” as the password.
■Do not use your name, your mother’s name, your spouse’s name, your
pet’s name, or the name of your favourite cologne, actor, food or song.
■Do not use your birth date, street number or telephone number.
■Do not write down your password anywhere.
Make sure you remember the new password created as you cannot retrieve a
lost password. Recovery of access to the switch is complex.
Once you have logged into the manager account you are able to enter
commands from this guide and from the AT-8800 Series Switch Software Reference.
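The rules listed under Choosing a Password, written out as a checker that can vet a candidate manager password before it is typed at the SET PASSWORD prompt. This is an added example, not code from Allied Telesyn or from the original guide; the function name, the rule labels, the small word list and the reading of "printable" as printable ASCII are assumptions. The dictionary rule is applied conservatively: the letters of the candidate, with digits and symbols removed, must not form a listed word.

```python
# Values taken from the guide: the factory-default manager password and the
# default minimum length enforced by the User Authentication Facility (UAF).
FACTORY_DEFAULT = "friend"
DEFAULT_MIN_LENGTH = 6

# Constructed sample word list (assumption). Replace it with a real
# dictionary file when vetting production passwords.
SAMPLE_WORDS = {"friend", "switch", "manager", "network", "admin", "telesyn"}


def check_password(candidate, login_name, personal_terms=(),
                   min_length=DEFAULT_MIN_LENGTH, words=SAMPLE_WORDS):
    """Return the list of rules the candidate breaks (empty list = passes).

    personal_terms holds strings the guide says to avoid: names, birth
    dates, street or telephone numbers. The caller supplies them.
    """
    problems = []
    lowered = candidate.lower()
    # Letters only, so "Manager1" is still recognised as the word "manager".
    letters_only = "".join(ch for ch in lowered if ch.isalpha())

    # "Any printable characters": read here as printable ASCII (assumption).
    if not all(32 <= ord(ch) <= 126 for ch in candidate):
        problems.append("non-printable")
    # Minimum length; the manager can change it, the default is six.
    if len(candidate) < min_length:
        problems.append("too-short")
    # Both alphabetic and numeric characters.
    if not (any(ch.isalpha() for ch in candidate)
            and any(ch.isdigit() for ch in candidate)):
        problems.append("needs-letters-and-digits")
    # Both uppercase and lowercase; stored passwords are case-sensitive.
    if not (any(ch.isupper() for ch in candidate)
            and any(ch.islower() for ch in candidate)):
        problems.append("needs-mixed-case")
    # Dictionary words, unless mixed with other random characters.
    if letters_only in words:
        problems.append("dictionary-word")
    # The login name or the word "password", compared without regard to case.
    if lowered in (login_name.lower(), "password"):
        problems.append("login-or-password")
    # Personal details supplied by the caller.
    if any(term and term.lower() in lowered for term in personal_terms):
        problems.append("personal-detail")
    # The password the switch ships with must never be kept.
    if candidate == FACTORY_DEFAULT:
        problems.append("factory-default")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "Bgz4Kal" and "bgz4kal" are the guide's own
    # illustration of case sensitivity.
    for pw in ("friend", "bgz4kal", "Bgz4Kal", "Manager1"):
        print(pw, "->", check_password(pw, "manager") or "ok")
```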
Using the Commands
You control the switch with commands described in this document and in the
AT-8800 Series Switch Software Reference. While the keywords in commands are
not case sensitive, the values entered for some parameters are (especially
passwords). The switch supports command line editing and recall. Command
line editing functions and keystrokes are shown in Table 2 on page 18.
Table 2: Command line editing functions and keystrokes.
Function                            VT100 Terminal                    Dumb terminal
Move cursor within command line     ←, →                              Not available
Delete character to left of cursor  [Delete] or [Backspace]           [Delete] or [Backspace]
Toggle between insert/overstrike    [Ctrl/O]                          Not available
Clear command line                  [Ctrl/U]                          [Ctrl/U]
Recall previous command             ↑ or [Ctrl/B]                     [Ctrl/B]
Recall next command                 ↓ or [Ctrl/F]                     [Ctrl/F]
Display command history             [Ctrl/C] or SHOW PORT HISTORY     [Ctrl/C] or SHOW PORT HISTORY
Clear command history               RESET PORT HISTORY                RESET PORT HISTORY
Recall matching command             [Tab] or [Ctrl/I]                 [Tab] or [Ctrl/I]
The switch assumes that the width of the terminal screen is 80 characters, and
performs command line wrapping at the 80th column regardless of the setting
of the terminal. To execute a command the cursor does not need to be at the
end of the line. The default editing mode is insert mode. Characters are
inserted at the cursor position and any characters to the right of the cursor are
pushed to the right to make room. In overstrike mode, characters are inserted
at the cursor position and replace any existing characters.
Commands are limited to 1000 characters, excluding the prompt. Pathnames of
up to 256 characters, including file names, and file names up to 16 characters
long, with extensions of 3 characters, are supported.
Aliases
The command line interface supports aliases. An alias is a short name for an
often-used longer character sequence. When the user presses [Enter] to execute
the command line, the command processor first checks the command line for
aliases and substitutes the replacement text. The command line is then parsed
and processed normally. Alias substitution is not recursive—the command line
is scanned only once for aliases.
Aliases are created and destroyed using the commands:
ADD ALIAS=name STRING=substitution
DELETE ALIAS=name
Getting Command Line Help
Online help is available for all switch commands. A multilingual, language-independent online help facility provides help information via the command:
HELP [topic]
If a topic is not specified, a list of available topics is displayed. The HELP
command displays information from the system help file stored in FLASH
memory. The help file uses a simple mark-up language to identify topics,
access level (USER or MANAGER) and help text. Both standard ASCII and
Unicode character encodings are supported. Alternate help files can be
uploaded and stored in FLASH, then activated using the command:
SET HELP=helpfile
To display the current help file, enter the command:
SHOW SYSTEM
The help file is easily modified, for example to provide detailed site-specific
support information. The mark-up language specification and preprocessor
program are available from your authorised distributor or reseller.
Also, typing a question mark “?” at the end of a partially completed command
displays a list of the parameters that may follow the current command line,
with the minimum abbreviations in uppercase letters (see Figure 1). The
current command line is then re-displayed, ready for further input.
Figure 1: Using the question mark character (“?”) to display help for the current command.
Manager > ADD ?
Options : ACC APPletalk BGP CLASSifier BOOTp BRIDge DECnet FRamerelay GRE IP IPX
ISDN LAPD LOG MIOX NTP OSPF PERM PPP RADius SA SCript SNmp STReam STT TRIGger
TACacs USEr X25C X25T TDM
Manager > ADD ACC ?
Options : CALL SCript DOmainname
Manager > ADD ACC CALL ?
Options : DIrection DScript CScript RScript POrt ENcapsulation AUthentication
DOmainname
Enabling Special Feature Licences
You must enable the special feature licence you have purchased before you can
use the licenced features. You will need the password provided by your
authorised distributor or reseller. The advanced upgrade licence and password
are different from the standard software release licence and password. The
licence cannot be transferred from one switch to another.
For software features that require a special feature licence see “Special Feature
Licences” on page 11.
You must order passwords for special feature licences from your authorised distributor
or reseller. You must specify the special feature licence bundle and the serial number(s)
of the switch(s) on which the special feature licences are to be enabled.
The password for a special feature licence is a string of at least 16 hexadecimal
characters. This password encodes the special feature, or features, covered by
the licence, and the switch serial number. The password information is stored
in the router’s FLASH memory.
To enable or disable a special feature licence, enter the commands:
ENABLE FEATURE=feature PASSWORD=password
DISABLE FEATURE=feature
To list the current special feature licences, enter the command:
SHOW FEATURE[={featurename|index}]
Setting System Parameters
You can set some general system parameters to ensure the router’s
compatibility with the public network, and to aid network administration.
System name, location and contact parameters can help a remote network
administrator identify the switch. By convention the system name is the full
domain name. Set the name and location of the switch, for example:
SET SYSTEM NAME=nd1.co.nz
SET SYSTEM LOCATION="Head Office, 3rd floor east"
and a contact name and phone number for the network administrator
responsible for the switch, for example:
SET SYSTEM CONTACT="Anna Brown 03-456 789"
The name, location, and contact are strings 1 to 80 characters in length of any
printable character. If the string includes spaces enclose it in double quotes.
Set the router’s real time clock to the current local time in 24 hour notation
(hh:mm:ss), and to the current date (dd-mmm-yy, or dd-mmm-yyyy), for
example:
SET TIME=14:50:00
SET DATE=29-JAN-02 or
SET DATE=29-JAN-2003
Chapter 3
Getting Started with the Graphical User
Interface (GUI)
This Chapter
This chapter describes how to access the switch’s HTTP-based Graphical User
Interface (GUI), and provides basic information about using the GUI,
including:
■ What is the GUI?
• an introduction to the Graphical User Interface
■ Accessing the switch via the GUI:
• browser and PC setup, including interaction with HTTP proxy servers
• establishing a connection to your switch, including an example of
configuring SSL for secure access
• the System Status page, the first GUI page you see
■ Using the GUI: navigation and features:
• an overview of the menus
• using configuration pages, with a description of key elements of GUI
pages
• changing your password
• using the context sensitive online help
• saving your configuration
• combining GUI and CLI configuration
• configuring multiple devices
■ Upgrading the GUI
■ Troubleshooting
• diagnosing and solving connection problems
• using the GUI to troubleshoot the switch’s configuration.
What is the GUI?
The GUI (Graphical User Interface) is a web-based device management tool,
designed to make it easier to configure and monitor the switch. The GUI
provides an alternative to the CLI (Command Line Interface). Its purpose is to
make complicated tasks simpler and regularly performed tasks quicker.
The GUI relies on an HTTP server that runs on the switch, and a web browser
on the host PC. When you use the GUI to configure the switch, the GUI sends
commands to the switch and the switch sends the results back to your browser,
all via HTTP.
The tasks you may perform using the GUI are not as comprehensive as the
command set available on the CLI, but for some protocols, a few clicks of the
mouse will perform many commands.
The GUI is stored on the switch in the form of an embedded resource file, with
file extension rsc. Resource files are model-specific, with the model and
version encoded in the file name.
Accessing the Switch via the GUI
To use the GUI to configure the switch, you use a web browser to open a
connection to the switch’s HTTP server. Therefore, you need a PC, a web
browser and the switch. Supported browsers and operating systems, and the
settings you need on your PC and browser, are detailed in the following
section. Switch setup is detailed in “Establishing a Connection to the Switch” on
page 24.
Browser and PC Setup
The GUI requires a web browser installed on a PC. Table 3 shows supported
combinations of operating system and browser. A copy of Internet Explorer can
be found on the switch’s Documentation and Tools CD-ROM.
Table 3: Supported browsers and operating systems
IE 5.0  IE 5.5  IE 6.0  NS 6.2.2  NS 6.2.3
Windows 95
Windows 98!!!
Windows ME!!!!!
Windows 2000!!!!!
Windows XP!!!!!
!
JavaScript must be enabled. To enable JavaScript in Internet Explorer:
1. From the Tools menu, select Internet Options.
2. Select the Security tab.
3. Click on the Custom Level button.
4. Under the Scripting section, ensure that “Active scripting” is enabled.
To enable JavaScript in Netscape 6.2.x:
1. From the Edit menu, select Preferences.
2. Select the Advanced menu option.
3. Ensure that the “Enable JavaScript for Navigator” checkbox is checked.
The minimum screen resolution on the PC is 800x600.
HTTP Proxy Servers
An HTTP proxy server provides a security barrier between a private network’s
PCs and the Internet. The PCs send HTTP requests (and other web traffic) to
the server, which then forwards the requests appropriately. Similarly, the server
receives incoming HTTP traffic addressed to a PC on the private network, and
forwards it to the appropriate PC. Proxy servers can be used to block traffic
from undesirable websites, to log traffic flows, and to disallow cookies.
If your browser is configured to use a proxy server, and the switch is on your
side of the proxy server, you will need to set the browser to bypass proxy
entries for the IP address of the appropriate interface on the switch. (See
“Establishing a Connection to the Switch” on page 24 for information about
giving switch interfaces IP addresses.)
To ensure that your network’s security settings are not compromised, see your
network administrator for information about bypassing the proxy server on
your system.
To bypass the proxy server on Internet Explorer, if your browser administration
does not use a script, and the PC and the switch are in the same subnet:
1. From the Tools menu, select Internet Options.
2. Select the Connections tab and click the LAN Settings button.
3. Check the “Bypass proxy server for local addresses” checkbox.
4. If necessary, click the Advanced button and enter a list of local addresses.
To bypass the proxy server on Netscape, if your browser does not use a script:
1. From the Edit menu, select Preferences.
2. Click on the Advanced menu option to expand it.
3. Select the Proxies menu option.
4. Enter the switch’s IP address in the “No Proxy for” list.
Establishing a Connection to the Switch
Before you start, consider how the switch fits into your network. If you are
installing a new switch, consider whether you want to configure it before
deploying it into the LAN, or want to configure it in situ. If you want to access
a switch that has already been configured, consider the relative positions of the
PC and the switch. The flow chart below summarises this process, and the
procedures that follow take you through each possibility in detail.
Figure 2: A summary of the process for establishing a connection via the GUI.
Start here: Is the router already installed and configured in the LAN?
■ Yes: Determine the IP address of an interface on the router and browse to it.
See “Option 3: Connecting to an Installed Switch” on page 28.
■ No: Do you want to configure the router before installing it in the LAN?
• Yes: Connect your PC directly to the router, give the router an IP address
and browse to it. See “Option 1: Configuring the Switch before
Installation” on page 25.
• No: Install the router into the LAN, give it an IP address and browse to it.
See “Option 2: Installing the Switch into the LAN” on page 26.
Option 1: Configuring the Switch before Installation
Use this procedure if:
■ You want to configure the switch before installing it in your LAN.
■ You will be installing the switch at a remote office or a customer site and
want to configure it first.
■ You want a dedicated management PC permanently connected to the
switch.
1. Select a PC to browse to the switch from
You can browse to the switch from any PC that is running a supported
operating system with a supported browser installed. See “Browser and
PC Setup” on page 22 for more information.
You need to know the PC’s subnet.
2. Connect the PC to the switch
Use a straight-through Ethernet cable to connect an Ethernet card on the
PC to any one of the switch ports (see Figure 3).
Figure 3: Connecting a PC directly to the switch.
You can browse to the switch through any VLAN, as long as you give that VLAN an IP
address (see below). These instructions assume you will use vlan1. The switch ports all
belong to vlan1 by default.
3. Access the switch’s command line interface
Access the CLI from the PC, as described in “Connecting a Terminal or PC”
on page 14.
4. Enable IP
ENABLE IP
5. Assign the vlan1 interface an IP address in the same subnet as the PC
ADD IP INTERFACE=vlan1 IP=ipaddress MASK=mask
6. Save the configuration and set the switch to use it on bootup
CREATE CONFIG=your-name.cfg
SET CONFIG=your-name.cfg
7. On the PC, bypass the HTTP proxy server, if necessary
See “HTTP Proxy Servers” on page 23 for more information.
8. Point your web browser at the LAN interface’s IP address
9. At the login prompt, enter the user name and password
The default username is manager:
User Name: manager
Password: friend
The System Status page is displayed (Figure 6 on page 31). Select options
from the sidebar menu to configure and manage the switch.
Option 2: Installing the Switch into the LAN
Use this procedure if:
■ You want to install the switch into the LAN before you configure it.
1. Select a PC to browse to the switch from
You can browse to the switch from any PC that is running a supported
operating system with a supported browser installed, with JavaScript
enabled. See “Browser and PC Setup” on page 22 for more information.
You need to know the PC’s subnet.
2. Plug the switch into the LAN
To install the switch into the same subnet as the PC:
Use an Ethernet cable to connect one of the switch ports to a device on the
LAN segment, for example, a hub, router or switch (see Figure 4).
Figure 4: Connecting the switch into the same LAN segment as the PC
(Diagram labels: PC; Hub or Layer 2 Switch; 10BASE-T/100BASE-TX switch ports.)
To install the switch into a different subnet than the PC:
Use an Ethernet cable to connect any one of the switch ports to a device on
the LAN segment in which you require the switch to work, for example, a
hub, router or switch (see Figure 5).
Figure 5: Configuring the switch from a PC in another subnet.
(Diagram labels: gateway; subnet; subnet; AT-8800 Series Switch.)
You can browse to the switch through any VLAN, as long as you give that VLAN an IP
address (see below). These instructions assume you will use vlan1. The switch ports all
belong to vlan1 by default.
3. Access the switch’s command line interface
Access the CLI from the PC, as described in “Connecting a Terminal or PC”
on page 14.
4. Enable IP
ENABLE IP
5. Assign the vlan1 interface an IP address
ADD IP INTERFACE=vlan1 IP=ipaddress MASK=mask
If you use DHCP to assign IP addresses to devices on your LAN, and you want to
manage the switch within this DHCP regime, it is recommended that you set your
DHCP server to always assign the same IP address to the switch. This will enable you
to access the GUI by browsing to that IP address, and will also let you use the switch as
a gateway device for your LAN. If you need the switch's MAC address for this, you can
display it using the command SHOW SWITCH. To set the interface to obtain its IP
address by DHCP, use the commands:
ADD IP INTERFACE=VLAN1 IPADDRESS=DHCP
and
ENABLE IP REMOTEASSIGN
where:
• PC-subnet is the IP subnet address of the PC. For example, if the PC has
an IP address of 192.168.6.1 and a mask of 255.255.255.0, its subnet
address is 192.168.6.0.
• gateway-ipaddress is the IP address of the gateway device that connects
the PC’s subnet with the switch’s subnet (Figure 5 on page 27).
6. If you want to be able to browse to the GUI securely, configure SSL (Secure
Sockets Layer)
See “Secure Access” on page 29 for more information.
7. Save the configuration and set the switch to use it on bootup
CREATE CONFIG=filename.cfg
SET CONFIG=filename.cfg
8. On the PC, bypass the HTTP proxy server, if necessary
See “HTTP Proxy Servers” on page 23 for more information.
9. Point your web browser at the LAN interface’s IP address
For normal access, point your web browser to
http://ip-address
For secure access, point your web browser to
https://ip-address
where ip-address is the interface’s IP address.
10. At the login prompt, enter the user name and password
The default username is manager:
User Name: manager
Password: friend
The System Status page is displayed (see Figure 6 on page 31). Select
options from the sidebar menu to configure and manage the switch.
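A pre-flight check for step 5 of Options 1 and 2: it derives the PC's subnet address as in the 192.168.6.1 / 255.255.255.0 example and reports whether the address planned for vlan1 falls in that subnet. This is an added example, not part of the guide; the function name and the switch addresses used in the demo are constructed.

```python
import ipaddress


def check_management_plan(pc_ip, pc_mask, switch_ip, switch_mask):
    """Compare the PC's subnet with the address planned for vlan1.

    Returns the PC's subnet address (the guide's PC-subnet), whether the
    switch address is in that same subnet, and the ADD IP command to enter.
    Raises ValueError for a plan that cannot work.
    """
    # ip_interface() rejects malformed addresses and non-contiguous masks.
    pc = ipaddress.ip_interface(f"{pc_ip}/{pc_mask}")
    sw = ipaddress.ip_interface(f"{switch_ip}/{switch_mask}")

    # A host interface cannot use the subnet's network or broadcast address.
    if sw.ip in (sw.network.network_address, sw.network.broadcast_address):
        raise ValueError(f"{sw.ip} is the network or broadcast address")
    if sw.ip == pc.ip:
        raise ValueError("switch and PC cannot share one IP address")

    return {
        "pc_subnet": str(pc.network.network_address),
        # True only when address range and mask both match; a mask mismatch
        # between PC and switch is reported as a different subnet.
        "same_subnet": sw.network == pc.network,
        "command": f"ADD IP INTERFACE=vlan1 IP={sw.ip} MASK={sw.netmask}",
    }


if __name__ == "__main__":
    # Constructed plans: the PC address is the guide's example, the switch
    # addresses are made up for the demonstration.
    for switch_ip in ("192.168.6.20", "192.168.7.20"):
        plan = check_management_plan("192.168.6.1", "255.255.255.0",
                                     switch_ip, "255.255.255.0")
        where = "same subnet" if plan["same_subnet"] else "other subnet"
        print(f"{plan['command']}  ({where}, PC-subnet {plan['pc_subnet']})")
```

When `same_subnet` is false, the PC reaches the switch only through the gateway device shown in Figure 5.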
Option 3: Connecting to an Installed Switch
Use this procedure if:
■ At least one interface on the switch already has an IP address, and the
switch is already installed in a LAN.
1. Find out the IP address of the switch’s interface
Ask your system administrator. Alternatively, access the CLI, as described
in “Connecting a Terminal or PC” on page 14, and enter the command:
SHOW IP INTERFACE
You can browse to the switch through any VLAN, as long as you give that VLAN an IP
address (see below). These instructions assume you will use vlan1. The switch ports all
belong to vlan1 by default.
2. Select a PC
You can browse to the GUI from any PC that:
• has an IP address in the same subnet as the switch, or that the switch
has a route to
• is running a supported operating system
• has a supported browser installed, with JavaScript enabled
See “Browser and PC Setup” on page 22 for more information.
3. If necessary, bypass the HTTP proxy server
See “HTTP Proxy Servers” on page 23 for more information.
4. Browse to the switch
For normal access, point your web browser to
http://ip-address
where ip-address is the interface’s IP address.
To access the switch securely if SSL (Secure Sockets Layer) has been
configured on the interface, point your web browser to
https://ip-address
For more information about secure access, see “Secure Access” on page 29.
5. At the login prompt, enter the user name and password
The default username is manager:
User Name: manager
Password: friend
The System Status page is displayed (see Figure 6 on page 31). Select
options from the sidebar menu to configure and manage the switch.
If the Firewall and/or VPN (IPSec) have already been configured on the switch
using the CLI, this configuration may conflict with the GUI. Do not attempt to
modify existing CLI firewall or VPN configuration with the GUI.
Secure Access
You can optionally browse to the switch using Secure Sockets Layer (SSL). This
means that sensitive data, including passwords and email addresses, cannot be
accessed in transit by malicious parties. This section details the required
configuration.
For information about SSL, refer to the Secure Sockets Layer (SSL) chapter of
your Software Reference.
For this configuration to succeed your switch must have PKI, ISAKMP, SSH and SSL
feature licences. If these licences are not already present on your switch, please contact
your authorised distributor or reseller.
To secure your switch’s HTTP Server with SSL for secure switch
management via the GUI:
1. Create a Security Officer user account
Only a user with Security Officer privilege can enable system security and SSL.
To add a user with the login name “CIPHER”, password “sbr4y3”,
login=yes, and SECURITY OFFICER privilege, use the command:
ADD USER="CIPHER" PASSWORD="sbr4y3" PRIVILEGE=SECURITYOFFICER Login=yes
CREATE CONFIG=ssl.cfg
RESTART SWITCH
2. Log in as a Security Officer
To log in as the user with Security Officer privilege called “CIPHER”, use
the command:
LOGIN CIPHER
Then enter the password for “CIPHER”, “sbr4y3”.
3. Enable system security
To enable system security, use the command:
ENABLE SYSTEM SECURITY
4. Create an RSA key pair for this switch.
To create an RSA key pair, use the command:
CREATE ENCO KEY=0 TYPE=RSA LENGTH=1024
5. Set the switch’s distinguished name.
To set the switch’s distinguished name to
"cn=switch1,o=my_company,c=us", use the command:
SET SYSTEM DISTINGUISHEDNAME="cn=switch1,o=my_company,c=us"
6. Set the UTC offset.
To set the UTC (Universal Coordinated Time) offset, informing the switch that
the difference between local time and GMT is 7 hours, use the command:
SET LOG UTCOFFSET=7
7. Create a self-signed certificate for the switch.
To create a PKI certificate without contacting a CA for browsing to the GUI,
use the command:
Using this command creates a certificate that is only suitable for secure switch
management via the GUI. A pop-up message will appear in the browser
window warning that the certificate is not issued by a trusted authority. You
should create a certificate via a Certification Authority if you want to use SSL
with the Load Balancer. For details, see the Public Key Infrastructure (PKI)
chapter of your Software Reference.
8. Load self-signed switch certificate
To load the signed switch certificate onto the switch, use the command: