Allied Telesis AT-S63 User Manual

Management Software
AT-S63
Features Guide
AT-S63 Version 2.2.0 for the AT-9400 Layer 2+ Switches
AT-S63 Version 3.0.0 for the AT-9400 Basic Layer 3 Switches
613-000801 Rev. A
All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc.
Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners.
Allied Telesis, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesis, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesis, Inc. has been advised of, known, or should have known, the possibility of such damages.

Contents

Preface
How This Guide is Organized
Product Documentation
Where to Go First
Starting a Management Session
Document Conventions
Where to Find Web-based Guides
Contacting Allied Telesis
Online Support
Email and Telephone Support
Returning Products
Sales or Corporate Information
Management Software Updates
Section I: Basic Operations
Chapter 1: Overview
Layer 2+ and Basic Layer 3 Switches
AT-S63 Management Software
Management Interfaces and Features
Management Access Methods
Local Management Sessions
Remote Telnet Sessions
Remote Secure Shell (SSH) Sessions
Remote Web Browser Session
Remote SNMP Management
Manager Access Levels
Installation and Management Configurations
Stand-alone Switch
Enhanced Stacking
Stacking
IP Configuration
Redundant Twisted Pair Ports
History of New Features
Version 3.0.0
Version 2.1.0
Version 2.0.0
Version 1.3.0
Version 1.2.0
Chapter 2: Enhanced Stacking
Supported Platforms
Overview
Master and Slave Switches
Common VLAN
Master Switch and the Local Interface
Slave Switches
Enhanced Stacking Compatibility
Enhanced Stacking Guidelines
General Steps
Chapter 3: SNMPv1 and SNMPv2c
Supported Platforms
Overview
Community String Attributes
Community String Name
Access Mode
Operating Status
Open or Closed Access Status
Trap Receivers
Default SNMP Community Strings
Chapter 4: MAC Address Table
Overview
Chapter 5: Static Port Trunks
Supported Platforms
Overview
Load Distribution Methods
Guidelines
Chapter 6: LACP Port Trunks
Supported Platforms
Overview
LACP System Priority
Adminkey Parameter
LACP Port Priority Value
Load Distribution Methods
Guidelines
Chapter 7: Port Mirror
Supported Platforms
Overview
Guidelines
Section II: Advanced Operations
Chapter 8: File System
Overview
Boot Configuration Files
File Naming Conventions
Using Wildcards to Specify Groups of Files
Chapter 9: Event Logs and the Syslog Client
Supported Platforms
Overview
Event Messages
Syslog Client
Chapter 10: Classifiers
Supported Platforms
Overview
Classifier Criteria
Guidelines
Chapter 11: Access Control Lists
Supported Platforms
Overview
Parts of an ACL
Guidelines
Examples
Chapter 12: Class of Service
Supported Platforms
Overview
Scheduling
Strict Priority Scheduling
Weighted Round Robin Priority Scheduling
Chapter 13: Quality of Service
Supported Platforms
Overview
Classifiers
Flow Groups
Traffic Classes
Policies
QoS Policy Guidelines
Packet Processing
Bandwidth Allocation
Packet Prioritization
Replacing Priorities
VLAN Tag User Priorities
DSCP Values
DiffServ Domains
Examples
Voice Applications
Video Applications
Critical Database
Policy Component Hierarchy
Chapter 14: Denial of Service Defenses
Supported Platforms
Overview
SYN Flood Attack
Smurf Attack
Land Attack
Teardrop Attack
Ping of Death Attack
IP Options Attack
Mirroring Traffic
Denial of Service Defense Guidelines
Section III: Snooping Protocols
Chapter 15: IGMP Snooping
Supported Platforms
Overview
Chapter 16: MLD Snooping
Supported Platforms
Overview
Chapter 17: RRP Snooping
Supported Platforms
Overview
Guidelines
Chapter 18: Ethernet Protection Switching Ring Snooping
Supported Platforms
Overview
Restrictions
Guidelines
Section IV: SNMPv3
Chapter 19: SNMPv3
Supported Platforms
Overview
SNMPv3 Authentication Protocols
SNMPv3 Privacy Protocol
SNMPv3 MIB Views
SNMPv3 Storage Types
SNMPv3 Message Notification
SNMPv3 Tables
SNMPv3 User Table
SNMPv3 View Table
SNMPv3 Access Table
SNMPv3 SecurityToGroup Table
SNMPv3 Notify Table
SNMPv3 Target Address Table
SNMPv3 Target Parameters Table
SNMPv3 Community Table
SNMPv3 Configuration Example
Section V: Spanning Tree Protocols
Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols
Supported Platforms
Overview
Bridge Priority and the Root Bridge
Path Costs and Port Costs
Port Priority
Forwarding Delay and Topology Changes
Hello Time and Bridge Protocol Data Units (BPDU)
Point-to-Point and Edge Ports
Mixed STP and RSTP Networks
Spanning Tree and VLANs
Chapter 21: Multiple Spanning Tree Protocol
Supported Platforms
Overview
Multiple Spanning Tree Instance (MSTI)
MSTI Guidelines
VLAN and MSTI Associations
Ports in Multiple MSTIs
Multiple Spanning Tree Regions
Region Guidelines
Common and Internal Spanning Tree (CIST)
MSTP with STP and RSTP
Summary of Guidelines
Associating VLANs to MSTIs
Connecting VLANs Across Different Regions
Section VI: Virtual LANs
Chapter 22: Port-based and Tagged VLANs
Supported Platforms
Overview
Port-based VLAN Overview
VLAN Name
VLAN Identifier
Untagged Ports
Port VLAN Identifier
Guidelines to Creating a Port-based VLAN
Drawbacks of Port-based VLANs
Port-based Example 1
Port-based Example 2
Tagged VLAN Overview
Tagged and Untagged Ports
Port VLAN Identifier
Guidelines to Creating a Tagged VLAN ................................................................................................... 258
Tagged VLAN Example............................................................................................................................ 259
Chapter 23: GARP VLAN Registration Protocol ....................................................................................... 261
Supported Platforms....................................................................................................................................... 262
Overview......................................................................................................................................................... 263
Guidelines....................................................................................................................................................... 266
GVRP and Network Security .......................................................................................................................... 267
GVRP-inactive Intermediate Switches............................................................................................................ 268
Generic Attribute Registration Protocol (GARP) Overview............................................................................. 269
Chapter 24: Multiple VLAN Modes ............................................................................................................. 273
Supported Platforms....................................................................................................................................... 274
Overview......................................................................................................................................................... 275
802.1Q-Compliant Multiple VLAN Mode........................................................................................................ 276
Non-802.1Q Compliant Multiple VLAN Mode ................................................................................................. 278
Chapter 25: Protected Ports VLANs .......................................................................................................... 279
Supported Platforms....................................................................................................................................... 280
Overview......................................................................................................................................................... 281
Guidelines....................................................................................................................................................... 283
Chapter 26: MAC Address-based VLANs ..................................................................................................285
Supported Platforms ....................................................................................................................................... 286
Overview .........................................................................................................................................................287
Egress Ports ................................................................................................................................................... 288
VLANs That Span Switches............................................................................................................................ 291
VLAN Hierarchy .............................................................................................................................................. 293
Steps to Creating a MAC Address-based VLAN............................................................................................. 294
Guidelines .......................................................................................................................................................295
Section VII: Routing ................................................................................................ 297
Chapter 27: Internet Protocol Version 4 Packet Routing ......................................................................... 299
Supported Platforms ....................................................................................................................................... 300
Overview .........................................................................................................................................................301
Routing Interfaces ...........................................................................................................................................303
VLAN ID (VID) ..........................................................................................................................................304
Interface Numbers ....................................................................................................................................304
IP Address and Subnet Mask ................................................................................................................... 304
Interface Names..............................................................................................................................................306
Static Routes................................................................................................................................................... 307
Routing Information Protocol (RIP) ................................................................................................................. 309
Default Routes ................................................................................................................................................311
Equal-cost Multi-path (ECMP) Routing ...........................................................................................................312
Routing Table.................................................................................................................................................. 314
Address Resolution Protocol (ARP) Table ...................................................................................................... 315
Internet Control Message Protocol (ICMP) .....................................................................................................316
Routing Interfaces and Management Features............................................................................................... 318
Network Servers .......................................................................................................................................318
Enhanced Stacking...................................................................................................................................319
Remote Telnet, SSH, and Web Browser Management Sessions ............................................................ 319
Pinging a Remote Device ......................................................................................................................... 320
DHCP or BOOTP Server ..........................................................................................................................320
Local Interface ................................................................................................................................................ 321
AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches...........................................................................322
Local Interface ..........................................................................................................................................322
ARP Table ................................................................................................................................................322
Default Gateway .......................................................................................................................................323
Routing Command Example ...........................................................................................................................324
Creating the VLANs.................................................................................................................................. 325
Creating the Routing Interfaces................................................................................................................325
Adding a Static Route and Default Route................................................................................................. 326
Adding RIP ...............................................................................................................................................327
Selecting the Local Interface .................................................................................................................... 327
Non-routing Command Example..................................................................................................................... 328
Upgrading from AT-S63 Version 1.3.0 or Earlier ............................................................................................ 330
Chapter 28: BOOTP Relay Agent ................................................................................................................ 331
Supported Platforms ....................................................................................................................................... 332
Overview .........................................................................................................................................................333
Guidelines .......................................................................................................................................................335
Chapter 29: Virtual Router Redundancy Protocol .................................................................................... 337
Supported Platforms ....................................................................................................................................... 338
Overview .........................................................................................................................................................339
Master Switch ................................................................................................................................................. 340
Backup Switches.............................................................................................................................................341
Interface Monitoring........................................................................................................................................ 342
Port Monitoring ............................................................................................................................................... 343
VRRP on the Switch ....................................................................................................................................... 344
Section VIII: Port Security ..................................................................................... 347
Chapter 30: MAC Address-based Port Security ....................................................................................... 349
Supported Platforms....................................................................................................................................... 350
Overview......................................................................................................................................................... 351
Automatic ................................................................................................................................................. 351
Limited...................................................................................................................................................... 351
Secured.................................................................................................................................................... 352
Locked...................................................................................................................................................... 352
Invalid Frames and Intrusion Actions ............................................................................................................. 353
Guidelines....................................................................................................................................................... 354
Chapter 31: 802.1x Port-based Network Access Control ........................................................................ 355
Supported Platforms....................................................................................................................................... 356
Overview......................................................................................................................................................... 357
Authentication Process................................................................................................................................... 359
Port Roles....................................................................................................................................................... 360
None Role ................................................................................................................................................ 360
Authenticator Role.................................................................................................................................... 360
Supplicant Role ........................................................................................................................................ 362
Authenticator Ports with Single and Multiple Supplicants............................................................................... 363
Single Operating Mode ............................................................................................................................ 363
Multiple Operating Mode .......................................................................................................................... 367
Supplicant and VLAN Associations ................................................................................................................ 370
Single Operating Mode ............................................................................................................................ 371
Multiple Operating Mode .......................................................................................................................... 371
Supplicant VLAN Attributes on the RADIUS Server................................................................................. 371
Guest VLAN.................................................................................................................................................... 372
RADIUS Accounting ....................................................................................................................................... 373
General Steps................................................................................................................................................. 374
Guidelines....................................................................................................................................................... 375
Section IX: Management Security ......................................................................... 379
Chapter 32: Web Server .............................................................................................................................. 381
Supported Platforms....................................................................................................................................... 382
Overview......................................................................................................................................................... 383
Supported Protocols................................................................................................................................. 383
Configuring the Web Server for HTTP............................................................................................................ 384
Configuring the Web Server for HTTPS ......................................................................................................... 385
General Steps for a Self-signed Certificate.............................................................................................. 385
General Steps for a Public or Private CA Certificate................................................................................ 385
Chapter 33: Encryption Keys ..................................................................................................................... 387
Supported Platforms....................................................................................................................................... 388
Overview......................................................................................................................................................... 389
Encryption Key Length ................................................................................................................................... 390
Encryption Key Guidelines ............................................................................................................................. 391
Technical Overview ........................................................................................................................................ 392
Data Encryption........................................................................................................................................ 392
Data Authentication.................................................................................................................................. 394
Key Exchange Algorithms ........................................................................................................................ 395
Chapter 34: PKI Certificates and SSL ........................................................................................................397
Supported Platforms ....................................................................................................................................... 398
Overview .........................................................................................................................................................399
Types of Certificates ....................................................................................................................................... 399
Distinguished Names ...................................................................................................................................... 401
SSL and Enhanced Stacking ..........................................................................................................................403
Guidelines .......................................................................................................................................................404
Technical Overview.........................................................................................................................................405
SSL Encryption......................................................................................................................................... 405
User Verification .......................................................................................................................................406
Authentication........................................................................................................................................... 406
Public Key Infrastructure .......................................................................................................................... 407
Public Keys............................................................................................................................................... 407
Message Encryption .................................................................................................................................407
Digital Signatures ..................................................................................................................................... 407
Certificates................................................................................................................................................ 408
Elements of a Public Key Infrastructure ................................................................................................... 409
Certificate Validation................................................................................................................................. 410
Certificate Revocation Lists (CRLs)..........................................................................................................410
PKI Implementation .................................................................................................................................. 411
Chapter 35: Secure Shell (SSH) ..................................................................................................................413
Supported Platforms ....................................................................................................................................... 414
Overview .........................................................................................................................................................415
Support for SSH..............................................................................................................................................416
SSH Server ..................................................................................................................................................... 417
SSH Clients..................................................................................................................................................... 418
SSH and Enhanced Stacking..........................................................................................................................419
SSH Configuration Guidelines ........................................................................................................................421
General Steps to Configuring SSH .................................................................................................................422
Chapter 36: TACACS+ and RADIUS Protocols .........................................................................................423
Supported Platforms ....................................................................................................................................... 424
Overview .........................................................................................................................................................425
Guidelines .......................................................................................................................................................427
Chapter 37: Management Access Control List .......................................................................................... 431
Supported Platforms ....................................................................................................................................... 432
Overview .........................................................................................................................................................433
Parts of a Management ACE ..........................................................................................................................434
IP Address ................................................................................................................................................ 434
Mask ......................................................................................................................................................... 434
Application ................................................................................................................................................434
Guidelines .......................................................................................................................................................435
Examples ........................................................................................................................................................ 436
Appendix A: AT-S63 Management Software Default Settings ................................................................. 439
Address Resolution Protocol Cache ...............................................................................................................441
Boot Configuration File ...................................................................................................................................442
BOOTP Relay Agent .......................................................................................................................................443
Class of Service .............................................................................................................................................. 444
Denial of Service Defenses.............................................................................................................................445
802.1x Port-Based Network Access Control ...................................................................................................446
Enhanced Stacking ......................................................................................................................................... 448
Ethernet Protection Switching Ring (EPSR) Snooping ................................................................................... 449
Event Logs ...................................................................................................................................................... 450
GVRP.............................................................................................................................................................. 451
IGMP Snooping .............................................................................................................................................. 452
Internet Protocol Version 4 Packet Routing.................................................................................................... 453
MAC Address-based Port Security................................................................................................................. 454
MAC Address Table ....................................................................................................................................... 455
Management Access Control List................................................................................................................... 456
Manager and Operator Account ..................................................................................................................... 457
Multicast Listener Discovery Snooping........................................................................................................... 458
Public Key Infrastructure ................................................................................................................................ 459
Port Settings ................................................................................................................................................... 460
RJ-45 Serial Terminal Port ............................................................................................................................. 461
Router Redundancy Protocol Snooping ......................................................................................................... 462
Server-based Authentication (RADIUS and TACACS+)................................................................................. 463
Server-based Authentication.................................................................................................................... 463
RADIUS Client ......................................................................................................................................... 463
TACACS+ Client ...................................................................................................................................... 463
Simple Network Management Protocol .......................................................................................................... 464
Simple Network Time Protocol ....................................................................................................................... 465
Spanning Tree Protocols (STP, RSTP, and MSTP) ....................................................................................... 466
Spanning Tree Switch Settings ................................................................................................................ 466
Spanning Tree Protocol ........................................................................................................................... 466
Rapid Spanning Tree Protocol ................................................................................................................. 466
Multiple Spanning Tree Protocol.............................................................................................................. 467
Secure Shell Server........................................................................................................................................ 468
Secure Sockets Layer .................................................................................................................................... 469
System Name, Administrator, and Comments Settings ................................................................................. 470
Telnet Server .................................................................................................................................................. 471
Virtual Router Redundancy Protocol .............................................................................................................. 472
VLANs ............................................................................................................................................................ 473
Web Server..................................................................................................................................................... 474
Appendix B: SNMPv3 Configuration Examples ........................................................................................ 475
SNMPv3 Configuration Examples .................................................................................................................. 476
SNMPv3 Manager Configuration ............................................................................................................. 476
SNMPv3 Operator Configuration ............................................................................................................. 477
SNMPv3 Worksheet................................................................................................................................. 478
Appendix C: Features and Standards ....................................................................................................... 481
10/100/1000Base-T Twisted Pair Ports.......................................................................................................... 482
Denial of Service Defenses ............................................................................................................................ 482
Ethernet Protection Switching Ring Snooping................................................................................................ 482
Fiber Optic Ports (AT-9408LC/SP Switch) ..................................................................................................... 483
File System..................................................................................................................................................... 483
DHCP and BOOTP Clients............................................................................................................................. 483
Internet Protocol Multicasting ......................................................................................................................... 483
Internet Protocol Version 4 Routing................................................................................................................ 483
MAC Address Table ....................................................................................................................................... 484
Management Access and Security ................................................................................................................. 484
Management Access Methods ....................................................................................................................... 485
Management Interfaces.................................................................................................................................. 485
Management MIBs ......................................................................................................................................... 485
Port Security ................................................................................................................................................... 486
Port Trunking and Mirroring............................................................................................................................ 486
Spanning Tree Protocols ................................................................................................................................ 486
System Monitoring.......................................................................................................................................... 486
Traffic Control ................................................................................................................................................. 487
Virtual LANs.................................................................................................................................................... 487
Virtual Router Redundancy Protocol .............................................................................................................. 488
Appendix D: MIB Objects ............................................................................................................................ 489
Access Control Lists ....................................................................................................................................... 490
Class of Service .............................................................................................................................................. 491
Date, Time, and SNTP Client..........................................................................................................................492
Denial of Service Defenses.............................................................................................................................493
Enhanced Stacking ......................................................................................................................................... 494
GVRP.............................................................................................................................................................. 495
MAC Address Table........................................................................................................................................497
Management Access Control List ...................................................................................................................498
Miscellaneous ................................................................................................................................................. 499
Port Mirroring .................................................................................................................................................. 500
Quality of Service............................................................................................................................................501
Port Configuration and Status......................................................................................................................... 503
Spanning Tree ................................................................................................................................................504
Static Port Trunk ............................................................................................................................................. 505
VLANs............................................................................................................................................................. 506
Index .............................................................................................................................................................. 509

Figures

Figure 1: Static Port Trunk Example.....................................................................................................................................77
Figure 2: Example of Multiple Aggregators for Multiple Aggregate Trunks ..........................................................................84
Figure 3: Example of an Aggregator with Multiple Trunks....................................................................................................85
Figure 4: User Priority and VLAN Fields within an Ethernet Frame....................................................................................114
Figure 5: ToS field in an IP Header ....................................................................................................................................115
Figure 6: ACL Example 1 ...................................................................................................................................................125
Figure 7: ACL Example 2 ...................................................................................................................................................126
Figure 8: ACL Example 3 ...................................................................................................................................................127
Figure 9: ACL Example 4 ...................................................................................................................................................128
Figure 10: ACL Example 5 .................................................................................................................................................128
Figure 11: ACL Example 6 .................................................................................................................................................129
Figure 12: DiffServ Domain Example .................................................................................................................................151
Figure 13: QoS Voice Application Example........................................................................................................................154
Figure 14: QoS Video Application Example........................................................................................................................156
Figure 15: QoS Critical Database Example ........................................................................................................................157
Figure 16: Policy Component Hierarchy Example ..............................................................................................................159
Figure 17: Double Fault Condition in EPSR Snooping .......................................................................................................192
Figure 18: MIB Tree............................................................................................................................................................202
Figure 19: SNMPv3 User Configuration Process ...............................................................................................................206
Figure 20: SNMPv3 Message Notification Process ............................................................................................................207
Figure 21: Point-to-Point Ports ...........................................................................................................................................221
Figure 22: Edge Port ..........................................................................................................................................................222
Figure 23: Point-to-Point and Edge Port.............................................................................................................................222
Figure 24: VLAN Fragmentation.........................................................................................................................................224
Figure 25: VLAN Fragmentation with STP or RSTP...........................................................................................................229
Figure 26: MSTP Example of Two Spanning Tree Instances ............................................................................................230
Figure 27: Multiple VLANs in a MSTI..................................................................................................................................231
Figure 28: Multiple Spanning Tree Region .........................................................................................................................236
Figure 29: CIST and VLAN Guideline - Example 1.............................................................................................................241
Figure 30: CIST and VLAN Guideline - Example 2.............................................................................................................242
Figure 31: Spanning Regions - Example 1 .........................................................................................................................243
Figure 32: Port-based VLAN - Example 1 ..........................................................................................................................254
Figure 33: Port-based VLAN - Example 2 ..........................................................................................................................255
Figure 34: Example of a Tagged VLAN..............................................................................................................................259
Figure 35: GVRP Example .....................................................................................................................................................264
Figure 36: GARP Architecture ............................................................................................................................................270
Figure 37: GID Architecture................................................................................................................................................271
Figure 38: Example of a MAC Address-based VLAN Spanning Switches .........................................................................291
Figure 39: Example of the Supplicant Role ........................................................................................................................362
Figure 40: Authenticator Port in Single Operating Mode with a Single Client.....................................................................364
Figure 41: Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 1 ................................365
Figure 42: Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 2 ................................366
Figure 43: Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 3 ................................367
Figure 44: Authenticator Port in Multiple Operating Mode - Example 1..............................................................................368
Figure 45: Authenticator Port in Multiple Operating Mode - Example 2..............................................................................369
Figure 46: SSH Remote Management of a Slave Switch ...................................................................................................419

Tables

Table 1: AT-9400 Switch Features ......................................................................................................................................31
Table 2: Management Interfaces and Features ...................................................................................................................36
Table 3: Twisted Pair Ports Matched with GBIC and SFP Slots ..........................................................................................47
Table 4: New Features in AT-S63 Version 3.0.0 .................................................................................................................49
Table 5: New Features in AT-S63 Version 2.1.0 .................................................................................................................50
Table 6: New Features in AT-S63 Version 2.0.0 .................................................................................................................50
Table 7: New Features in AT-S63 Version 1.3.0 .................................................................................................................51
Table 8: New Features in AT-S63 Version 1.2.0 .................................................................................................................52
Table 9: File Extensions and File Types ............................................................................................................................102
Table 10: Default Mappings of IEEE 802.1p Priority Levels to Priority Queues ................................................................134
Table 11: Customized Mappings of IEEE 802.1p Priority Levels to Priority Queues .........................................................134
Table 12: Example of Weighted Round Robin Priority ......................................................................................................137
Table 13: Example of a Weight of Zero for Priority Queue 7 .............................................................................................137
Table 14: Bridge Priority Value Increments .......................................................................................................................216
Table 15: STP Auto-Detect Port Costs ..............................................................................................................................217
Table 16: STP Auto-Detect Port Trunk Costs ....................................................................................................................218
Table 17: RSTP Auto-Detect Port Costs ...........................................................................................................................218
Table 18: RSTP Auto-Detect Port Trunk Costs .................................................................................................................218
Table 19: Port Priority Value Increments ...........................................................................................................................219
Table 20: 802.1Q-Compliant Multiple VLAN Example .......................................................................................................276
Table 21: Mappings of MAC Addresses to Egress Ports Example ....................................................................................288
Table 22: Revised Example of Mappings of MAC Addresses to Egress Ports ..................................................................289
Table 23: Example of a MAC Address-based VLAN Spanning Switches ..........................................................................292
Table 24: ICMP Messages Implemented on the AT-9400 Switch .....................................................................................316
Table 25: IPv4 Routing Example .......................................................................................................................................324
Table 26: Access Control Lists (AtiStackSwitch MIB) ........................................................................................................490
Table 27: CoS Scheduling (AtiStackSwitch MIB) ..............................................................................................................491
Table 28: CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB) ........................................................................491
Table 29: CoS Packet Weights of Egress Queues (AtiStackSwitch MIB) .........................................................................491
Table 30: CoS Port Settings (AtiStackSwitch MIB) ............................................................................................................491
Table 31: Date, Time, and SNTP Client (AtiStackSwitch MIB) ..........................................................................................492
Table 32: LAN Address and Subnet Mask (AtiStackSwitch MIB) ......................................................................................493
Table 33: Denial of Service Defenses (AtiStackSwitch MIB) .............................................................................................493
Table 34: Switch Mode and Discovery (AtiStackInfo MIB) ................................................................................................494
Table 35: Switches of an Enhanced Stack (AtiStackInfo MIB) ..........................................................................................494
Table 36: GVRP Switch Configuration (AtiStackSwitch MIB) ............................................................................................495
Table 37: GVRP Port Configuration (AtiStackSwitch MIB) ................................................................................................495
Table 38: GVRP Counters (AtiStackSwitch MIB) ..............................................................................................................495
Table 39: MAC Address Table (AtiStackSwitch MIB) ........................................................................................................497
Table 40: Static MAC Address Table (AtiStackSwitch MIB) ..............................................................................................497
Table 41: Management Access Control List Status (AtiStackSwitch MIB) ........................................................................498
Table 42: Management Access Control List Entries (AtiStackSwitch MIB) .......................................................................498
Table 43: System Reset (AtiStackSwitch MIB) ..................................................................................................................499
Table 44: Local Interface (AtiStackSwitch MIB) .................................................................................................................499
Table 45: Saving the Configuration and Returning to Default Settings (AtiStackSwitch MIB) ...........................................499
Table 46: Port Mirroring (AtiStackSwitch MIB) ..................................................................................................................500
Table 47: Flow Groups (AtiStackSwitch MIB) ....................................................................................................................501
Table 48: Traffic Classes (AtiStackSwitch MIB) ................................................................................................................501
Table 49: Policies (AtiStackSwitch MIB) ............................................................................................................................502
Table 50: Port Configuration and Status (AtiStackSwitch MIB) ........................................................................................503
Table 51: Spanning Tree (AtiStackSwitch MIB) .................................................................................................................504
Table 52: Static Port Trunks (AtiStackSwitch MIB) ...........................................................................................................505
Table 53: VLAN Table (AtiStackSwitch MIB) .....................................................................................................................506
Table 54: VLAN Table (AtiStackSwitch MIB) .....................................................................................................................506
Table 55: VLAN Mode and Uplink Port (AtiStackSwitch MIB) ...........................................................................................506
Table 56: PVID Table (AtiStackSwitch MIB) ......................................................................................................................507

Preface

This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software.
This preface contains the following sections:
“How This Guide is Organized” on page 18
“Product Documentation” on page 20
“Where to Go First” on page 21
“Starting a Management Session” on page 22
“Document Conventions” on page 23
“Where to Find Web-based Guides” on page 24
“Contacting Allied Telesis” on page 25
Caution
The software described in this documentation contains certain cryptographic functionality and its export is restricted by U.S. law. As of this writing, it has been submitted for review as a “retail encryption item” in accordance with the Export Administration Regulations, 15 C.F.R. Part 730-772, promulgated by the U.S. Department of Commerce, and conditionally may be exported in accordance with the pertinent terms of License Exception ENC (described in 15 C.F.R. Part 740.17). In no case may it be exported to Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria. If you wish to transfer this software outside the United States or Canada, please contact your local Allied Telesis sales representative for current information on this product’s export status.

How This Guide is Organized

This guide has the following sections and chapters:
Section I: Basic Operations
Chapter 1, “Overview” on page 29
Chapter 2, “Enhanced Stacking” on page 55
Chapter 3, “SNMPv1 and SNMPv2c” on page 65
Chapter 4, “MAC Address Table” on page 71
Chapter 5, “Static Port Trunks” on page 75
Chapter 6, “LACP Port Trunks” on page 81
Chapter 7, “Port Mirror” on page 93
Section II: Advanced Operations
Chapter 8, “File System” on page 99
Chapter 9, “Event Logs and the Syslog Client” on page 105
Chapter 10, “Classifiers” on page 109
Chapter 11, “Access Control Lists” on page 119
Chapter 12, “Class of Service” on page 131
Chapter 13, “Quality of Service” on page 139
Chapter 14, “Denial of Service Defenses” on page 161
Section III: Snooping Protocols
Chapter 15, “IGMP Snooping” on page 175
Chapter 16, “MLD Snooping” on page 179
Chapter 17, “RRP Snooping” on page 183
Chapter 18, “Ethernet Protection Switching Ring Snooping” on page 187
Section IV: SNMPv3
Chapter 19, “SNMPv3” on page 197
Section V: Spanning Tree Protocols
Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213
Chapter 21, “Multiple Spanning Tree Protocol” on page 225
Section VI: Virtual LANs
Chapter 22, “Port-based and Tagged VLANs” on page 247
Chapter 23, “GARP VLAN Registration Protocol” on page 261
Chapter 24, “Multiple VLAN Modes” on page 273
Chapter 25, “Protected Ports VLANs” on page 279
Chapter 26, “MAC Address-based VLANs” on page 285
Section VII: Routing
Chapter 27, “Internet Protocol Version 4 Packet Routing” on page 299
Chapter 28, “BOOTP Relay Agent” on page 331
Chapter 29, “Virtual Router Redundancy Protocol” on page 337
Section VIII: Port Security
Chapter 30, “MAC Address-based Port Security” on page 349
Chapter 31, “802.1x Port-based Network Access Control” on page 355
Section IX: Management Security
Chapter 32, “Web Server” on page 381
Chapter 33, “Encryption Keys” on page 387
Chapter 34, “PKI Certificates and SSL” on page 397
Chapter 35, “Secure Shell (SSH)” on page 413
Chapter 36, “TACACS+ and RADIUS Protocols” on page 423
Chapter 37, “Management Access Control List” on page 431
Appendices
Appendix A, “AT-S63 Management Software Default Settings” on page 439
Appendix B, “SNMPv3 Configuration Examples” on page 475
Appendix C, “Features and Standards” on page 481
Appendix D, “MIB Objects” on page 489

Product Documentation

For overview information on the features of the AT-9400 Switch and the AT-S63 Management Software, refer to:
AT-S63 Management Software Features Guide
(PN 613-000801)
For instructions on starting a local or remote management session, refer to:
Starting an AT-S63 Management Session Guide
(PN 613-000817)
For instructions on installing or managing stand-alone switches, refer to:
AT-9400 Gigabit Ethernet Switch Installation Guide
(PN 613-000357)
AT-S63 Management Software Menus Interface User’s Guide
(PN 613-50570-00)
AT-S63 Management Software Command Line Interface User’s Guide
(PN 613-50571-00)
AT-S63 Management Software Web Browser Interface User’s Guide
(PN 613-50592-00)
For instructions on installing or managing a stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module, refer to:
AT-9400 Stack Installation Guide
(PN 613-000796)
AT-S63 Stack Command Line Interface User’s Guide
(PN 613-000777)

Where to Go First

Allied Telesis recommends that you read Chapter 1, “Overview” on page 29 in this guide before you begin to manage the switch for the first time. There you will find a variety of basic information about the unit and the management software, such as the two manager access levels and the different types of management sessions.
This guide is also your resource for background information on the features of the switch. You can refer here for the relevant concepts and guidelines when you configure a feature for the first time.

Starting a Management Session

For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide.

Document Conventions

This document uses the following conventions:
Note
Notes provide additional information.
Caution
Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning
Warnings inform you that performing or omitting a specific action may result in bodily injury.

Where to Find Web-based Guides

The installation and user guides for all Allied Telesis products are available in portable document format (PDF) on our web site at www.alliedtelesis.com. You can view the documents online or download them onto a local workstation or server.

Contacting Allied Telesis

This section provides Allied Telesis contact information for technical support as well as sales and corporate information.

Online Support

You can request technical support online by accessing the Allied Telesis Knowledge Base: http://kb.alliedteleisn.com. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.

Email and Telephone Support

For Technical Support via email or telephone, refer to the Support & Services section of the Allied Telesis web site: www.alliedtelesis.com.

Returning Products

Products for return or repair must first be assigned a return materials authorization (RMA) number. A product sent to Allied Telesis without an RMA number will be returned to the sender at the sender’s expense.
To obtain an RMA number, contact Allied Telesis Technical Support through our web site: www.alliedtelesis.com.

Sales or Corporate Information

You can contact Allied Telesis for sales or corporate information through our web site: www.alliedtelesis.com. To find the contact information for your country, select Contact Us -> Worldwide Contacts.

Management Software Updates

New releases of management software for our managed products are available from the following Internet sites:
Allied Telesis web site: www.alliedtelesis.com
Allied Telesis FTP server: ftp://ftp.alliedtelesis.com
FTP client software is required to download new software from the Allied Telesis FTP server using your workstation’s command prompt. Furthermore, you must log in to the server. The user name is “anonymous” and the password is your email address.

Section I

Basic Operations

The chapters in this section contain background information on basic switch features. The chapters include:
Chapter 1, “Overview”
Chapter 2, “Enhanced Stacking”
Chapter 3, “SNMPv1 and SNMPv2c”
Chapter 4, “MAC Address Table”
Chapter 5, “Static Port Trunks”
Chapter 6, “LACP Port Trunks”
Chapter 7, “Port Mirror”

Chapter 1

Overview

This chapter has the following sections:
“Layer 2+ and Basic Layer 3 Switches”
“AT-S63 Management Software”
“Management Interfaces and Features”
“Management Access Methods”
“Manager Access Levels”
“Installation and Management Configurations”
“IP Configuration”
“Redundant Twisted Pair Ports”
“History of New Features”

Layer 2+ and Basic Layer 3 Switches

The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups:
Layer 2+ Switches
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Basic Layer 3 Switches
AT-9424T
AT-9424Ts
AT-9424Ts/XP
AT-9448T/SP
AT-9448Ts/XP
The switches of the two groups offer many of the same features and capabilities. However, there are a couple of significant differences. For instance, the Internet Protocol Version 4 packet routing feature is only supported on the Basic Layer 3 switches and is the reason for the group’s name. For a list of the supported features, refer to Table 1. The switches are numbered in the table as follows:
Layer 2+ switches:
1 - AT-9408LC/SP
2 - AT-9424T/GB
3 - AT-9424T/SP
Basic Layer 3 switches:
4 - AT-9424T
5 - AT-9424Ts
6 - AT-9424Ts/XP
7 - AT-9448T/SP
8 - AT-9448Ts/XP
The Stack column lists the features supported in a stack of Basic Layer 3 switches and the AT-StackXG Stacking Module. For more information, refer to “Stacking” on page 44.
Table 1. AT-9400 Switch Features
(Y = supported feature)
Columns: switches 1 to 8 (1 to 3 are the Layer 2+ Switches, Version 2.2.0; 4 to 8 are the Basic Layer 3 Switches, Version 3.0.0), followed by Stack (note 1).

Basic Operations
Local management YYYYYYYY Y
Remote Telnet management YYYYYYYY Y
Remote Secure Shell management YYYYYYYY
Remote web browser management YYYYYYYY
TCP/IP pings YYYYYYYY Y
Enhanced stacking YYYYYYYY
Simple Network Time Protocol (SNTP) YYYYYYYY Y
SNMPv1 and SNMPv2 YYYYYYYY
Port statistics YYYYYYYY Y
Static port trunks YYYYYYYY Y
Link Aggregation Control Protocol (LACP) trunks YYYYYYYY
Port mirroring YYYYYYYY Y

Advanced Operations
File system YYYYYYYY Y (note 2)
Event logs YYYYYYYY Y (note 3)
TFTP client YYYYYYYY Y
Syslog client YYYYYYYY Y
Classifiers YYYYYYYY
Access control lists YYYYYYYY
Class of Service YYYYYYYY Y
Quality of Service YYYYYYYY
Denial of service defenses YYYYYYYY

Snooping Protocols
Internet Group Management Protocol (IGMP) snooping YYYYYYYY
Multicast Listener Discovery (MLD) snooping YYYYYYYY
Router Redundancy Protocol (RRP) snooping YYYYYYYY
Ethernet Protection Switching Ring (EPSR) snooping YYYYY

SNMPv3
SNMPv3 YYYYYYYY

Spanning Tree Protocols
Spanning Tree Protocol (STP) YYYYYYYY Y
Rapid Spanning Tree Protocol (RSTP) YYYYYYYY Y
Multiple Spanning Tree Protocol (MSTP) YYYYYYYY

Virtual LANs
Port-based and tagged VLANs YYYYYYYY Y
802.1Q-compliant and non-802.1Q-compliant multiple VLAN modes YYYYYYYY
GARP VLAN Registration Protocol YYYYYYYY
Protected ports VLANs YYYYYYYY
MAC address-based VLANs YYYYY

Internet Protocol Routing
Internet Protocol version 4 packet routing YYYYY
One routing interface (note 4) YYYYYYYY Y
Virtual Router Redundancy Protocol YYYYY
BOOTP and DHCP clients YYYYYYYY Y
BOOTP relay agent YYYYY

Port Security
MAC address-based port security YYYYYYYY
802.1x port-based network access control YYYYYYYY

Management Security
Encryption keys YYYYYYYY
Public Key Infrastructure (PKI) certificates and Secure Sockets Layer (SSL) protocol YYYYYYYY
Remote Secure Shell management YYYYYYYY
TACACS+ and RADIUS authentication YYYYYYYY
Management access control list YYYYYYYY

1. Basic Layer 3 switches using version 3.0.0 of the management software and the AT-StackXG Stacking Module.
2. The only accessible file system in a stack is on the master switch.
3. The master switch has the only active event logs in a stack.
4. Used to assign the switch or stack an IP configuration.

AT-S63 Management Software

The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged unit.
Note
The default settings are listed in Appendix A, “AT-S63 Management Software Default Settings” on page 439.
You can access the management software on the switch in several different ways. You can manage the switch locally (out-of-band) using the Terminal Port on the front panel or over a network (in-band) using a Telnet or Secure Shell client, or a web browser. For further information, refer to “Management Access Methods” on page 41.
The management software has three management interfaces -- a menus interface, a command line interface, and a web browser interface. You can use any of the interfaces to perform basic configuration procedures. But some of the newer and more complex features, such as Virtual Router Redundancy Protocol (VRRP), must be configured with the command line interface. For more information, refer to “Management Interfaces and Features” on page 36.
There are two current versions of the management software, Version 2.2.0 and Version 3.0.0. Version 2.2.0 is for the Layer 2+ switches:
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Version 3.0.0 is for the Basic Layer 3 switches:
AT-9424T
AT-9424Ts
AT-9424Ts/XP
AT-9448T/SP
AT-9448Ts/XP
Note
Do not install version 3.0.0 on a Layer 2+ switch.

Management Interfaces and Features

The AT-S63 Management Software has three management interfaces:
Menus interface
Command line interface
Web browser interface
You can use the menus and command line interfaces from a local management session through the Terminal Port on the switch or remotely with a Telnet or Secure Shell client. The web browser interface is used from remote HTTP and HTTPS sessions using a web browser.
You can configure all the features and parameters of the switch from the command line interface. However, the menus interface and the web browser interface are limited in the number of functions that you can perform. For example, you can configure the basic port settings (e.g., speed and duplex mode) for any interface, but VRRP can only be configured using the command line interface.
Table 2 lists the functions supported by the three management interfaces.
Note
A stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module must be configured from the command line interface.
Table 2. Management Interfaces and Features
(Y = supported feature)
Interface columns: Command Line Interface, Menus Interface, Web Browser Interface.

Basic Operations
Switch’s name, location, and contact Y Y Y
Manager and operator passwords Y Y Y
Date and time (manual and SNTP) Y Y Y
Rebooting a switch Y Y Y
TCP/IP pings Y Y Y
Enhanced stacking Y Y Y
SNMPv1 and SNMPv2 community strings Y Y Y
Port parameters Y Y Y
Port statistics Y Y Y
MAC address table Y Y Y
Static MAC addresses Y Y Y
Static port trunks Y Y Y
Link Aggregation Control Protocol (LACP) trunks Y Y
Port mirroring Y Y Y
Baud rate of the Terminal Port Y Y
Management console timer Y Y
Telnet server Y Y
Console startup mode Y Y

Advanced Operations
File system and configuration files Y Y Y (note 1)
Format flash memory Y
File uploads and downloads Y Y Y (note 2)
Event logs Y Y Y (note 3)
Syslog client Y Y Y
Classifiers Y Y Y
Access control lists Y Y Y
Class of Service Y Y Y
Quality of Service Y Y Y
Denial of service defenses Y Y Y

Snooping Protocols
Internet Group Management Protocol (IGMP) snooping Y Y Y
Multicast Listener Discovery (MLD) snooping Y Y
Router Redundancy Protocol (RRP) snooping Y Y
Ethernet Protection Switching Ring (EPSR) snooping Y

SNMPv3
SNMPv3 Y Y Y

Spanning Tree Protocols
Spanning Tree Protocol (STP) Y Y Y
Rapid Spanning Tree Protocol (RSTP) Y Y Y
Multiple Spanning Tree Protocol (MSTP) Y Y Y

Virtual LANs
Port-based and tagged VLANs Y Y Y
802.1Q-compliant and non-802.1Q-compliant multiple VLAN modes Y Y Y
GARP VLAN Registration Protocol Y Y Y
Protected ports VLANs Y Y
MAC address-based VLANs Y Y

Internet Protocol Routing
Routing interfaces Y Y
Static routes Y
Routing Information Protocol (RIP) Y
Address Resolution Protocol (ARP) table Y
BOOTP and DHCP clients Y Y
BOOTP relay agent Y
Virtual Router Redundancy Protocol Y

Port Security
MAC address-based port security Y Y Y
802.1x port-based network access control Y Y Y

Management Security
Web server Y Y
Encryption keys Y Y Y (note 4)
Public Key Infrastructure (PKI) certificates and Secure Sockets Layer (SSL) protocol Y Y Y (note 5)
Secure Shell server Y Y Y
TACACS+ and RADIUS authentication Y Y Y
Management access control list Y Y Y

1. From the web browser interface you can view the files in the file system of the switch and on a compact flash card, but you cannot: copy, rename, or delete them; change directories on a compact flash card; or create a new switch configuration file.
2. You cannot upload or download files to a compact flash card with the web browser interface. Also, the interface does not support switch-to-switch uploads.
3. You cannot modify the event log full action from the web browser interface.
4. You can view the encryption keys from the web browser interface, but you cannot create or delete them.
5. You can view the PKI certificates and the SSL and PKI settings from the web browser interface, but you cannot create or delete certificates; create or delete certificate enrollment requests; or change the settings.

Management Access Methods

You can access the AT-S63 Management Software on the switch several ways:
Local session
Remote Telnet session
Remote Secure Shell (SSH) session
Remote web browser (HTTP or HTTPS) session
Remote SNMP session

Local Management Sessions
You establish a local management session to the switch by connecting a terminal or a PC with a terminal emulator program to the Terminal Port on the front panel using the management cable included with the unit. A local management session must be performed at the switch, hence the name “local.”
The switch does not need an Internet Protocol (IP) configuration for local management. You can use either the command line interface or the menus interface from a local management session. The web browser interface is not available from this type of management session.
Note
In most cases, the initial management session of a switch must be a local management session.

Remote Telnet Sessions
The AT-S63 Management Software comes with a Telnet server for remote management of the unit from a Telnet client on your network using the menus interface or the command line interface.

Remote Secure Shell (SSH) Sessions
Also included in the AT-S63 Management Software is a Secure Shell (SSH) server for remote management from an SSH client on your network. An SSH management session is similar to a Telnet management session except it uses encryption to protect the management sessions from snooping.

Remote Web Browser Session
The AT-S63 Management Software also comes with a web browser server and a web browser interface for remote management using a web browser at a workstation on your network. A web browser session can be either non-encrypted (HTTP) or encrypted (HTTPS).

Remote SNMP Management
You can also remotely configure the switch using a Simple Network Management Protocol (SNMP) application, such as AT-View. This management method requires an understanding of management information base (MIB) objects.
The AT-S63 Management Software supports the following MIBs:
SNMP MIB-II (RFC 1213)
Bridge MIB (RFC 1493)
Interface Group MIB (RFC 2863)
Ethernet MIB (RFC 1643)
Remote Network MIB (RFC 1757)
Allied Telesis managed switch MIBs
The Allied Telesis managed switch MIBs (atistackinfo.mib and atistackswitch.mib) are available from the Allied Telesis web site.
Note
The switch must have an IP address for remote Telnet, SSH, or SNMP management. For background information, refer to “IP Configuration” on page 46.

Manager Access Levels

The AT-S63 Management Software has two manager access levels: manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level lets you only view the parameter settings.
You log in by entering the appropriate username and password when you start a management session. To log in as a manager, type “manager” as the login name. The default password is “friend.” The username for operator is “operator” and the default password is also “operator.” The usernames and passwords are case sensitive.
There can be only one manager session on a switch at a time. However, there can be up to nine simultaneous operator sessions if there is no active manager session, or eight operator sessions if there is an active manager session.

Installation and Management Configurations

The AT-9400 Switches can be installed in three configurations.

Stand-alone Switch
All the AT-9400 Switches can be installed and operated as managed or unmanaged, stand-alone Gigabit Ethernet switches. Stand-alone switches are managed by initiating a local or remote session on the unit.

Enhanced Stacking
You can simplify the management of the switches in your network by connecting them together into an enhanced stack. This feature allows you to quickly and easily transition during a management session between the different switches in the network. When you are finished managing one switch in an enhanced stack, you can redirect the session to another unit without having to end the initial session.
It is important to note, however, that even though the switches of an enhanced stack can be managed from the same management session, they operate as independent units, just like stand-alone switches, and are configured individually.
Other highlights to the enhanced stacking feature are:
The switches are connected by a common virtual LAN.
The devices can be located across a large geographical area.
All AT-9400 Switches support this feature.
For more information, refer to Chapter 2, “Enhanced Stacking” on page 55.

Stacking
Three models in the AT-9400 Basic Layer 3 Series support a third installation configuration called stacking. Built with the AT-StackXG Stacking Module, a stack merges and synchronizes the network operations of two or more AT-9400 Switches to form a single, logical unit so that network functions, like the spanning tree protocols, virtual LANs, and static port trunks, can span all the Gigabit Ethernet ports of the units in the stack.
There are two principal advantages of a stack over stand-alone switches. First, you can configure the switches of a stack simultaneously from the same management session, rather than individually from different sessions, simplifying management.
A stack also offers more flexibility in customizing the features of the switches for your network. For instance, the ports of a static port trunk on a stand-alone switch must be members of the same switch, while the ports of a static trunk on a stack can be selected from different switches in the same stack.
Here are the main points of stacking:
The AT-9400 Gigabit Ethernet Switches operate as a single, logical unit where functions, such as port trunks and port mirrors, can span all of the devices in the stack.
The switches are managed as a unit.
The switches share a common MAC address table.
The switches must be installed in the same wiring closet in the same equipment rack.
The switches are cabled together with the AT-StackXG Stacking Module.
This stack feature is only supported on the AT-9424Ts, AT-9424Ts/XP, and AT-9448Ts/XP Switches.
For more information on stacking, refer to Chapter 1, Overview in the AT-S63 Stack Command Line Interface User’s Guide.

IP Configuration

Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your network, like a Simple Network Time Protocol server for setting its date and time, or a TFTP server for uploading or downloading files? If so, then the switch will need an IP configuration.
To assign an IP configuration to the switch, you need to create a routing interface. This takes planning because there are a number of factors that have to be taken into account. For example, you need to know if the switch is an AT-9400 Layer 2+ Switch, which supports only one routing interface, or an AT-9400 Basic Layer 3 Switch, which supports more than one routing interface. If the answer is the latter, you also have to consider whether your plans include implementing Internet Protocol version 4 packet routing on the switch. Furthermore, since routing interfaces are assigned to virtual LANs (VLANs), you might need to create one or more VLANs on the switch.
For background information, refer to “Routing Interfaces and Management Features” on page 318 in Chapter 27, “Internet Protocol Version 4 Packet Routing” on page 299. If your plans include implementing IPv4 packet routing, you should probably read that entire chapter. For background information on VLANs, refer to Chapter 22, “Port-based and Tagged VLANs” on page 247.

Redundant Twisted Pair Ports

Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are paired together. The twisted pair ports are identified with the letter “R” for “Redundant” as part of their number on the front faceplate of the unit. The switch models with paired ports and slots are listed in Table 3.
Table 3. Twisted Pair Ports Matched with GBIC and SFP Slots
Model: Ports and Slots
AT-9424T/GB: 23R with GBIC slot 23; 24R with GBIC slot 24
AT-9424T/SP: 23R with SFP slot 23; 24R with SFP slot 24
AT-9424T, AT-9424Ts and AT-9424Ts/XP: 21R with SFP slot 21; 22R with SFP slot 22; 23R with SFP slot 23; 24R with SFP slot 24
AT-9448T/SP: 45R with SFP slot 45; 46R with SFP slot 46; 47R with SFP slot 47; 48R with SFP slot 48
Follow these guidelines when using these ports and slots:
Only one port in a pair, either the twisted pair port or the companion GBIC or SFP module, can be active at a time.
The twisted pair port is the active port when its GBIC or SFP slot is empty, or when a GBIC or SFP module is installed but has not established a link to an end node.
The twisted pair port automatically changes to the redundant status mode when a GBIC or SFP module establishes a link with an end node.
A twisted pair port automatically transitions back to the active status when the link is lost on the GBIC or SFP module.
A twisted pair port and a GBIC or SFP module share the same configuration settings, including port settings, VLAN assignments, access control lists, and spanning tree.
The only exception to shared settings is port speed. If you disable Auto-Negotiation on a twisted pair port and set the speed and duplex mode manually, the speed reverts to Auto-Negotiation when a GBIC or SFP module establishes a link with an end node.
Note
These guidelines do not apply to the SFP slots on the AT-9408LC/SP switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP switches.

History of New Features

The following sections contain the history of new features in the AT-S63 Management Software.

Version 3.0.0
Table 4 lists the new features in version 3.0.0 of the AT-S63 Management Software.
Table 4. New Features in AT-S63 Version 3.0.0

Feature: Stacking with the AT-StackXG Stacking Module
Change: New feature. For information, refer to Chapter 1, Overview in the AT-S63 Stack Command Line Interface User’s Guide.

Feature: Virtual Router Redundancy Protocol (VRRP)
Change: New feature. For information, refer to Chapter 29, “Virtual Router Redundancy Protocol” on page 337.

Feature: Ethernet Protection Switching Ring (EPSR) snooping
Change: New feature. For information, refer to Chapter 18, “Ethernet Protection Switching Ring Snooping” on page 187.

Feature: Internet Protocol version 4 packet routing
Change: Added the following new features:
Split horizon with poison reverse
Auto-summarization of routes
DHCP/BOOTP relay

Feature: 802.1x port-based network access control
Change: Added the following authentication methods:
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security)
PEAP (Protected Extensible Authentication Protocol)

Version 2.1.0
Table 5 lists the new features in version 2.1.0.
Table 5. New Features in AT-S63 Version 2.1.0

Feature: Internet Protocol version 4 packet routing
Change: Added the following new features:
Equal Cost Multi-path (ECMP) for supporting multiple routes in the routing table to the same remote destination.
Variable length subnet masks for the IP addresses of routing interfaces and static and dynamic routes.

Version 2.0.0
Table 6 lists the new feature in version 2.0.0 of the AT-S63 Management Software.
Table 6. New Features in AT-S63 Version 2.0.0

Feature: Internet Protocol version 4 packet routing with:
Routing interfaces
Static routes
Router Information Protocol (RIP) versions 1 and 2
Change: New feature.

Version 1.3.0
Table 7 lists the new features in version 1.3.0 of the AT-S63 Management Software.
Table 7. New Features in AT-S63 Version 1.3.0

Feature: 802.1x Port-based Network Access Control
Change: Added the following new features:
Guest VLAN. For background information, see “Guest VLAN” on page 372.
VLAN Assignment and Secure VLAN for supporting dynamic VLAN assignments from a RADIUS authentication server for supplicant accounts. For background information, see “Supplicant and VLAN Associations” on page 370.
MAC address-based authentication as an alternative to 802.1x username and password authentication. For background information, refer to “Authentication Modes” on page 360.

Feature: Management Access Control List
Change: Simplified the menu interface for managing the access control entries in the Management ACL.

Version 1.2.0
Table 8 lists the new features in version 1.2.0.
Table 8. New Features in AT-S63 Version 1.2.0

Feature: MAC Address Table
Change: Added the following new parameters to the CLI commands for displaying and deleting specific types of MAC addresses in the MAC address table:
STATIC, STATICUNICAST, and STATICMULTICAST for displaying and deleting static unicast and multicast MAC addresses.
DYNAMIC, DYNAMICUNICAST, and DYNAMICMULTICAST for displaying and deleting dynamic unicast and multicast MAC addresses.

Feature: Quality of Service
Change: Added the following new parameters to QoS flow groups, traffic classes, and policies:
ToS parameter for replacing the Type of Service field of IPv4 packets.
Move ToS to Priority parameter for replacing the value in the 802.1p priority field with the value in the ToS priority field in IPv4 packets.
Move Priority to ToS parameter for replacing the value in the ToS priority field with the 802.1p priority field in IPv4 packets.
Send to Mirror Port parameter for copying traffic to a destination mirror port (policies only)

Feature: MLD Snooping
Change: New feature.

Feature: MAC Address-based VLANs
Change: New feature.

Feature: 802.1x Port-based Network Access Control
Change: Added a new parameter to authenticator ports:
Supplicant Mode for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator Ports with Single and Multiple Supplicants” on page 363.

Chapter 2

Enhanced Stacking

This chapter contains the following sections:
“Supported Platforms”
“Overview”
“Master and Slave Switches”
“Common VLAN”
“Master Switch and the Local Interface”
“Slave Switches”
“Enhanced Stacking Compatibility”
“Enhanced Stacking Guidelines”
“General Steps”

Supported Platforms

This feature is supported on the following AT-9400 Switches:
Layer 2+ Models:
AT-9408LC/SP
AT-9424T/GB
AT-9424T/SP
Basic Layer 3 Models:
AT-9424T
AT-9424Ts
AT-9424Ts/XP
AT-9448T/SP
AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module:
Not supported
This feature can be managed from all three management interfaces in the AT-S63 Management Software:
Command line interface
Menus interface
Web browser interface

Overview

Having to manage a large number of network devices typically involves starting a separate management session on each device. This usually means having to end one management session in order to start a new session on another unit.
The enhanced stacking feature can simplify this task because it allows you to easily transition among the different AT-9400 Switches in your network from just one management session. This reduces the need of having to end a management session when you need to manage another switch.
It should be noted that the individual switches of an enhanced stack function autonomously. They do not form what is commonly referred to as a “virtual stack,” where the switches act as a logical unit. Rather, each switch in an enhanced stack functions independently of the others.
Note
Starting with version 2.0.0 of the AT-S63 Management Software, several significant changes have been made to the implementation of the enhanced stacking feature. Allied Telesis recommends reviewing the information in this section before using this feature, even if you are familiar with it from earlier versions of the AT-S63 Management Software or from other Allied Telesis Ethernet switches that support this feature.

Master and Slave Switches

An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other switches.
The other switches in the stack are known as slave switches. They can be managed through the master switch or directly, such as from a local management session.
An enhanced stack can have more than one master switch. Multiple master switches can lessen the impact on your network management should you need to remove a master switch from the network, such as for maintenance purposes.

Common VLAN

A master switch searches for the other switches in an enhanced stack by sending a broadcast packet out a local subnet. (The designation of this subnet is explained in “Master Switch and the Local Interface,” next.) Since a broadcast packet cannot cross a router or a VLAN boundary, you must connect the switches of an enhanced stack with a common VLAN. The VLAN acts as the transfer path for the broadcast packets from the master switch to the slave switches and also serves as the path for other management packets.
Here are several things to keep in mind as you plan the common VLAN of your enhanced stack:
Any valid VLAN name and VLAN identifier (VID) can be used for the common VLAN, but it should be the same on all the switches in the stack.
A slave switch of an enhanced stack can be indirectly connected to the master switch through other switches, provided there is an uninterrupted path of the common VLAN from the slave switch to the master switch.
The Default_VLAN can be used as the common VLAN.
The common VLAN does not have to be dedicated solely to the enhanced stacking feature.
For background information on port-based and tagged virtual LANs, refer to “Overview” on page 249.

Master Switch and the Local Interface

Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to know which subnet to send its broadcast packets out of and to monitor for the management packets from the other switches and from remote management workstations.
Designating the common VLAN and subnet involves creating a routing interface on the master switch on the common subnet and designating it as the local interface. The concept of routing interfaces first appeared in the AT-9400 Switch with Layer 3 routing and the implementation of static routing and the Routing Information Protocol (RIP) versions 1 and 2.
An interface represents a logical connection to a network or subnet local to the switch for purposes of routing packets. To configure an interface, you assign it an IP address and subnet mask appropriate to the subnet where it will route packets, and add it to the VLAN that contains the subnet.
For the most part, routing interfaces are limited to the IPv4 packet routing feature and are unnecessary beyond that feature. There are, however, a few exceptions. One is the enhanced stacking feature. The rule is that the master switch of an enhanced stack must have at least one interface and the interface must be assigned to the common subnet that interconnects the switches of the stack. Furthermore, the interface must be designated as the switch’s local interface. The act of designating an interface as the local interface tells the switch which interface and which subnet it should use for the enhanced stacking feature.
For background information on the IPv4 routing feature, refer to Chapter 27, “Internet Protocol Version 4 Packet Routing” on page 299.

Slave Switches

The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the master switch.
A slave switch does not need a routing interface on the common VLAN if you use the Default_VLAN (VID 1) as the common VLAN. A routing interface in the common VLAN is required if you use any VLAN other than the Default_VLAN as the common VLAN of the switches in the stack.
The routing interface in the common VLAN on a slave switch does not have to be designated as the local interface. The only circumstance in which you might want to designate a local interface on a slave switch is if you want to be able to remotely manage the device independently of the enhanced stack. However, for the switch to remain part of an enhanced stack, the interface designated as the local interface must be in the common VLAN.
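The master and slave rules above, together with the common-VLAN path requirement and the 24-switch limit stated in this chapter, can be checked against a planned stack before it is cabled. The following is an added example, not code from Allied Telesis or the AT-S63 software; the `Switch` record, the link tuples and the sample plan are assumptions made for illustration, as is accepting a path to any master when a stack has more than one.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_VID = 1     # Default_VLAN
MAX_SWITCHES = 24   # limit from the enhanced stacking guidelines


@dataclass
class Switch:
    """Planning record for one switch (hypothetical model, not a device API)."""
    name: str
    role: str                                          # "master" or "slave"
    vlans: dict                                        # VID -> VLAN name on this switch
    interface_vids: set = field(default_factory=set)   # VLANs that have a routing interface
    local_vid: Optional[int] = None                    # VLAN of the designated local interface


def reachable_from_masters(switches, links, common_vid):
    """Names of switches reachable from any master over links carrying the common VLAN."""
    adjacent = {}
    for a, b, vids in links:
        if common_vid in vids:
            adjacent.setdefault(a, set()).add(b)
            adjacent.setdefault(b, set()).add(a)
    seen = {s.name for s in switches if s.role == "master"}
    queue = deque(sorted(seen))
    while queue:
        for peer in adjacent.get(queue.popleft(), ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def check_enhanced_stack(switches, links, common_vid):
    """Return a list of findings for a planned enhanced stack (empty list = plan is consistent)."""
    findings = []
    if not any(s.role == "master" for s in switches):
        findings.append("stack: no master switch")
    if len(switches) > MAX_SWITCHES:
        findings.append(f"stack: {len(switches)} switches exceeds {MAX_SWITCHES}")
    names = {s.vlans[common_vid] for s in switches if common_vid in s.vlans}
    if len(names) > 1:
        findings.append(f"stack: common VLAN {common_vid} has differing names {sorted(names)}")
    reachable = reachable_from_masters(switches, links, common_vid)
    for s in switches:
        if common_vid not in s.vlans:
            findings.append(f"{s.name}: common VLAN {common_vid} is not configured")
        has_interface = common_vid in s.interface_vids
        if s.role == "master":
            # A master needs an interface in the common VLAN, designated as local.
            if not has_interface:
                findings.append(f"{s.name}: master has no routing interface in the common VLAN")
            elif s.local_vid != common_vid:
                findings.append(f"{s.name}: common-VLAN interface is not the local interface")
        else:
            # A slave needs an interface only when the common VLAN is not Default_VLAN.
            if common_vid != DEFAULT_VID and not has_interface:
                findings.append(f"{s.name}: slave needs a routing interface in VLAN {common_vid}")
            # A local interface on a slave is optional, but must sit in the common VLAN.
            if s.local_vid is not None and s.local_vid != common_vid:
                findings.append(f"{s.name}: local interface is outside the common VLAN")
            if s.name not in reachable:
                findings.append(f"{s.name}: no uninterrupted common-VLAN path to a master")
    return findings


# Constructed sample plan: names, VIDs and links are invented for this example.
PLAN = [
    Switch("core", "master", {1: "Default_VLAN", 10: "Mgmt"}, {10}, 10),
    Switch("edge-a", "slave", {1: "Default_VLAN", 10: "Mgmt"}, {10}),
    Switch("edge-b", "slave", {1: "Default_VLAN", 10: "Mgmt"}),
    Switch("edge-c", "slave", {1: "Default_VLAN", 10: "Management", 20: "Users"}, {10, 20}, 20),
]
LINKS = [
    ("core", "edge-a", {1, 10}),
    ("edge-a", "edge-b", {1, 10}),   # edge-b reaches the master indirectly
    ("edge-b", "edge-c", {1}),       # VLAN 10 is not carried on this link
]

if __name__ == "__main__":
    for finding in check_enhanced_stack(PLAN, LINKS, common_vid=10):
        print(finding)
```

Running the same plan with `common_vid=1` shows the Default_VLAN exception: the slaves no longer need routing interfaces, but the master still does.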

Enhanced Stacking Compatibility

This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8000 Series, AT-8400 Series, and AT-8500 Series Switches. As such, an enhanced stack can consist of various switch models, though the following issues need to be considered when building this type of enhanced stack:
The management VLAN of an AT-8000 Series, AT-8400 Series, or AT-8500 Series Switch must be assigned to the common VLAN that interconnects the switches of the stack. For instructions on how to select the management VLAN on an AT-8000 Series, AT-8400 Series, or AT-8500 Series switch, refer to the appropriate user’s guide.
Though the master switch of an enhanced stack can be any switch that supports this feature, Allied Telesis recommends choosing the AT-9400 Switch to perform that role. To use an AT-8000 Series, AT-8400 Series, or AT-8500 Series switch as the master switch, you must assign it an IP address that is part of the same common subnet that interconnects the switches of the stack. For instructions on how to assign an IP address to an AT-8000 Series, AT-8400 Series, or AT-8500 Series switch, refer to the appropriate user’s guide.

Enhanced Stacking Guidelines

Here are the guidelines for using the enhanced stacking feature:
There can be up to 24 switches in an enhanced stack.
The switches in an enhanced stack must be connected with a common port-based or tagged VLAN. The VLAN must have the same name and VLAN identifier (VID) on each switch, and the switches must be connected using tagged or untagged ports of the VLAN.
A slave switch can be connected indirectly to the master switch through other switches so long as there is an uninterrupted path of the common VLAN from the master switch to the slave switch.
You must add a routing interface to the common VLAN on the master switch and designate it as the master switch’s local interface.
You do not need to create a routing interface in the common VLAN on the slave switches if you use the Default_VLAN (VID 1) as the common VLAN of the switches of a stack. A routing interface is required if you use any other VLAN as the common VLAN, but you do not have to designate it as the local interface.
You can create different stacks by connecting different groups of switches with different common VLANs and subnets.
An enhanced stack must have at least one master switch. You designate the master by changing its stacking status to Master.
An enhanced stack can consist of other Allied Telesis switches that support this feature, including the AT-8000, AT-8400, AT-8500, and AT-9400 Switches. For more information, refer to “Enhanced Stacking Compatibility” on page 62.
In order to manage the stack remotely using a Telnet or SSH client or a web browser, the remote management workstation must reach the master switch through the subnet of the switch’s local interface.
The IP address 172.16.16.16 is reserved for the enhanced stacking feature and must not be assigned to any device on your network.

General Steps

Here are the basic steps to implementing the enhanced stacking feature on the AT-9400 Switches in your network:
1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesis switch that supports this feature. In a stack with different switch models, Allied Telesis recommends using an AT-9400 Switch as the master switch. For further information, refer to “Enhanced Stacking Compatibility” on page 62.
2. On the switch chosen to be the master switch, change its stacking status to Master.
3. Create a common port-based or tagged VLAN on each switch and connect the devices using twisted pair or fiber optic ports of the VLAN. As mentioned earlier, the slave switches can be connected indirectly through other switches to the master switch, so long as there is an uninterrupted path of the common VLAN to the master switch. This step is not necessary if you use the Default_VLAN (VID 1) as the common VLAN.
4. On the master switch, assign a routing interface to the common VLAN.
5. On the master switch, designate the interface assigned to the common VLAN as the local interface.
6. On the slave switches, add a routing interface to the common VLAN. You do not need to designate it as the local interface. This step is not necessary if you use the Default_VLAN (VID 1) as the common VLAN.
Note
The initial configuration of the enhanced stacking feature on a master switch must be performed through a local management session.

Chapter 3

SNMPv1 and SNMPv2c

This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch. Sections in the chapter include:
“Supported Platforms” on page 66
“Overview” on page 67
“Community String Attributes” on page 68
“Default SNMP Community Strings” on page 70

Supported Platforms

This feature is supported on all AT-9400 Switches:
Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP
Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module: Not supported
This feature can be managed from all three management interfaces in the AT-S63 Management Software:
Command line interface
Menus interface
Web browser interface

Overview

You can manage a switch by viewing and changing the management information base (MIB) objects on the device with the Simple Network Management Protocol (SNMP). The AT-S63 Management Software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains SNMPv1 and SNMPv2c. For information on SNMPv3, refer to Chapter 19, “SNMPv3” on page 197.
To manage a switch using an SNMP application program, you must do the following:
Activate SNMP management on the switch. The default setting for SNMP management is disabled.
Load the Allied Telesis MIBs for the switch onto your management workstation containing the SNMP application program. The MIBs are available from the Allied Telesis web site at www.alliedtelesis.com.
To manage a switch using SNMP, you need to know the IP address of the switch or of the master switch of an enhanced stack and at least one of the switch’s community strings.
You can configure SNMPv1 and SNMPv2c with the SNMPv3 Table menus described in Chapter 19, “SNMPv3” on page 197. However, the SNMPv3 Table menus require a much more extensive configuration.

Community String Attributes

A community string has attributes for controlling who can use the string and what the string will allow a network manager to do on the switch. The community string attributes are defined below:
Community String Name
A community string must have a name of one to eight alphanumeric characters. Spaces are allowed.

Access Mode
This attribute defines the permissions of a community string. There are two access modes: Read and Read/Write. A community string with an access mode of Read can only be used to view but not change the MIB objects on a switch. A community string with a Read/Write access can be used to both view the MIB objects and change them.

Operating Status
A community string can be enabled or disabled. When disabled, no one can use it to access the switch. You might disable a community string if you suspect someone is using it for unauthorized access to the device. When a community string is enabled, then it is available for use.

Open or Closed Access Status
This feature controls which management stations on your network can use a community string. An open access status permits any network manager who knows the community string to use it. A closed access status restricts the string to those network managers who work at particular workstations, identified by their IP addresses. You specify the workstations by assigning the IP addresses of the workstations to the community string. A closed community string can have up to eight IP addresses of management workstations.
If you decide to activate SNMP management on the switch, it is a good idea to assign a closed status to all community strings that have a Read/Write access mode and then assign the IP addresses of your management workstations to those strings. This helps reduce the chance of someone gaining management access to a switch through a community string and making unauthorized configuration changes.

Trap Receivers
A trap is a signal sent to one or more management workstations by the switch to indicate the occurrence of a particular operating event on the device. There are numerous operating events that can trigger a trap. For instance, resetting the switch or the failure of a cooling fan are two examples of occurrences that cause a switch to send a trap to the management workstations. You can use traps to monitor activities on the switch.
Trap receivers are the devices, typically management workstations or servers, that you want to receive the traps sent by the switch. You specify the trap receivers by their IP addresses. You assign the IP addresses to the community strings.
Each community string can have up to eight trap IP addresses.
It does not matter which community strings you assign your trap receivers to. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all community strings. This is true even for community strings that have an access mode of only Read.
If you are not interested in receiving traps, then you do not need to enter any IP addresses of trap receivers.

Default SNMP Community Strings

The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write. If you activate SNMP management on the switch, you should delete or disable the private community string, which is a standard community string in the industry, or change its status from open to closed to prevent unauthorized changes to the switch.
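The community string attributes and the advice on the default strings, modelled as an added Python example (not Allied Telesis code and not AT-S63 syntax). The class and function names and the 192.0.2.x and 198.51.100.x addresses are constructed for illustration; the page does not say whether a disabled string's trap receivers are skipped, so this model includes them.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

MAX_ADDRESSES = 8  # per the page: up to eight manager IPs and eight trap receivers


@dataclass
class Community:
    name: str
    read_write: bool = False        # access mode: Read (False) or Read/Write (True)
    enabled: bool = True            # operating status
    open_access: bool = True        # open: any station; closed: listed managers only
    managers: list = field(default_factory=list)        # consulted only when closed
    trap_receivers: list = field(default_factory=list)

    def violations(self):
        """Return the limits stated on the page that this entry breaks."""
        found = []
        if not 1 <= len(self.name) <= 8:
            found.append("name must be one to eight characters")
        if not all(ch.isalnum() or ch == " " for ch in self.name):
            found.append("name must be alphanumeric (spaces allowed)")
        if len(self.managers) > MAX_ADDRESSES:
            found.append("more than eight manager addresses")
        if len(self.trap_receivers) > MAX_ADDRESSES:
            found.append("more than eight trap receivers")
        return found


def permits(table, community, source_ip, write=False):
    """Decide whether a request using `community` from `source_ip` is accepted."""
    entry = next((c for c in table if c.name == community), None)
    if entry is None or not entry.enabled:
        return False                # unknown or disabled string
    if write and not entry.read_write:
        return False                # a Read string cannot change MIB objects
    if entry.open_access:
        return True                 # open: knowing the string is enough
    return ip_address(source_ip) in {ip_address(m) for m in entry.managers}


def audit(table):
    """Flag entries that go against the limits and recommendations on the page."""
    findings = []
    for c in table:
        findings += [f"{c.name}: {v}" for v in c.violations()]
        if c.enabled and c.read_write and c.open_access:
            findings.append(f"{c.name}: Read/Write string with open access status")
    return findings


def trap_destinations(table):
    """Traps go to every receiver on every string, whatever its access mode."""
    return sorted({r for c in table for r in c.trap_receivers}, key=ip_address)


# The two default strings as the page describes them: both enabled and open.
FACTORY = [Community("public"), Community("private", read_write=True)]

# Constructed hardened table: the Read/Write string is closed to one workstation.
HARDENED = [
    Community("public", trap_receivers=["192.0.2.50"]),
    Community("private", read_write=True, open_access=False,
              managers=["192.0.2.10"], trap_receivers=["192.0.2.51"]),
]

if __name__ == "__main__":
    print("factory :", audit(FACTORY))
    print("hardened:", audit(HARDENED))
    print("traps   :", trap_destinations(HARDENED))
```
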

Chapter 4

MAC Address Table

This chapter contains background information about the MAC address table. This chapter contains the following section:
“Overview” on page 72

Overview

The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port number where each address was learned.
The switch learns the MAC addresses of the end nodes by examining the source address of each packet received on a port. It adds the address and port on which the packet was received to the MAC table if the address has not already been entered in the table. The result is a table that contains all the MAC addresses of the devices that are connected to the switch’s ports.
When the switch receives a packet, it also examines the destination address and, by referring to its MAC address table, determines the port where the destination node is connected. It then forwards the packet to the appropriate port and on to the end node. This increases network bandwidth by limiting each frame to the appropriate port when the intended end node is located, freeing the other switch ports for receiving and transmitting other packets.
If the switch receives a packet with a destination address that is not in the MAC address table, it floods the packet to all the ports on the switch, excluding the port where the packet was received. If the ports have been grouped into virtual LANs, the switch floods the packet only to those ports that belong to the same VLAN from where the packet originated. This prevents packets from being forwarded onto inappropriate LAN segments and increases network security. When the destination node responds, the switch adds its MAC address and port number to the table.
If the switch receives a packet with a destination address that is on the same port on which the packet was received, it discards the packet without forwarding it on to any port. Because both the source node and the destination node for the packet are located on the same port on the switch, there is no reason for the switch to forward the packet. This too increases network performance by preventing frames from being forwarded unnecessarily to other network devices.
The type of MAC address described above is referred to as a dynamic MAC address. Dynamic MAC addresses are addresses that the switch learns by examining the source MAC addresses of the frames received on the ports.
Dynamic MAC addresses are not stored indefinitely in the MAC address table. The switch deletes a dynamic MAC address from the table if it does not receive any frames from the node after a specified period of time. The switch assumes that the node with that MAC address is no longer active and that its MAC address can be purged from the table. This prevents the MAC address table from becoming filled with addresses of nodes that are no longer active.
The period of time that the switch waits before purging an inactive dynamic MAC address is called the aging time. This value is adjustable on the AT-9400 Switch. The default value is 300 seconds (5 minutes).
The MAC address table can also store static MAC addresses. A static MAC address is a MAC address of an end node that you assign to a switch port manually. A static MAC address remains in the table indefinitely and is never deleted, even when the end node is inactive.
You might need to enter static MAC addresses of end nodes the switch does not learn in its normal dynamic learning process, or if you want a MAC address to remain permanently in the table, even when the end node is inactive.
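The learning, forwarding, flooding, discard and aging rules of this overview, replayed over a short trace as an added Python example (not the switch's own code). The class, the trace and the MAC addresses are constructed; how the switch treats a node that moves to another port, or a static address seen as a source, is not described on the page and is an assumption in the code.

```python
AGING_TIME = 300  # seconds, the default aging time given on the page


class MacTable:
    """MAC address table with dynamic learning, aging and static entries."""

    def __init__(self, vlan_ports, aging_time=AGING_TIME):
        self.vlan_ports = vlan_ports    # {VID: set of member ports}
        self.aging_time = aging_time
        self.dynamic = {}               # MAC -> (port, time last seen as a source)
        self.static = {}                # MAC -> port; never aged out

    def add_static(self, mac, port):
        self.static[mac.lower()] = port
        self.dynamic.pop(mac.lower(), None)

    def purge(self, now):
        """Delete dynamic entries whose node has sent nothing for the aging time."""
        for mac, (_port, seen) in list(self.dynamic.items()):
            if now - seen >= self.aging_time:
                del self.dynamic[mac]

    def lookup(self, mac):
        mac = mac.lower()
        if mac in self.static:
            return self.static[mac]
        entry = self.dynamic.get(mac)
        return entry[0] if entry else None

    def receive(self, now, src, dst, in_port, vid):
        """Process one frame and return the sorted list of egress ports."""
        self.purge(now)
        src = src.lower()
        if src not in self.static:
            # Learn the source, or refresh its timestamp. Assumption: a node
            # seen on a new port replaces its old dynamic entry, and a static
            # entry is never overwritten; the page covers neither case.
            self.dynamic[src] = (in_port, now)
        out = self.lookup(dst)
        if out is None:
            # Unknown destination: flood within the ingress VLAN only.
            return sorted(self.vlan_ports[vid] - {in_port})
        if out == in_port:
            return []       # destination is on the ingress port: discard
        return [out]


# Constructed addresses (RFC 7042 documentation range) and a constructed trace.
A, B, C, D, E, F, S = (f"00:00:5e:00:53:{n:02x}" for n in range(1, 8))
TRACE = [
    # (time, source, destination, ingress port, VID)
    (0,    A, B, 1, 1),     # B unknown: flood VLAN 1
    (1,    B, A, 2, 1),     # A was learned on port 1
    (2,    A, B, 1, 1),     # B was learned on port 2
    (3,    C, A, 1, 1),     # A and C share port 1: discard
    (301,  D, B, 3, 1),     # B silent for 300 s: aged out, flood again
    (302,  E, F, 5, 2),     # unknown in VLAN 2: flood stays inside VLAN 2
    (5000, D, S, 3, 1),     # static entry is still present
]


def replay(trace=TRACE):
    switch = MacTable({1: {1, 2, 3, 4}, 2: {5, 6}})
    switch.add_static(S, 4)
    return [switch.receive(*frame) for frame in trace]


if __name__ == "__main__":
    for frame, ports in zip(TRACE, replay()):
        print(frame, "->", ports or "discard")
```
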

Chapter 5

Static Port Trunks

This chapter describes static port trunks. Sections in the chapter include:
“Supported Platforms” on page 76
“Overview” on page 77
“Load Distribution Methods” on page 78
“Guidelines” on page 80

Supported Platforms

This feature is supported on all AT-9400 Switches:
Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP
Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module: Supported
This feature can be managed from all three management interfaces:
Command line interface
Menus interface
Web browser interface

Overview

A static port trunk is a group of two to eight ports that function as a single virtual link between the switch and another device. Traffic is distributed across the ports to improve performance and enhance reliability by reducing the reliance on a single physical link.
A static port trunk is easy to configure. You simply designate the ports of the trunk and the management software automatically groups them together. You can also control how traffic is distributed over the trunk ports, as described in “Load Distribution Methods” on page 78. The example in Figure 1 illustrates a static port trunk of four links between two AT-9400 Switches.
Figure 1. Static Port Trunk Example (two AT-9424T/SP Gigabit Ethernet Switches joined by a static port trunk)
Redundancy and link backup are not supported in a static trunk. If a link is lost on a port, the trunk’s total bandwidth is reduced. Although the traffic carried by the lost link is shifted to one of the remaining ports in the trunk, the bandwidth remains reduced until the lost link is reestablished or another port is added to the trunk.
Network equipment vendors tend to employ different techniques for static trunks on their products. Consequently, a static trunk on one device might not be compatible with the same feature on a device from a different manufacturer. For this reason, static trunks are typically employed only between devices from the same vendor.

Load Distribution Methods

This section discusses load distribution methods and applies to both static and LACP port trunks.
One of the steps to creating a static or LACP port trunk is selecting a load distribution method, which determines how the switch distributes the traffic load across the ports in the trunk. The AT-S63 Management Software offers the following load distribution methods:
Source MAC Address (Layer 2)
Destination MAC Address (Layer 2)
Source MAC Address / Destination MAC Address (Layer 2)
Source IP Address (Layer 3)
Destination IP Address (Layer 3)
Source IP Address / Destination IP Address (Layer 3)
The load distribution methods examine the last three bits of a packet’s MAC or IP address and compare the bits against mappings assigned to the ports in the trunk. The port mapped to the matching bits is selected as the transmission port for the packet.
In cases where you select a load distribution that employs either a source or destination address but not both, only the last three bits of the designated address are used in selecting a transmission port in a trunk. If you select one of the two load distribution methods that employs both source and destination addresses, port selection is achieved through an XOR operation of the last three bits of both addresses.
As an example, assume you created a static or LACP aggregate trunk of Ports 7 to 14 on a switch. The table below shows the mappings of the switch ports to the possible values of the last three bits of a MAC or IP address.
Last 3 Bits    Trunk Port
000 (0)        7
001 (1)        8
010 (2)        9
011 (3)        10
100 (4)        11
101 (5)        12
110 (6)        13
111 (7)        14
Assume you selected source MAC address as the load distribution method and that the switch needed to transmit over the trunk a packet with a source MAC address that ended in 9. The binary equivalent of 9 is 1001, making the last three bits of the address 001. An examination of the table above indicates that the switch would use Port 8 to transmit the frame because that port is mapped to the matching bits.
A similar method is used for the two load distribution methods that employ both the source and destination addresses. Only here the last three bits of both addresses are combined by an XOR process to derive a single value which is then compared against the mappings of the bits to ports. The XOR rules are as follows:
0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0
As an example, assume you had selected source and destination MAC addresses for the load distribution method in our previous example, and that a packet for transmission over the trunk had a source MAC address that ended in 9 and a destination address that ended in 3. The binary values would be:
9 = 1001
3 = 0011
Applying the XOR rules above on the last three bits would result in 010, or 2. An examination of the table above shows that the packet would be transmitted from port 9.
Port trunk mappings on the AT-9400 Switch can consist of up to eight ports. This corresponds to the maximum number of ports allowed in a static trunk and the maximum number of active ports in an LACP trunk. Inactive ports in an LACP trunk are not applied to the mappings until they transition to the active status.
You can assign different load distribution methods to different static trunks on the same switch. The same is true for LACP aggregators. However, it should be noted that all aggregate trunks within an LACP aggregator must use the same load distribution method.
The load distribution methods assume that the final three bits of the source and/or destination addresses of the packets from the network nodes are varied enough to support efficient distribution of the packets over the trunk ports. A lack of variation can result in one or more ports in a trunk being used more than others, with the potential loss of a trunk’s efficiency and performance.
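The port selection described in this section, and the uneven spread the last paragraph warns about, as an added Python example (not the switch's own code). The method labels, function names and the flows are constructed; only the eight-port mapping shown in the table above is modelled, because the page does not give the mapping for smaller trunks.

```python
from collections import Counter
from ipaddress import IPv4Address

# Labels chosen for this example; the page names the methods in words.
METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def mac_low3(mac):
    """Last three bits of a MAC address written as aa:bb:cc:dd:ee:ff."""
    return int(mac.replace("-", ":").split(":")[-1], 16) & 0b111


def ip_low3(ip):
    """Last three bits of a dotted-decimal IPv4 address."""
    return int(IPv4Address(ip)) & 0b111


def selector(method, frame):
    """Three-bit value that is compared against the port mappings."""
    if method not in METHODS:
        raise ValueError(f"unknown load distribution method: {method}")
    *sides, layer = method.split("-")          # e.g. ["src", "dst"], "mac"
    low3 = mac_low3 if layer == "mac" else ip_low3
    bits = 0
    for side in sides:                         # one address, or XOR of both
        bits ^= low3(frame[f"{side}_{layer}"])
    return bits


def egress_port(trunk_ports, method, frame):
    """Trunk port that transmits the frame under the given method."""
    ports = sorted(trunk_ports)
    if len(ports) != 8:
        # The page only gives the mapping for a full eight-port trunk.
        raise ValueError("this example covers the eight-port mapping only")
    return ports[selector(method, frame)]


def distribution(trunk_ports, method, frames):
    """Number of frames per trunk port, as {port: count}."""
    counts = Counter(egress_port(trunk_ports, method, f) for f in frames)
    return dict(sorted(counts.items()))


TRUNK = range(7, 15)    # ports 7 to 14, as in the page's example

# Constructed flows: four clients whose addresses all end in binary 000,
# each talking to four servers (RFC 5737 documentation addresses).
FLOWS = [
    {"src_ip": f"192.0.2.{c}", "dst_ip": f"198.51.100.{s}"}
    for c in (8, 16, 24, 32) for s in (1, 2, 3, 4)
]

if __name__ == "__main__":
    for method in ("src-ip", "dst-ip", "src-dst-ip"):
        print(f"{method:11}", distribution(TRUNK, method, FLOWS))
```

With these flows the source IP method sends all 16 frames out of port 7, while either method that includes the destination address spreads them over ports 8 to 11.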

Guidelines

The following guidelines apply to static trunks:
Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility.
A static trunk can have up to eight ports.
Stand-alone switches can support up to six static and LACP trunks at a time (for example, four static trunks and two LACP trunks). An LACP trunk is counted against the maximum number of trunks only when it is active.
Stacks of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module can support up to six static port trunks.
The ports of a static trunk must be of the same type, either twisted pair or fiber optic.
The ports of a trunk can be either consecutive (for example, ports 5-9) or nonconsecutive (for example, ports 4, 8, 11, 20).
The ports of static port trunks on stand-alone switches or switches in an enhanced stack must be from the same switch.
The ports of a static port trunk in a stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module can be from different switches in the same stack.
Before creating a port trunk, examine the speed, duplex mode, flow control, and back pressure settings of the lowest numbered port to be in the trunk. Verify that its settings are correct for the device to which the trunk will be connected. When you create a static port trunk, the management software copies the current settings of the lowest numbered port in the trunk to the other ports, because all ports in a static trunk must have the same settings. For example, if you create a port trunk consisting of ports 5 to 8, the parameter settings for port 5 are copied to ports 6, 7, and 8 so that all the ports of the trunk have the same settings.
After creating a port trunk, do not change the speed, duplex mode, flow control, or back pressure of any port in the trunk without also changing the other ports.
A port can belong to only one static trunk at a time.
A port cannot be a member of a static trunk and an LACP trunk at the same time.
The ports of a static trunk must be untagged members of the same VLAN. A trunk cannot consist of untagged ports from different VLANs.
The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown destination. For example, a trunk of ports 11 to 15 would use port 11 for broadcast packets.

Chapter 6

LACP Port Trunks

This chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the chapter include:
“Supported Platforms” on page 82
“Overview” on page 83
“LACP System Priority” on page 87
“Adminkey Parameter” on page 88
“LACP Port Priority Value” on page 88
“Load Distribution Methods” on page 89
“Guidelines” on page 90

Supported Platforms

This feature is supported on the following AT-9400 Switches:
Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP
Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module: Not supported
This feature can be managed from two of the management interfaces:
Command line interface
Menus interface

Overview

LACP (Link Aggregation Control Protocol) port trunks perform the same function as static trunks. They increase the bandwidth between network devices by distributing the traffic load over multiple physical links. The advantage of an LACP trunk over a static port trunk is its flexibility. While implementations of static trunking tend to be vendor specific, the implementation of LACP in the AT-S63 Management Software is compliant with the IEEE 802.3ad standard, making it interoperable with equipment from other vendors that also comply with the standard. Therefore, you can create an LACP trunk between an Allied Telesis device and network devices from other manufacturers.
Another advantage is that ports in an LACP trunk can function in a standby mode. This adds redundancy and resiliency to the trunk. If a link in a static trunk goes down, the overall bandwidth of the trunk is reduced until the link is reestablished or another port is added to the trunk. In contrast, an LACP trunk can automatically activate ports in a standby mode when an active link fails so that the maximum possible bandwidth of the trunk is maintained.
For example, assume you create an LACP trunk of ports 11 to 20 on a switch and the switch is using ports 11 to 18 as the active ports and ports 19 and 20 as reserve. If an active port loses its link, the switch automatically activates one of the reserve ports to maintain maximum bandwidth of the trunk.
The main component of an LACP trunk is an aggregator. An aggregator is a group of ports on the switch. The ports in an aggregator are further grouped into one or more trunks, referred to as aggregate trunks.
An aggregate trunk can consist of any number of ports on a switch, but only a maximum of eight ports can be active at a time. If an aggregate trunk contains more ports than can be active at one time, the extra ports are placed in a standby mode. Ports in the standby mode do not pass network traffic, but they do transmit and accept LACP data unit (LACPDU) packets, which the switch uses to search for LACP-compliant devices.
Only ports on a switch that are part of an aggregator transmit LACPDU packets. If a switch port that is part of an aggregator does not receive LACPDU packets from its corresponding port on the other device, it assumes that the other port is not part of an LACP trunk. Instead, it functions as a normal Ethernet port by forwarding network traffic. However, it does continue to send LACPDU packets. If it begins to receive LACPDU packets, it automatically transitions to an active or standby mode as part of an aggregate trunk.
If there will be more than one aggregate trunk on a switch, each trunk might require a separate aggregator or it might be possible to combine them into a common aggregator. The determining factor will be whether the trunks are going to the same device or different devices. If the trunks are going to the same device, each must have its own aggregator. If they are going to different devices, the trunks can be members of a common aggregator. In the latter situation, the switch will differentiate the individual aggregate trunks.
Here are two examples. Figure 2 illustrates the AT-9400 Switch with two LACP trunks, each containing three links. Because both aggregate trunks go to the same 802.3ad-compliant device, in this case another Gigabit Ethernet switch, each trunk requires a separate aggregator.
Figure 2. Example of Multiple Aggregators for Multiple Aggregate Trunks (AT-9400 Switch with ports 1-3 in Aggregator 1 and ports 12-14 in Aggregator 2; both aggregate trunks go to the same 802.3ad-compliant Ethernet switch)
Here is how the example looks in a table format.
Aggregator Description    Aggregator Ports    Aggregate Trunk Ports
Aggregator 1              1-3                 1-3
Aggregator 2              12-14               12-14
Caution
The example cited here illustrates a loop in a network. Avoid network loops to prevent broadcast storms.
If the aggregate trunks go to different devices, you can create one aggregator and the AT-9400 Switch will form the trunks for you automatically. This is illustrated in Figure 3 where the ports of two aggregate trunks on the AT-9400 Switch are members of the same aggregator. It is the switch that determines that there are actually two separate aggregate trunks.
Figure 3. Example of an Aggregator with Multiple Trunks (AT-9400 Switch with ports 1-3 and 12-14 in Aggregator 1; the aggregate trunks in the common aggregator go to an 802.3ad-compliant Ethernet switch and an 802.3ad-compliant server)
Here is how this example looks in table format.
Aggregator Description    Aggregator Ports    Aggregate Trunk Ports
Aggregator 1              1-3, 12-14          1-3
                                              12-14
You could, if you wanted, create separate aggregators for the different aggregate trunks in the example above. But letting the switch make the determination for you whenever possible saves time later if you physically reassign ports to a different trunk connected to another device.

LACP System Priority

It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports are to be active and which are to be in standby.
If a conflict does occur, the two devices need a mechanism for resolving the problem and deciding whose LACP settings are to take precedence. This is the function of the system LACP priority value. A hexadecimal value from 1 to FFFF, this parameter is used whenever the devices encounter a conflict creating a trunk. The lower the number, the higher the priority. The settings on the device with the higher priority take precedence over the settings on the other device. If both devices have the same system LACP priority value, the settings on the switch with the lowest MAC address take precedence.
This parameter can prove useful when connecting an aggregate trunk between the AT-9400 Switch and another 802.3ad-compliant device that does not have the same LACP trunking capabilities. If the other device’s capability is less than that of the AT-9400 Switch, you should give that device the higher priority so its settings are used by both devices when forming the trunk.
For example, an aggregate trunk of six links between an AT-9400 Switch and an 802.3ad-compliant device that supported up to four active links at one time could possibly result in a conflict. The AT-9400 Switch would try to use all six links as active, because it can handle up to eight active links in a trunk at one time, while the other device would want to use only four ports as active. By giving the other 802.3ad device the higher priority, the conflict is avoided because the AT-9400 Switch would use only four active links, as directed by the other 802.3ad-compliant device. The other ports would remain in the standby mode.

Adminkey Parameter

The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is restricted to a switch. Two aggregators on different switches can have the same adminkey without generating a conflict.

LACP Port Priority Value

The switch uses a port’s LACP priority to determine which ports are to be active and which in the standby mode in situations where the number of ports in the aggregate trunk exceeds the highest allowed number of active ports. This parameter is a hexadecimal value in a range of 1 to FFFF, based on the port number. For instance, the priority values for ports 2 and 11 are 0002 and 000B, respectively. The lower the number, the higher the priority. Ports with the highest priorities are designated as the active ports in an aggregate trunk.
For example, if both 802.3ad-compliant devices support up to eight active ports and there are a total of ten ports in the trunk, the eight ports with the highest priorities (lowest priority values) are designated as the active ports, and the others are placed in the standby mode. If the link goes down on an active port, the standby port with the next highest priority is automatically activated to take its place.
The selection of the active links in an aggregate trunk is dynamic and will change as links are added, removed, lost or reestablished. For example, if an active port loses its link and is replaced by another port in the standby mode, the reestablishment of the link on the originally active port causes the port to return to the active state by virtue of having a higher priority than the replacement port, which returns to the standby mode.
A port’s priority value is not adjustable.
Two conditions must be met in order for a port in an aggregate trunk to function in the standby mode. First, the number of ports in the trunk must exceed the highest allowed number of active ports and, second, the port must be receiving LACPDU packets from the other device. A port functioning in the standby mode does not forward network traffic, but does continue to send LACPDU packets. If a port that is part of an aggregator does not receive LACPDU packets, it functions as a normal Ethernet port and forwards network packets along with LACPDU packets.
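The selection rules from “LACP System Priority” and “LACP Port Priority Value”, shown as an added example that is not part of the AT-S63 documentation or software. It is a simplified Python model that assumes the controlling device's active-port limit applies to the whole trunk and that port priority equals the local port number; the device names, priorities and MAC addresses are constructed, and the state label "regular" is this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    system_priority: int  # 0x0001-0xFFFF; lower value = higher priority
    mac: str              # tie-breaker: lowest MAC address wins
    max_active: int       # most active ports the device supports per trunk

def controlling_device(a, b):
    """Return the device whose LACP settings take precedence."""
    def rank(d):
        return (d.system_priority, bytes.fromhex(d.mac.replace(":", "")))
    return min(a, b, key=rank)

def port_states(members, link_up, lacpdu_seen, local, remote):
    """Classify each aggregator member port on the local switch."""
    limit = controlling_device(local, remote).max_active
    states, active = {}, 0
    # Port priority equals the port number, so ascending order is priority order.
    for port in sorted(members):
        if port not in link_up:
            states[port] = "down"
        elif port not in lacpdu_seen:
            # No LACPDUs received: forwards as a regular Ethernet port.
            states[port] = "regular"
        elif active < limit:
            states[port] = "active"
            active += 1
        else:
            states[port] = "standby"
    return states

if __name__ == "__main__":
    # Constructed sample: six-link trunk, peer limited to four active links.
    switch = Device("AT-9400", 0x8000, "00:00:5e:00:53:01", 8)
    peer = Device("peer", 0x0001, "00:00:5e:00:53:02", 4)
    ports = set(range(1, 7))
    print(port_states(ports, ports, ports, switch, peer))
    print(port_states(ports, ports - {2}, ports, switch, peer))  # port 2 down
    print(port_states(ports, ports, ports - {6}, switch, peer))  # 6 hears no LACPDUs
```

A member port reported as "regular" is forwarding traffic outside the trunk, which is the state to look for when LACP is not active on the remote device.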

Load Distribution Methods

The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to assign different load distribution methods to different aggregate trunks, you must create a separate aggregator for each trunk. For further information, refer to “Load Distribution Methods” on page 78.

Guidelines

The following guidelines apply to creating aggregators:
LACP must be activated on both the switch and the other device.
The other device must be 802.3ad-compliant.
An aggregator can consist of any number of ports.
The AT-S63 Management Software supports up to eight active ports in an aggregate trunk at a time.
The AT-9400 Switch can support up to six static and LACP aggregate trunks at a time (for example, four static trunks and two LACP trunks). An LACP trunk is counted against the maximum number of trunks only when it is active.
The ports of an aggregate trunk must be the same medium type: all twisted pair ports or all fiber optic ports.
The ports of a trunk can be consecutive (for example, ports 5-9) or nonconsecutive (for example, ports 4, 8, 11, 20).
A port can belong to only one aggregator at a time.
A port cannot be a member of an aggregator and a static trunk at the same time.
The ports of an aggregate trunk must be untagged members of the same VLAN.
10/100/1000Base-TX twisted pair ports must be set to Auto-Negotiation or 100 Mbps, full-duplex mode. LACP trunking is not supported in half-duplex mode.
100Base-FX fiber optic ports must be set to full-duplex mode.
You can create an aggregate trunk of transceivers with 1000Base-X fiber optic ports.
Only those ports that are members of an aggregator transmit LACPDU packets.
The load distribution method is applied at the aggregator level. To assign different load distribution methods to aggregate trunks, you must create a separate aggregator for each trunk. For further information, refer to “Load Distribution Methods” on page 78.
A member port of an aggregator functions as part of an aggregate trunk only if it receives LACPDU packets from the remote device. If it does not receive LACPDU packets, it functions as a regular Ethernet port, forwarding network traffic while also continuing to transmit LACPDU packets.
The port with the highest priority in an aggregate trunk carries broadcast packets and packets with an unknown destination.
When creating a new aggregator, you can specify either a name for the aggregator or an adminkey, but not both. If you specify a name, the adminkey is based on the operator key of the lowest numbered port in the aggregator. If you specify an adminkey, the default name is DEFAULT_AGG followed by the port number of the lowest numbered port in the aggregator. For example, an aggregator of ports 12 to 16 is assigned the default name DEFAULT_AGG12.
Prior to creating an aggregate trunk between an Allied Telesis device and another vendor’s device, refer to the vendor’s documentation to determine the maximum number of active ports the device can support in a trunk. If the number is less than eight, the maximum number for the AT-9400 Switch, you should probably assign it a higher system LACP priority than the AT-9400 Switch. If it is more than eight, assign the AT-9400 Switch the higher priority. This can help avoid a possible conflict between the devices if some ports are placed in the standby mode when the devices create the trunk. For background information, refer to “LACP System Priority” on page 87.
LACPDU packets are transmitted as untagged packets.

Chapter 7

Port Mirror

This chapter explains the port mirror feature. Sections in the chapter include:
“Supported Platforms”
“Overview”
“Guidelines”

Supported Platforms

This feature is supported on all AT-9400 Switches:
Layer 2+ Models
    AT-9408LC/SP
    AT-9424T/GB
    AT-9424T/SP
Basic Layer 3 Models
    AT-9424T
    AT-9424Ts
    AT-9424Ts/XP
    AT-9448T/SP
    AT-9448Ts/XP
Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module
    Supported
This feature can be managed from all three management interfaces:
Command line interface
Menus interface
Web browser interface

Overview

The port mirror feature allows for the unobtrusive monitoring of ingress or egress traffic on one or more ports on a switch, without impacting network performance or speed. It copies the traffic from specified ports to another switch port where the traffic can be monitored with a network analyzer.
The port(s) whose traffic is mirrored is called the source port(s). The port where the traffic is copied to is referred to as the destination port.

Guidelines

Observe the following guidelines when creating a port mirror:
A standalone switch can have only one destination port.
A stack of Basic Layer 3 switches and the AT-StackXG Stacking Module can have only one destination port.
You can mirror more than one source port at a time. However, the destination port may have to discard packets if the source ports are very active.
In a stand-alone switch the source and destination ports must be located on the same switch.
For a stack of Basic Layer 3 switches and the AT-StackXG Stacking Module, the destination and source ports of a port mirror can be located on different switches in the same stack.
You can mirror the ingress or egress traffic of the source ports, or both.
To create a mirror port for the Denial of Service defenses, specify only the destination port for the mirrored traffic. The management software automatically determines the source ports.

Section II

Advanced Operations

This section contains the following chapters:
Chapter 8, “File System”
Chapter 9, “Event Logs and the Syslog Client”
Chapter 10, “Classifiers”
Chapter 11, “Access Control Lists”
Chapter 12, “Class of Service”
Chapter 13, “Quality of Service”
Chapter 14, “Denial of Service Defenses”

Chapter 8

File System

This chapter explains the switch’s file system and contains the following sections:
“Overview”
“Boot Configuration Files”
“File Naming Conventions”
“Using Wildcards to Specify Groups of Files”

Overview

The AT-9400 Switch has a file system in flash memory for storing system files. You can view a list of the files as well as copy, rename, and delete files. For those AT-9400 Switches that support a compact flash memory card, you can perform the same functions on the files stored on a flash card, as well as copy files between the switch’s file system and a flash card.
The file system supports the following file types:
Configuration files
Public keys
CA and self-signed certificates
Certificate enrollment requests
Event logs
For an explanation of a boot configuration file, refer to “Boot Configuration Files” on page 101.
Public encryption keys, public certificates, and certificate enrollment request files are related to the Secure Sockets Layer (SSL) certificates feature described in Chapter 33, “Encryption Keys” on page 387 and Chapter 34, “PKI Certificates and SSL” on page 397. Refer to those chapters for background information on those files.
Note
The certificate file, certificate enrollment request file, and key file are supported only on the version of AT-S63 Management Software that features SSL and PKI security.
Note
The file system may contain one or more ENC.UKF files. These are encryption key pairs. These files cannot be deleted, copied, or exported from the file system. For further information, refer to Chapter 33, “Encryption Keys” on page 387.