Allied Telesis AT-S63 User Manual

Browse online or download User Manual for Network switches Allied Telesis AT-S63. Allied Telesis AT-S63 User's Manual

613-001022 Rev. C
Management
Software
AT-S63
Features Guide
For Stand-alone AT-9400 Switches
and AT-9400Ts Stacks
AT-S63 Version 2.2.0 for AT-9400 Layer 2+ Switches
AT-S63 Version 4.1.0 for AT-9400 Basic Layer 3 Switches

Summary of Contents

Page 1 - Features Guide

613-001022 Rev. C Management Software AT-S63 ◆ Features Guide For Stand-alone AT-9400 Switches and AT-9400Ts Stacks AT-S63 Version 2.2.0 for AT-9400 Layer 2+

Page 2

Contents10Section VIII: Port Security ...413Chapter 35: MAC Address-

Page 3

Chapter 5: MAC Address Table100 Section I: Basic Operations

Page 4

Section I: Basic Operations 101Chapter 6Static Port TrunksThis chapter describes static port trunks. Sections in the chapter include: “Supported Plat

Page 5

Chapter 6: Static Port Trunks102 Section I: Basic OperationsSupported PlatformsRefer to Table 33 and Table 34 for the AT-9400 Switches and the managem

Page 6

AT-S63 Management Software Features GuideSection I: Basic Operations 103OverviewA static port trunk is a group of two to eight ports that function as

Page 7

Chapter 6: Static Port Trunks104 Section I: Basic OperationsLoad Distribution MethodsThis section discusses the load distribution methods of static po

Page 8

AT-S63 Management Software Features GuideSection I: Basic Operations 105A similar method is used for the two load distribution methods that employ bot

Page 9

Chapter 6: Static Port Trunks106 Section I: Basic OperationsGuidelinesHere are the guidelines to static trunks: Allied Telesis recommends limiting st

Page 10 - Contents

Section I: Basic Operations 107Chapter 7LACP Port TrunksThis chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the ch

Page 11

Chapter 7: LACP Port Trunks108 Section I: Basic OperationsSupported PlatformsRefer to Table 35 and Table 36 for the AT-9400 Switches and the managemen

Page 12

AT-S63 Management Software Features GuideSection I: Basic Operations 109OverviewLACP (Link Aggregation Control Protocol) port trunks perform the same

Page 13

AT-S63 Management Software Features Guide11Chapter 39: PKI Certificates and SSL ...

Page 14

Chapter 7: LACP Port Trunks110 Section I: Basic OperationsLACP System PriorityIt is possible for two devices interconnected by an aggregate trunk to e

Page 15

AT-S63 Management Software Features GuideSection I: Basic Operations 111Adminkey ParameterThe adminkey is a hexadecimal value from 1 to FFFF that iden

Page 16

Chapter 7: LACP Port Trunks112 Section I: Basic OperationsLoad Distribution MethodsThe load distribution method determines the manner in which the swi

Page 17

AT-S63 Management Software Features GuideSection I: Basic Operations 113GuidelinesThe following guidelines apply to creating aggregators: LACP must b

Page 18

Chapter 7: LACP Port Trunks114 Section I: Basic Operations When creating a new aggregator, you can specify either a name for the aggregator or an adm

Page 19

Section I: Basic Operations 115Chapter 8Port MirrorThis chapter explains the port mirror feature. Sections in the chapter include: “Supported Platfor

Page 20

Chapter 8: Port Mirror116 Section I: Basic OperationsSupported PlatformsRefer to Table 37 and Table 38 for the AT-9400 Switches and the management int

Page 21

AT-S63 Management Software Features GuideSection I: Basic Operations 117OverviewThe port mirror feature allows for the unobtrusive monitoring of ingre

Page 22 - How This Guide is Organized

Chapter 8: Port Mirror118 Section I: Basic Operations

Page 23

Section I: Basic Operations 119Chapter 9Link-flap ProtectionThis chapter explains link-flap protection. The sections in this chapter include: “Suppor

Page 24

Contents12Internet Protocol Version 4 Packet Routing...

Page 25 - Product Documentation

Chapter 9: Link-flap Protection120 Section I: Basic OperationsSupported PlatformsRefer to Table 39 and Table 40 for the AT-9400 Switches and the manag

Page 26 - Where to Go First

AT-S63 Management Software Features GuideSection I: Basic Operations 121OverviewA port that is unable to maintain a reliable connection to a network n

Page 27 - Starting a Management Session

Chapter 9: Link-flap Protection122 Section I: Basic OperationsGuidelinesHere are the guidelines to link-flap protection: The rate and duration are se

Page 28 - Document Conventions

AT-S63 Management Software Features GuideSection I: Basic Operations 123Configuring the FeatureHere are the commands that are used to configure the li

Page 29 - Contacting Allied Telesis

Chapter 9: Link-flap Protection124 Section I: Basic Operations

Page 30

Section II: Advanced Operations 125Section IIAdvanced OperationsThis section contains the following chapters: Chapter 10, ”File System” on page 127

Page 31 - Basic Operations

126 Section II: Advanced Operations

Page 32

Section II: Advanced Operations 127Chapter 10File SystemThe chapter explains the switch’s file system and contains the following sections: “Overview”

Page 33

Chapter 10: File System128 Section II: Advanced OperationsOverviewThe AT-9400 Switch has a file system in flash memory for storing system files. You c

Page 34 -  Basic Layer 3 Switches

AT-S63 Management Software Features GuideSection II: Advanced Operations 129File Naming ConventionsThe flash memory file system is a flat file system—

Page 35

AT-S63 Management Software Features Guide13Appendix D: MIB Objects ...

Page 36

Chapter 10: File System130 Section II: Advanced OperationsUsing Wildcards to Specify Groups of FilesYou can use the asterisk character (*) as a wildca

Page 37

Section II: Advanced Operations 131Chapter 11Event Logs and the Syslog ClientThis chapter describes how to monitor the activity of a switch by viewing

Page 38

Chapter 11: Event Logs and the Syslog Client132 Section II: Advanced OperationsSupported PlatformsRefer to Table 42 and Table 43 for the AT-9400 Switc

Page 39

AT-S63 Management Software Features GuideSection II: Advanced Operations 133OverviewA managed switch is a complex piece of computer equipment that inc

Page 40 - AT-S63 Management Software

Chapter 11: Event Logs and the Syslog Client134 Section II: Advanced OperationsSyslog ClientThe management software features a syslog client to send e

Page 41 - Management Interfaces

Section II: Advanced Operations 135Chapter 12ClassifiersThis chapter explains classifiers for access control lists and Quality of Service policies. Th

Page 42

Chapter 12: Classifiers136 Section II: Advanced OperationsSupported PlatformsRefer to Table 44 and Table 45 for the AT-9400 Switches and the managemen

Page 43

AT-S63 Management Software Features GuideSection II: Advanced Operations 137OverviewA classifier defines a traffic flow. A traffic flow consists of pa

Page 44

Chapter 12: Classifiers138 Section II: Advanced Operationsis dictated by the QoS policy, as explained in Chapter 15, “Quality of Service” on page 165.

Page 45

AT-S63 Management Software Features GuideSection II: Advanced Operations 139Classifier CriteriaThe components of a classifier are defined in the follo

Page 46

Contents14

Page 47 - Management Access Methods

Chapter 12: Classifiers140 Section II: Advanced OperationsFigure 5. User Priority and VLAN Fields within an Ethernet FrameYou can identify a traffic f

Page 48

AT-S63 Management Software Features GuideSection II: Advanced Operations 141Observe the following guidelines when using this variable: When selecting

Page 49 - Manager Access Levels

Chapter 12: Classifiers142 Section II: Advanced OperationsObserve these guidelines when using this criterion: The Protocol variable must be left blan

Page 50

AT-S63 Management Software Features GuideSection II: Advanced Operations 143Observe this guideline when using these criteria: The Protocol variable m

Page 51 - IP Configuration

Chapter 12: Classifiers144 Section II: Advanced OperationsGuidelinesFollow these guidelines when creating a classifier: Each classifier represents a

Page 52 - Configuration Files

Section II: Advanced Operations 145 Chapter 13 Access Control Lists This chapter describes access control lists (ACL) and how they can improve network se

Page 53 - Redundant Twisted Pair Ports

Chapter 13: Access Control Lists 146 Section II: Advanced Operations Supported Platforms Refer to Table 46 and Table 47 for the AT-9400 Switches and the

Page 54 - AT-9448Ts/XP Switches

AT-S63 Management Software Features Guide Section II: Advanced Operations 147 Overview An access control list is a filter that controls the ingress traff

Page 55 - History of New Features

Chapter 13: Access Control Lists 148 Section II: Advanced Operations 4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is acc

Page 56 - AT-9400Ts Stacks

AT-S63 Management Software Features Guide Section II: Advanced Operations 149 Parts of an ACL An ACL must have the following information: Name - An ACL

Page 57

15Figure 1: AT-StackXG Stacking Module...

Page 58

Chapter 13: Access Control Lists 150 Section II: Advanced Operations Guidelines Here are the rules to creating ACLs: Ports can have multiple permit and

Page 59

AT-S63 Management Software Features Guide Section II: Advanced Operations 151 Examples This section contains several examples of ACLs. In this example, p

Page 60 -  MAC address-based

Chapter 13: Access Control Lists 152 Section II: Advanced Operations To deny traffic from several subnets on the same port, you can create multiple clas

Page 61

AT-S63 Management Software Features Guide Section II: Advanced Operations 153 The same result can be achieved by assigning the classifiers to different

Page 62 -  Supplicant Mode for

Chapter 13: Access Control Lists 154 Section II: Advanced Operations In this example, the traffic on ports 14 and 15 is restricted to packets from the s

Page 63

AT-S63 Management Software Features Guide Section II: Advanced Operations 155 The next example limits the ingress traffic on port 17 to IP packets from

Page 64

Chapter 13: Access Control Lists 156 Section II: Advanced Operations

Page 65 - Introduction

Section II: Advanced Operations 157Chapter 14Class of ServiceThis chapter describes the Class of Service (CoS) feature. Sections in the chapter includ

Page 66 - Supported Models

Chapter 14: Class of Service158 Section II: Advanced OperationsSupported PlatformsRefer to Table 48 and Table 49 for the AT-9400 Switches and the mana

Page 67 - Stack Port 1

AT-S63 Management Software Features GuideSection II: Advanced Operations 159OverviewWhen a port on an Ethernet switch becomes oversubscribed—its egres

Page 68

Figures16Figure 51: Example of a Tagged VLAN...

Page 69

Chapter 14: Class of Service160 Section II: Advanced OperationsFor example, when a tagged packet with a priority level of 3 enters a port on the switc

Page 70 - Stack Topology

AT-S63 Management Software Features GuideSection II: Advanced Operations 161Note that because all ports must use the same priority-to-egress queue map

Page 71

Chapter 14: Class of Service162 Section II: Advanced OperationsSchedulingA switch port needs a mechanism that specifies the order of transmittal of th

Page 72 - Discovery Process

AT-S63 Management Software Features GuideSection II: Advanced Operations 163Table 52 shows an example.In this example, the port transmits a maximum nu

Page 73 - Master and Member Switches

Chapter 14: Class of Service164 Section II: Advanced OperationsQ6 15Q7 0Table 53. Example of a Weight of Zero for Priority Queue 7 (Continued)Port Egr

Page 74 - Module ID Numbers

Section II: Advanced Operations 165Chapter 15Quality of ServiceThis chapter describes Quality of Service (QoS). Sections in the chapter include: “Sup

Page 75 - Stack Configuration Files

Chapter 15: Quality of Service166 Section II: Advanced OperationsSupported PlatformsRefer to Table 54 and Table 55 for the AT-9400 Switches and the ma

Page 76 - Chapter 2: AT-9400Ts Stacks

AT-S63 Management Software Features GuideSection II: Advanced Operations 167OverviewQuality of Service allows you to prioritize traffic and/or limit t

Page 77 - File Systems

Chapter 15: Quality of Service168 Section II: Advanced OperationsThe QoS functionality described in this chapter sorts packets into various flows, acc

Page 78 - Stack IP Address

AT-S63 Management Software Features GuideSection II: Advanced Operations 169ClassifiersClassifiers identify a particular traffic flow, and range from

Page 79

17Table 1: Basic Operations ...

Page 80

Chapter 15: Quality of Service170 Section II: Advanced OperationsFlow GroupsFlow groups group similar traffic flows together, and allow more specific

Page 81

AT-S63 Management Software Features GuideSection II: Advanced Operations 171Traffic ClassesTraffic classes are the central component of the QoS soluti

Page 82

Chapter 15: Quality of Service172 Section II: Advanced OperationsPoliciesQoS policies consist of a collection of user defined traffic classes. A polic

Page 83

AT-S63 Management Software Features GuideSection II: Advanced Operations 173QoS Policy GuidelinesFollowing is a list of QoS policy guidelines: A clas

Page 84 - Master and Slave Switches

Chapter 15: Quality of Service174 Section II: Advanced OperationsPacket ProcessingYou can use the switch’s QoS tools to perform any combination of the

Page 85 - Common VLAN

AT-S63 Management Software Features GuideSection II: Advanced Operations 175Both the VLAN tag User Priority and the traffic class / flow group priorit

Page 86 - Chapter 3: Enhanced Stacking

Chapter 15: Quality of Service176 Section II: Advanced OperationsReplacing PrioritiesThe traffic class or flow group priority (if set) determines the

Page 87 - Slave Switches

AT-S63 Management Software Features GuideSection II: Advanced Operations 177DiffServ DomainsDifferentiated Services (DiffServ) is a method of dividing

Page 88

Chapter 15: Quality of Service178 Section II: Advanced OperationsTo use the QoS tool set to configure a DiffServ domain:1. As packets come into the do

Page 89 - Enhanced Stacking Guidelines

AT-S63 Management Software Features GuideSection II: Advanced Operations 179ExamplesThe following examples demonstrate how to implement QoS in three s

Page 90

Tables18Table 50: Default Mappings of IEEE 802.1p Priority Levels to Priority Queues ...

Page 91 - SNMPv1 and SNMPv2c

Chapter 15: Quality of Service180 Section II: Advanced OperationsFigure 14. QoS Voice Application ExampleThe parts of the policies are: Classifier -

Page 92

AT-S63 Management Software Features GuideSection II: Advanced Operations 181 Traffic Class - No action is taken by the traffic class, other than to s

Page 93

Chapter 15: Quality of Service182 Section II: Advanced OperationsFigure 15. QoS Video Application ExampleThe parts of the policies are: Classifier -

Page 94 - Community String Attributes

AT-S63 Management Software Features GuideSection II: Advanced Operations 183packets so they leave containing the new level, you would change option 5,

Page 95

Chapter 15: Quality of Service184 Section II: Advanced OperationsPolicyComponentHierarchyThe purpose of this example is to illustrate the hierarchy of

Page 96 - Chapter 4: SNMPv1 and SNMPv2c

AT-S63 Management Software Features GuideSection II: Advanced Operations 185Figure 17. Policy Component Hierarchy ExampleCreate Classifier01 - Classif

Page 97

Chapter 15: Quality of Service186 Section II: Advanced Operations

Page 98

Section II: Advanced Operations 187Chapter 16Group Link ControlThis chapter explains group link control. The sections in this chapter include: “Suppo

Page 99

Chapter 16: Group Link Control188 Section II: Advanced OperationsSupported PlatformsRefer to Table 56 and Table 57 for the AT-9400 Switches and the ma

Page 100 - Chapter 5: MAC Address Table

AT-S63 Management Software Features GuideSection II: Advanced Operations 189OverviewGroup link control is designed to improve the effectiveness of the

Page 101 - Static Port Trunks

AT-S63 Management Software Features Guide19Table 110: Support for 802.1x Port-based Network Access Control ...

Page 102 - Supported Platforms

Chapter 16: Group Link Control190 Section II: Advanced OperationsIn the first diagram a server with two teamed network adapter cards is connected to d

Page 103 - Overview

AT-S63 Management Software Features GuideSection II: Advanced Operations 191But if the failure occurred further upstream between switches 1 and 3, the

Page 104 - Load Distribution Methods

Chapter 16: Group Link Control192 Section II: Advanced OperationsFigure 20. Group Link Control Example 3When a link on an upstream port is reestablish

Page 105

AT-S63 Management Software Features GuideSection II: Advanced Operations 193Figure 21. Group Link Control Example 4 Switch 1NetworkSwitch 3Switch 2

Page 106 - Guidelines

Chapter 16: Group Link Control194 Section II: Advanced OperationsIf connectivity is lost on both ports 17 and 20, the downstream ports 24 and 25 are d

Page 107 - LACP Port Trunks

AT-S63 Management Software Features GuideSection II: Advanced Operations 195This is illustrated in this figure. Switch 1 and switch 3 are connected wi

Page 108

Chapter 16: Group Link Control196 Section II: Advanced OperationsIn this example the primary and backup trunks have four links each.Figure 24. Group L

Page 109

AT-S63 Management Software Features GuideSection II: Advanced Operations 197GuidelinesHere are the guidelines to group link control: The switch or st

Page 110 - LACP System Priority

Chapter 16: Group Link Control198 Section II: Advanced OperationsConfiguring the FeatureHere are a few examples on how to configure the feature. The f

Page 111 - LACP Port Priority Value

AT-S63 Management Software Features GuideSection II: Advanced Operations 199awplus(config-if)# interface 8awplus(config-if)# group link control upstre

Page 112

Copyright  2009 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied

Page 113

Tables20

Page 114 - Chapter 7: LACP Port Trunks

Chapter 16: Group Link Control200 Section II: Advanced Operations

Page 115 - Port Mirror

Section II: Advanced Operations 201 Chapter 17 Denial of Service Defenses This chapter explains the defense mechanisms in the management software that ca

Page 116

Chapter 17: Denial of Service Defenses 202 Section II: Advanced Operations Supported Platforms Refer to Table 60 and Table 61 for the AT-9400 Switches an

Page 117

AT-S63 Management Software Features Guide Section II: Advanced Operations 203 Overview The AT-S63 Management Software can help protect your network again

Page 118 - Chapter 8: Port Mirror

Chapter 17: Denial of Service Defenses 204 Section II: Advanced Operations SYN Flood Attack In this type of attack, an attacker sends to a victim a large

Page 119 - Link-flap Protection

AT-S63 Management Software Features Guide Section II: Advanced Operations 205 Smurf Attack This DoS attack is instigated by an attacker sending an ICMP Ec

Page 120

Chapter 17: Denial of Service Defenses 206 Section II: Advanced Operations Land Attack In this attack, an attacker sends a bogus IP packet where the sour

Page 121

AT-S63 Management Software Features Guide Section II: Advanced Operations 207 2. If the source IP address is not local to the network, it discards the p

Page 122

Chapter 17: Denial of Service Defenses 208 Section II: Advanced Operations Teardrop Attack An attacker sends an IP packet in several fragments with a bog

Page 123 - Configuring the Feature

AT-S63 Management Software Features Guide Section II: Advanced Operations 209 Ping of Death Attack The attacker sends an oversized, fragmented ICMP Echo

Page 124

21PrefaceThis guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software.This

Page 125 - Advanced Operations

Chapter 17: Denial of Service Defenses 210 Section II: Advanced Operations IP Options Attack In the basic scenario of an IP attack, an attacker sends pac

Page 126

AT-S63 Management Software Features Guide Section II: Advanced Operations 211 Mirroring Traffic The Land, Teardrop, Ping of Death, and IP Options defense

Page 127 - File System

Chapter 17: Denial of Service Defenses 212 Section II: Advanced Operations Denial of Service Defense Guidelines Below are guidelines to observe when usin

Page 128

Section II: Advanced Operations 213Chapter 18Power Over EthernetThis chapter contains background information on Power over Ethernet (PoE) for the AT-9

Page 129 - File Naming Conventions

Chapter 18: Power Over Ethernet214 Section II: Advanced OperationsSupported PlatformsRefer to Table 62 and Table 63 for the AT-9400 Switch and the man

Page 130 - Chapter 10: File System

AT-S63 Management Software Menus User’s GuideSection II: Advanced Operations 215OverviewPower over Ethernet (PoE) is a mechanism for supplying power t

Page 131 - Chapter 11

Chapter 18: Power Over Ethernet216 Section II: Advanced OperationsPower BudgetingThe AT-9424T/POE Switch has a maximum power budget of 380 watts. The

Page 132

AT-S63 Management Software Menus User’s GuideSection II: Advanced Operations 217Port PrioritizationPort prioritization is used to control which ports

Page 133 - Event Messages

Chapter 18: Power Over Ethernet218 Section II: Advanced OperationsPoE Device ClassesThe IEEE 802.3af standard specifies four levels of classes for pow

Page 134 - Syslog Client

Section III: Snooping Protocols 219Section IIISnooping ProtocolsThe chapters in this section contain overview information on the snooping protocols. T

Page 135 - Classifiers

Preface22How This Guide is OrganizedThis guide has the following sections and chapters: Section I: Basic OperationsChapter 1, “Overview” on page 33Ch

Page 136

220 Section III: Snooping Protocols

Page 137

Section III: Snooping Protocols 221Chapter 19Internet Group Management Protocol SnoopingThis chapter explains the Internet Group Management Protocol (

Page 138 - Service” on page 165

Chapter 19: Internet Group Management Protocol Snooping222 Section III: Snooping ProtocolsSupported PlatformsRefer to Table 64 and Table 65 for the AT

Page 139 - Classifier Criteria

AT-S63 Management Software Features GuideSection III: Snooping Protocols 223OverviewIPv4 routers use IGMP to create lists of nodes that are members of

Page 140 - Protocol (Layer 2)

Chapter 19: Internet Group Management Protocol Snooping224 Section III: Snooping ProtocolsWithout IGMP snooping a switch would have to flood multicast

Page 141

Section III: Snooping Protocols 225Chapter 20 Internet Group Management Protocol Snooping QuerierThis chapter explains IGMP snooping querier and conta

Page 142 - Destination IP Mask (Layer 3)

Chapter 20: Internet Group Management Protocol Snooping Querier226 Section III: Snooping ProtocolsSupported PlatformsRefer to Table 66 and Table 67 fo

Page 143 - TCP Flags

AT-S63 Management Software Features GuideSection III: Snooping Protocols 227OverviewMulticast routers are essential for IP multicasting. They send out

Page 144

Chapter 20: Internet Group Management Protocol Snooping Querier228 Section III: Snooping ProtocolsFigure 25. IGMP Snooping Querier Example 1The next e

Page 145 - Access Control Lists

AT-S63 Management Software Features GuideSection III: Snooping Protocols 229Figure 26. IGMP Snooping Querier Example 2 Multicast source:IP address: 1

Page 146

AT-S63 Management Software Features Guide23Chapter 23, “Ethernet Protection Switching Ring Snooping” on page 243 Section IV: SNMPv3Chapter 24, “SNMPv

Page 147

Chapter 20: Internet Group Management Protocol Snooping Querier230 Section III: Snooping ProtocolsGuidelinesThe guidelines for IGMP snooping querier a

Page 148

AT-S63 Management Software Features GuideSection III: Snooping Protocols 231Configuring the FeatureThe procedures in this section illustrate how to us

Page 149 - Parts of an ACL

Chapter 20: Internet Group Management Protocol Snooping Querier232 Section III: Snooping Protocols5. To confirm that IGMP snooping and IGMP snooping q

Page 150

AT-S63 Management Software Features GuideSection III: Snooping Protocols 2332. To enable IGMP snooping:awplus(config)# ip igmp snooping3. To enable IG

Page 151 - Examples

Chapter 20: Internet Group Management Protocol Snooping Querier234 Section III: Snooping Protocols

Page 152 - Figure 8. ACL Example 2

Section III: Snooping Protocols 235Chapter 21Multicast Listener Discovery SnoopingThis chapter explains Multicast Listener Discovery (MLD) snooping:

Page 153 - Figure 9. ACL Example 3

Chapter 21: Multicast Listener Discovery Snooping236 Section III: Snooping ProtocolsSupported PlatformsRefer to Table 68 and Table 69 for the AT-9400

Page 154

AT-S63 Management Software Features GuideSection III: Snooping Protocols 237OverviewMLD snooping performs the same function as IGMP snooping. The swit

Page 155 - Figure 12. ACL Example 6

Chapter 21: Multicast Listener Discovery Snooping238 Section III: Snooping Protocols

Page 156

Section III: Snooping Protocols 239Chapter 22 Router Redundancy Protocol SnoopingThis chapter explains Router Redundancy Protocol (RRP) snooping and c

Page 157 - Class of Service

Preface24Appendix B, “SNMPv3 Configuration Examples” on page 543Appendix C, “Features and Standards” on page 549Appendix D, “MIB Objects” on page 557

Page 158

Chapter 22: Router Redundancy Protocol Snooping240 Section III: Snooping ProtocolsSupported PlatformsRefer to Table 70 and Table 71 for the AT-9400 Sw

Page 159

AT-S63 Management Software Features GuideSection III: Snooping Protocols 241OverviewThe Router Redundancy Protocol (RRP) allows multiple routers to sh

Page 160 - Chapter 14: Class of Service

Chapter 22: Router Redundancy Protocol Snooping242 Section III: Snooping ProtocolsGuidelinesThe following guidelines apply to the RRP snooping feature

Page 161

Section III: Snooping Protocols 243Chapter 23Ethernet Protection Switching Ring SnoopingThis chapter has the following sections: “Supported Platforms

Page 162 - Scheduling

Chapter 23: Ethernet Protection Switching Ring Snooping244 Section III: Snooping ProtocolsSupported PlatformsRefer to Table 72 and Table 73 for the AT

Page 163

AT-S63 Management Software Features GuideSection III: Snooping Protocols 245OverviewEthernet Protection Switching Ring is a feature found on selected

Page 164

Chapter 23: Ethernet Protection Switching Ring Snooping246 Section III: Snooping ProtocolsAfter creating the VLANs, you activate EPSR snooping by spec

Page 165 - Quality of Service

AT-S63 Management Software Features GuideSection III: Snooping Protocols 247RestrictionsEPSR snooping has three important restrictions. All the restri

Page 166

Chapter 23: Ethernet Protection Switching Ring Snooping248 Section III: Snooping ProtocolsFigure 29. Double Fault Condition in EPSR SnoopingNow assume

Page 167

AT-S63 Management Software Features GuideSection III: Snooping Protocols 249GuidelinesThe guidelines to EPSR snooping are: The AT-9400 Switch can sup

Page 168

AT-S63 Management Software Features Guide25Product DocumentationFor overview information on the features of the AT-9400 Switches and the AT-S63 Manage

Page 169

Chapter 23: Ethernet Protection Switching Ring Snooping250 Section III: Snooping Protocols

Page 170 - Flow Groups

Section IV: SNMPv3 251Section IVSNMPv3The chapter in this section contains overview information on SNMPv3. The chapter is: Chapter 24, ”SNMPv3” on pa

Page 171 - Traffic Classes

252 Section IV: SNMPv3

Page 172 - Policies

Section IV: SNMPv3 253 Chapter 24 SNMPv3 This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. The following sections

Page 173 - QoS Policy Guidelines

Chapter 24: SNMPv3 254 Section IV: SNMPv3 Supported Platforms Refer to Table 74 and Table 75 for the AT-9400 Switches and the management interfaces that

Page 174 - Packet Prioritization

AT-S63 Management Software Features Guide Section IV: SNMPv3 255 Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implemen

Page 175

Chapter 24: SNMPv3 256 Section IV: SNMPv3 SNMPv3 Authentication Protocols The SNMPv3 protocol supports two authentication protocols—HMAC-MD5-96 (MD5) and

Page 176 - DSCP Values

AT-S63 Management Software Features Guide Section IV: SNMPv3 257 SNMPv3 Privacy Protocol After you have configured an authentication protocol, you have t

Page 177 - DiffServ Domains

Chapter 24: SNMPv3 258 Section IV: SNMPv3 SNMPv3 MIB Views The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is de

Page 178

AT-S63 Management Software Features Guide Section IV: SNMPv3 259 After you specify a MIB subtree view you have the option of further restricting a view

Page 179

Preface26Where to Go FirstAllied Telesis recommends that you read Chapter 1, “Overview” on page 33 in this guide before you begin to manage the switch

Page 180

Chapter 24: SNMPv3 260 Section IV: SNMPv3 SNMPv3 Storage Types Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile stora

Page 181 - Applications

AT-S63 Management Software Features Guide Section IV: SNMPv3 261 SNMPv3 Message Notification When you generate an SNMPv3 message from the switch, there a

Page 182

Chapter 24: SNMPv3 262 Section IV: SNMPv3 SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configur

Page 183

AT-S63 Management Software Features Guide Section IV: SNMPv3 263 • Configure SNMPv3 Notify Table • Configure SNMPv3 Target Address Table • Configure SNMPv

Page 184 - Hierarchy

Chapter 24: SNMPv3 264 Section IV: SNMPv3 • “SNMPv3 Target Parameters Table” on page 265 • “SNMPv3 Community Table” on page 265 SNMPv3 User Table The Config

Page 185

AT-S63 Management Software Features Guide Section IV: SNMPv3 265 SNMPv3 Notify Table The Configure SNMPv3 Notify Table menu allows you to define the type

Page 186

Chapter 24: SNMPv3 266 Section IV: SNMPv3 SNMPv3 Configuration Example You may want to have two classes of SNMPv3 users—Managers and Operators. In this s

Page 187 - Group Link Control

Section V: Spanning Tree Protocols 267Section VSpanning Tree ProtocolsThe section has the following chapters: Chapter 25, “Spanning Tree and Rapid Sp

Page 188

268 Section V: Spanning Tree Protocols

Page 189

Section V: Spanning Tree Protocols 269Chapter 25Spanning Tree and Rapid Spanning Tree ProtocolsThis chapter provides background information on the Spa

Page 190

AT-S63 Management Software Features Guide27Starting a Management SessionFor instructions on how to start a local or remote management session on the A

Page 191

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols270 Section V: Spanning Tree ProtocolsSupported PlatformsRefer to Table 76 and Table 77 for

Page 192

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 271OverviewThe performance of a Ethernet network can be negatively impacte

Page 193

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols272 Section V: Spanning Tree ProtocolsBridge Priority and the Root BridgeThe first task tha

Page 194

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 273Path Costs andPort CostsAfter the root bridge has been selected, the br

Page 195

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols274 Section V: Spanning Tree ProtocolsTable 80 lists the STP port costs with Auto-Detect wh

Page 196

AT-S63 Management Software Features GuideSection V: Spanning Tree Protocols 275Table 83. Port Priority Value IncrementsIncrementBridge Priority Increm

Page 197

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols276 Section V: Spanning Tree ProtocolsForwarding Delay and Topology ChangesIf there is a ch

Page 198

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 277 - seconds and the default is two seconds. Consequently, if the AT-9400 Sw

Page 199

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols - 278 Section V: Spanning Tree Protocols - Figure 34. Edge Port - A port can be both a point-to-poi

Page 200

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 279 - Mixed STP and RSTP Networks - RSTP IEEE 802.1w is fully compliant with STP

Page 201 - Denial of Service Defenses

Preface 28 - Document Conventions - This document uses the following conventions: Note: Notes provide additional information. Caution: Cautions inform you that per

Page 202

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols - 280 Section V: Spanning Tree Protocols - Spanning Tree and VLANs - The STP and RSTP implementatio

Page 203

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 281 - RSTP BPDU Guard - This feature monitors RSTP edge ports on stand-alone swi

Page 204 - SYN Flood Attack

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols - 282 Section V: Spanning Tree Protocols - • BPDU guard is supported only on RSTP. It is not sup

Page 205 - Smurf Attack

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 283 - RSTP Loop Guard - Although RSTP is intended to detect and prevent the form

Page 206 - Land Attack

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols - 284 Section V: Spanning Tree Protocols - This feature is supported on the base ports of the sw

Page 207

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 285 - Figure 38. Loop Guard Example 2 - But if loop guard is enabled on port 14

Page 208 - Teardrop Attack

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols - 286 Section V: Spanning Tree Protocols - In the first example the root bridge stops transmitti

Page 209 - Ping of Death Attack

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 287 - Figure 41. Loop Guard Example 5 - Switch 3 - Switch 1 - Old root bridge - RSTP s

Page 210 - IP Options Attack

Chapter 25: Spanning Tree and Rapid Spanning Tree Protocols - 288 Section V: Spanning Tree Protocols

Page 211 - Mirroring Traffic

Section V: Spanning Tree Protocols 289 - Chapter 26 - Multiple Spanning Tree Protocol - This chapter provides background information on the Multiple Spanning T

Page 212

AT-S63 Management Software Features Guide 29 - Contacting Allied Telesis - This section provides Allied Telesis contact information for technical support and

Page 213 - Power Over Ethernet

Chapter 26: Multiple Spanning Tree Protocol - 290 Section V: Spanning Tree Protocols - Supported Platforms - Refer to Table 84 and Table 85 for the AT-9400 Swi

Page 214

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 291 - Overview - As mentioned in Chapter 25, “Spanning Tree and Rapid Spanning T

Page 215

Chapter 26: Multiple Spanning Tree Protocol - 292 Section V: Spanning Tree Protocols - Multiple Spanning Tree Instance (MSTI) - The individual spanning trees i

Page 216 - Power Budgeting

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 293 - Figure 42. VLAN Fragmentation with STP or RSTP - Blocked Port

Page 217 - Port Prioritization

Chapter 26: Multiple Spanning Tree Protocol - 294 Section V: Spanning Tree Protocols - Figure 43 illustrates the same two AT-9400 Switches and the same two

Page 218 - PoE Device Classes

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 295 - An MSTI can contain more than one VLAN. This is illustrated in Figure 44

Page 219 - Snooping Protocols

Chapter 26: Multiple Spanning Tree Protocol - 296 Section V: Spanning Tree Protocols - MSTI Guidelines - The following are several guidelines to keep in mind a

Page 220

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 297 - VLAN and MSTI Associations - Part of the task of configuring MSTP involves

Page 221 - Snooping

Chapter 26: Multiple Spanning Tree Protocol - 298 Section V: Spanning Tree Protocols - Ports in Multiple MSTIs - A port can be a member of more than one MSTI a

Page 222

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 299 - Multiple Spanning Tree Regions - Another important concept of MSTP is regi

Page 223

3 - Preface ...

Page 224

Preface 30

Page 225 - Snooping Querier

Chapter 26: Multiple Spanning Tree Protocol - 300 Section V: Spanning Tree Protocols - Figure 45 illustrates the concept of regions. It shows one MSTP regio

Page 226

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 301 - The same is true for any ports connected to bridges running the single-

Page 227

Chapter 26: Multiple Spanning Tree Protocol - 302 Section V: Spanning Tree Protocols - Common and Internal Spanning Tree (CIST) - MSTP has a default spanning tree

Page 228

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 303 - Summary of Guidelines - Careful planning is essential for the successful i

Page 229

Chapter 26: Multiple Spanning Tree Protocol - 304 Section V: Spanning Tree Protocols - Note: The AT-S63 MSTP implementation complies fully with the new IEEE 8

Page 230

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 305 - Associating VLANs to MSTIs - Allied Telesis recommends that you assign all

Page 231

Chapter 26: Multiple Spanning Tree Protocol - 306 Section V: Spanning Tree Protocols - Figure 47. CIST and VLAN Guideline - Example 2 - When port 4 on switch B

Page 232

AT-S63 Management Software Features Guide - Section V: Spanning Tree Protocols 307 - Connecting VLANs Across Different Regions - Special consideration needs to

Page 233

Chapter 26: Multiple Spanning Tree Protocol - 308 Section V: Spanning Tree Protocols - Another approach is to group those VLANs that need to span regions in

Page 234

Section VI: Virtual LANs 309 - Section VI - Virtual LANs - The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Swit

Page 235 - Chapter 21

Section I: Basic Operations 31 - Section I - Basic Operations - The chapters in this section contain background information on basic switch features. The chapt

Page 236

310 Section VI: Virtual LANs

Page 237

Section VI: Virtual LANs 311 - Chapter 27 - Port-based and Tagged VLANs - This chapter contains overview information about port-based and tagged virtual LANs

Page 238

Chapter 27: Port-based and Tagged VLANs - 312 Section VI: Virtual LANs - Supported Platforms - Refer to Table 86 and Table 87 for the AT-9400 Switches and the

Page 239 - Chapter 22

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 313 - Overview - A VLAN is a group of ports on an Ethernet switch that form a logical Ethe

Page 240

Chapter 27: Port-based and Tagged VLANs - 314 Section VI: Virtual LANs - Management Software. You can change the VLAN memberships through the management sof

Page 241

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 315 - Port-based VLAN Overview - As explained in “Overview” on page 313, a VLAN consists o

Page 242

Chapter 27: Port-based and Tagged VLANs - 316 Section VI: Virtual LANs - three AT-9400 Switches, you would assign the Marketing VLAN on each switch the same

Page 243

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 317 - Guidelines to Creating a Port-based VLAN - Below are the guidelines to creating a por

Page 244

Chapter 27: Port-based and Tagged VLANs - 318 Section VI: Virtual LANs - Port-based Example 1 - Figure 49 illustrates an example of one AT-9424T/SP Gigabit Ethe

Page 245

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 319 - In the example, each VLAN has one port connected to the router. The router interc

Page 246

32 Section I: Basic Operations

Page 247 - Restrictions

Chapter 27: Port-based and Tagged VLANs - 320 Section VI: Virtual LANs - The table below lists the port assignments for the Sales, Engineering, and Producti

Page 248

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 321 - Tagged VLAN Overview - The second type of VLAN supported by the AT-S63 Management So

Page 249

Chapter 27: Port-based and Tagged VLANs - 322 Section VI: Virtual LANs - • Port VLAN Identifier - Note: For explanations of VLAN name and VLAN identifier, refer

Page 250

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 323 - Tagged VLAN Example - Figure 51 illustrates how tagged ports can be used to interconn

Page 251 - Section IV

Chapter 27: Port-based and Tagged VLANs - 324 Section VI: Virtual LANs - The port assignments for the VLANs are as follows: This example is nearly identical

Page 252 - 252 Section IV: SNMPv3

Section VI: Virtual LANs 325 - Chapter 28 - GARP VLAN Registration Protocol - This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains th

Page 253 - Chapter 24

Chapter 28: GARP VLAN Registration Protocol - 326 Section VI: Virtual LANs - Supported Platforms - Refer to Table 88 and Table 89 for the AT-9400 Switches and

Page 254

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 327 - Overview - The GARP VLAN Registration Protocol (GVRP) allows network devices to shar

Page 255

Chapter 28: GARP VLAN Registration Protocol - 328 Section VI: Virtual LANs - Figure 52 provides an example of how GVRP works. - Figure 52. GVRP Example Switche

Page 256 - 256 Section IV: SNMPv3

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 329 - as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then

Page 257 - SNMPv3 Privacy Protocol

33 - Chapter 1 - Overview - This chapter has the following sections: • “Layer 2+ and Basic Layer 3 Switches” on page 34 • “AT-S63 Management Software” on page 40

Page 258 - SNMPv3 MIB Views

Chapter 28: GARP VLAN Registration Protocol - 330 Section VI: Virtual LANs - Guidelines - Following are guidelines to observe when using this feature: • GVRP is

Page 259 - Section IV: SNMPv3 259

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 331 - GVRP and Network Security - GVRP should be used with caution because it can expose y

Page 260 - SNMPv3 Storage Types

Chapter 28: GARP VLAN Registration Protocol - 332 Section VI: Virtual LANs - GVRP-inactive Intermediate Switches - If two GVRP-active devices are separated by

Page 261 - SNMPv3 Message Notification

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 333 - Generic Attribute Registration Protocol (GARP) Overview - The following is a technic

Page 262 - SNMPv3 Tables

Chapter 28: GARP VLAN Registration Protocol - 334 Section VI: Virtual LANs - GARP architecture is shown in Figure 53. - Figure 53. GARP Architecture - The GARP

Page 263

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 335 - Figure 54. GID Architecture - GARP registers and deregisters attribute values throu

Page 264 - 264 Section IV: SNMPv3

Chapter 28: GARP VLAN Registration Protocol - 336 Section VI: Virtual LANs - To control the applicant state machine, an applicant administrative control par

Page 265 - Section IV: SNMPv3 265

Section VI: Virtual LANs 337 - Chapter 29 - Multiple VLAN Modes - This chapter describes the multiple VLAN modes. This chapter contains the following sections:

Page 266 - SNMPv3 Configuration Example

Chapter 29: Multiple VLAN Modes - 338 Section VI: Virtual LANs - Supported Platforms - Refer to Table 90 and Table 91 for the AT-9400 Switches and the manageme

Page 267 - Spanning Tree Protocols

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 339 - Overview - The multiple VLAN modes are designed to simplify the task of configuring

Page 268

Chapter 1: Overview - 34 - Layer 2+ and Basic Layer 3 Switches - The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups: • Layer 2+ Swi

Page 269 - Protocols

Chapter 29: Multiple VLAN Modes - 340 Section VI: Virtual LANs - 802.1Q-Compliant Multiple VLAN Mode - In this mode, each port is placed into a separate VLAN

Page 270

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 341 - This highly segmented configuration is useful in situations where traffic generat

Page 271

Chapter 29: Multiple VLAN Modes - 342 Section VI: Virtual LANs - Non-802.1Q Compliant Multiple VLAN Mode - Unlike the 802.1Q-compliant VLAN mode, which isolate

Page 272

Section VI: Virtual LANs 343 - Chapter 30 - Protected Ports VLANs - This chapter explains protected ports VLANs. It contains the following sections: • “Support

Page 273 - Port Costs

Chapter 30: Protected Ports VLANs - 344 Section VI: Virtual LANs - Supported Platforms - Refer to Table 93 and Table 94 for the AT-9400 Switches and the manage

Page 274

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 345 - Overview - The purpose of a protected ports VLAN is to allow multiple ports on the s

Page 275

Chapter 30: Protected Ports VLANs - 346 Section VI: Virtual LANs - To create a protected ports VLAN, you perform many of the same steps that you do when you

Page 276 - Data Units

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 347 - Guidelines - Following are the guidelines for implementing protected ports VLANs: • A

Page 277 - Point-to-Point

Chapter 30: Protected Ports VLANs - 348 Section VI: Virtual LANs

Page 278 - (Full-duplex Mode)

Section VI: Virtual LANs 349 - Chapter 31 - MAC Address-based VLANs - This chapter contains overview information about MAC address-based VLANs. Sections in the

Page 279 - Mixed STP and RSTP Networks

AT-S63 Management Software Features Guide 35 - Multiple manager sessions YYYYYY Y - TCP/IP pings YYYYYYYYY Y - Enhanced stacking YYYYYYYYY - Simple Network Time Pro

Page 280 - Spanning Tree and VLANs

Chapter 31: MAC Address-based VLANs - 350 Section VI: Virtual LANs - Supported Platforms - Refer to Table 95 and Table 96 for the AT-9400 Switches and the mana

Page 281 - RSTP BPDU Guard

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 351 - Overview - As explained in “Overview” on page 313, VLANs are a means for creating in

Page 282

Chapter 31: MAC Address-based VLANs - 352 Section VI: Virtual LANs - Egress Ports - Implementing a MAC address-based VLAN involves more than entering the MAC a

Page 283 - RSTP Loop Guard

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 353 - The community characteristic of egress ports relieves you from having to map each

Page 284

Chapter 31: MAC Address-based VLANs - 354 Section VI: Virtual LANs - If security is a major concern for your network, you might not want to assign a port as

Page 285

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 355 - VLANs That Span Switches - To create a MAC address-based VLAN that spans switches, y

Page 286

Chapter 31: MAC Address-based VLANs - 356 Section VI: Virtual LANs - Table 99. Example of a MAC Address-based VLAN Spanning Switches - Switch A Switch B VLAN Na

Page 287

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 357 - VLAN Hierarchy - The switch’s management software employs a VLAN hierarchy when hand

Page 288

Chapter 31: MAC Address-based VLANs - 358 Section VI: Virtual LANs - Steps to Creating a MAC Address-based VLAN - Here are the three main steps to creating a M

Page 289 - Chapter 26

AT-S63 Management Software Features Guide - Section VI: Virtual LANs 359 - Guidelines - Follow these guidelines when implementing a MAC address-based VLAN: • MA

Page 290

Chapter 1: Overview - 36 - Class of Service YYYYYYYYY Y - Quality of Service YYYYYYYYY Y - Group link control YYYYYY Y - Denial of service defenses YYYYYYYYY - Power ove

Page 291

Chapter 31: MAC Address-based VLANs - 360 Section VI: Virtual LANs - • Egress ports cannot be part of a static or LACP trunk. • Since this type of VLAN does

Page 292

Section VII: Internet Protocol Routing 361 - Section VII - Internet Protocol Routing - This section has the following chapters: • Chapter 32, “Internet Protocol

Page 293 - AT-9424T/GB

362 Section VII: Internet Protocol Routing

Page 294

363 - Chapter 32 - Internet Protocol Version 4 Packet Routing - This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic L

Page 295

Chapter 32: Internet Protocol Version 4 Packet Routing - 364 Section VII: Routing - Supported Platforms - Refer to Table 100 and Table 101 for the AT-9400 Swit

Page 296 - MSTI Guidelines

AT-S63 Management Software Features Guide - Section VII: Routing 365 - Features” on page 384 and “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on pag

Page 297 - VLAN and MSTI Associations

Chapter 32: Internet Protocol Version 4 Packet Routing - 366 Section VII: Routing - Overview - This section contains an overview of the IPv4 routing feature on

Page 298 - Ports in Multiple MSTIs

AT-S63 Management Software Features Guide - Section VII: Routing 367 - At the end of this overview are two examples that illustrate the sequence of commands

Page 299

Chapter 32: Internet Protocol Version 4 Packet Routing - 368 Section VII: Routing - Routing Interfaces - The IPv4 packet routing feature on the switch is built

Page 300

AT-S63 Management Software Features Guide - Section VII: Routing 369 - Note: Routing interfaces can be configured from either the command line interface or th

Page 301

AT-S63 Management Software Features Guide 37 - Table 4. SNMPv3 - Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP Stack SN

Page 302

Chapter 32: Internet Protocol Version 4 Packet Routing - 370 Section VII: Routing - the other interfaces in the same VLAN must be assigned manually. For exa

Page 303 - Summary of Guidelines

AT-S63 Management Software Features Guide - Section VII: Routing 371 - Interface Names - Many of the IPv4 routing commands have a parameter for an interface na

Page 304

Chapter 32: Internet Protocol Version 4 Packet Routing - 372 Section VII: Routing - Static Routes - In order for the switch to route an IPv4 packet to a remote

Page 305 - Associating VLANs to MSTIs

AT-S63 Management Software Features Guide - Section VII: Routing 373 - The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP

Page 306

Chapter 32: Internet Protocol Version 4 Packet Routing - 374 Section VII: Routing - Routing Information Protocol (RIP) - A switch can automatically learn route

Page 307

AT-S63 Management Software Features Guide - Section VII: Routing 375 - Note: A RIP version 2 password is sent in plaintext. The AT-S63 Management Software doe

Page 308

Chapter 32: Internet Protocol Version 4 Packet Routing - 376 Section VII: Routing - Default Routes - A default route is a “match all” destination entry in the

Page 309 - Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 377 - Equal-cost Multi-path (ECMP) Routing - When there are multiple routes in the routing tab

Page 310 - 310 Section VI: Virtual LANs

Chapter 32: Internet Protocol Version 4 Packet Routing - 378 Section VII: Routing - ECMP also applies to default routes. This enables the switch to store up

Page 311 - Port-based and Tagged VLANs

AT-S63 Management Software Features Guide - Section VII: Routing 379 - Routing Table - The switch maintains its routing information in a table of routes that t

Page 312

Chapter 1: Overview - 38 - GARP VLAN Registration Protocol YYYYYYYYY - Protected ports VLANs YYYYYYYYY - MAC address-based VLANs YYYYYY - Table 6. Virtual LANs - Layer 2+

Page 313

Chapter 32: Internet Protocol Version 4 Packet Routing - 380 Section VII: Routing - Route Selection Process - Here is the route selection process the switch go

Page 314 - Tagged VLANs

AT-S63 Management Software Features Guide - Section VII: Routing 381 - Address Resolution Protocol (ARP) Table - The switch maintains an ARP table of IP addres

Page 315 - Port-based VLAN Overview

Chapter 32: Internet Protocol Version 4 Packet Routing - 382 Section VII: Routing - Internet Control Message Protocol (ICMP) - ICMP allows routers to send erro

Page 316 - Identifier

AT-S63 Management Software Features Guide - Section VII: Routing 383 - Time to Live Exceeded (11) - If the TTL field in a packet falls to zero the switch will

Page 317

Chapter 32: Internet Protocol Version 4 Packet Routing - 384 Section VII: Routing - Routing Interfaces and Management Features - Routing interfaces are primary

Page 318 - Example 1

AT-S63 Management Software Features Guide - Section VII: Routing 385 - As an example, assume you decided not to implement the IPv4 routing feature on a swit

Page 319 - Example 2

Chapter 32: Internet Protocol Version 4 Packet Routing - 386 Section VII: Routing - Pinging a Remote Device - This function is used to validate the existence of

Page 320 - 320 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 387 - Local Interface - The local interface is used with the enhanced stacking feature. It is

Page 321 - Tagged VLAN Overview

Chapter 32: Internet Protocol Version 4 Packet Routing - 388 Section VII: Routing - AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches - The AT-9408LC/SP, AT-9

Page 322

AT-S63 Management Software Features Guide - Section VII: Routing 389 - Note: The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table

Page 323 - Tagged VLAN

AT-S63 Management Software Features Guide 39 - Table 8. Port Security - Layer 2+ Switches Basic Layer 3 Switches 08LC 24GB 24SP 24T 24T POE 24Ts 24XP 48SP 48XP

Page 324 - 324 Section VI: Virtual LANs

Chapter 32: Internet Protocol Version 4 Packet Routing - 390 Section VII: Routing - Routing Command Example - This section contains an example of the IPv4 rout

Page 325 - Chapter 28

AT-S63 Management Software Features Guide - Section VII: Routing 391 - Creating the VLANs - The first step is to create the VLANs for the local subnets on the s

Page 326

Chapter 32: Internet Protocol Version 4 Packet Routing - 392 Section VII: Routing - command. - Adding a Static Route and Default Route - Building on our example, as

Page 327

AT-S63 Management Software Features Guide - Section VII: Routing 393 - Adding RIP - Rather than adding the static routes to remote destinations, or perhaps to

Page 328

Chapter 32: Internet Protocol Version 4 Packet Routing - 394 Section VII: Routing - Non-routing Command Example - This example illustrates how to assign an IP

Page 329 - Section VI: Virtual LANs 329

AT-S63 Management Software Features Guide - Section VII: Routing 395 - The following command creates a default route for the example and specifies the next

Page 330

Chapter 32: Internet Protocol Version 4 Packet Routing - 396 Section VII: Routing - Upgrading from AT-S63 Version 1.3.0 or Earlier - When the AT-9400 Switch ru

Page 331 - GVRP and Network Security

397 - Chapter 33 - BOOTP Relay Agent - This chapter has the following sections: • “Supported Platforms” on page 398 • “Overview” on page 399 • “Guidelines” on pag

Page 332 - 332 Section VI: Virtual LANs

Chapter 33: BOOTP Relay Agent - 398 Section VII: Routing - Supported Platforms - Refer to Table 104 and Table 105 for the AT-9400 Switches and the management i

Page 333 - Section VI: Virtual LANs 333

AT-S63 Management Software Features Guide - Section VII: Routing 399 - Overview - The AT-S63 Management Software comes with a BOOTP relay agent for relaying BO

Page 334 - 334 Section VI: Virtual LANs

Contents 4 - Chapter 2: AT-9400Ts Stacks ...

Page 335 - Section VI: Virtual LANs 335

Chapter 1: Overview - 40 - AT-S63 Management Software - The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on t

Page 336 - 336 Section VI: Virtual LANs

Chapter 33: BOOTP Relay Agent - 400 Section VII: Routing - A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field i

Page 337 - Multiple VLAN Modes

AT-S63 Management Software Features Guide - Section VII: Routing 401 - Guidelines - These guidelines apply to the BOOTP relay agent: • A routing interface funct

Page 338

Chapter 33: BOOTP Relay Agent - 402 Section VII: Routing

Page 339

403 - Chapter 34 - Virtual Router Redundancy Protocol - The chapter has the following sections: • “Supported Platforms” on page 404 • “Overview” on page 405 • “Ma

Page 340 - 340 Section VI: Virtual LANs

Chapter 34: Virtual Router Redundancy Protocol - 404 Section VII: Routing - Supported Platforms - Refer to Table 106 and Table 107 for the AT-9400 Switches and

Page 341 - Section VI: Virtual LANs 341

AT-S63 Management Software Features Guide - Section VII: Routing 405 - Overview - This chapter describes the Virtual Router Redundancy Protocol (VRRP) of the A

Page 342 - 342 Section VI: Virtual LANs

Chapter 34: Virtual Router Redundancy Protocol - 406 Section VII: Routing - Master Switch - The virtual router has a virtual MAC address known by all the switc

Page 343 - Protected Ports VLANs

AT-S63 Management Software Features Guide - Section VII: Routing 407 - Backup Switches - All the other switches participating in the virtual router are designa

Page 344

Chapter 34: Virtual Router Redundancy Protocol - 408 Section VII: Routing - Interface Monitoring - The virtual router can monitor certain interfaces to change

Page 345

AT-S63 Management Software Features Guide - Section VII: Routing 409 - Port Monitoring - Port monitoring is the process of detecting the failure of ports that

Page 346 - 346 Section VI: Virtual LANs

AT-S63 Management Software Features Guide 41 - Management Interfaces - The AT-S63 Management Software has four management interfaces: • Standard command line

Page 347

Chapter 34: Virtual Router Redundancy Protocol - 410 Section VII: Routing - VRRP on the Switch - VRRP is disabled by default. When a virtual router is created

Page 348 - 348 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VII: Routing 411 - prevents a switch from inadvertently backing up another switch. The authentication ty

Page 349 - MAC Address-based VLANs

Chapter 34: Virtual Router Redundancy Protocol - 412 Section VII: Routing

Page 350

Section VIII: Port Security 413 - Section VIII - Port Security - The chapters in this section contain overview information on the port security features of the

Page 351

414 Section VIII: Port Security

Page 352 - Egress Ports

Section VIII: Port Security 415 - Chapter 35 - MAC Address-based Port Security - The sections in this chapter include: • “Supported Platforms” on page 416 • “Ove

Page 353 - Section VI: Virtual LANs 353

Chapter 35: MAC Address-based Port Security - 416 Section VIII: Port Security - Supported Platforms - Refer to Table 108 and Table 109 for the AT-9400 Switches

Page 354 - 354 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VIII: Port Security 417 - Overview - You can use this feature to enhance the security of your network by co

Page 355 - VLANs That Span Switches

Chapter 35: MAC Address-based Port Security - 418 Section VIII: Port Security - Secured - This security level uses only static MAC addresses assigned to a por

Page 356 - 356 Section VI: Virtual LANs

AT-S63 Management Software Features Guide - Section VIII: Port Security 419 - Invalid Frames and Intrusion Actions - When a port receives an invalid frame, it

Page 357 - VLAN Hierarchy

Chapter 1: Overview - 42 - In other cases, a management interface might support only part of a function. For example, you can set a switch or stack’s name,

Page 358 - 358 Section VI: Virtual LANs

Chapter 35: MAC Address-based Port Security - 420 Section VIII: Port Security - Guidelines - The following guidelines apply to MAC address-based port security:

Page 359

Section VIII: Port Security 421 - Chapter 36 - 802.1x Port-based Network Access Control - The sections in this chapter are: • “Supported Platforms” on page 422

Page 360

Chapter 36: 802.1x Port-based Network Access Control - 422 Section VIII: Port Security - Supported Platforms - Refer to Table 110 and Table 111 for the AT-9400

Page 361 - Internet Protocol Routing

AT-S63 Management Software Features Guide - Section VIII: Port Security 423 - Overview - The AT-S63 Management Software has several different methods for prote

Page 362

Chapter 36: 802.1x Port-based Network Access Control - 424 Section VIII: Port Security - • Authentication server - The authentication server is the network

Page 363 - Chapter 32

AT-S63 Management Software Features Guide - Section VIII: Port Security 425 - Authentication Process - Below is a brief overview of the authentication process

Page 364

Chapter 36: 802.1x Port-based Network Access Control - 426 Section VIII: Port Security - Port Roles - Part of the task of implementing this feature is specifyi

Page 365 - Section VII: Routing 365

AT-S63 Management Software Features Guide - Section VIII: Port Security 427 - Assigning unique username and password combinations to your network users and

Page 366

Chapter 36: 802.1x Port-based Network Access Control - 428 Section VIII: Port Security - Note: A supplicant connected to an authenticator port set to force-au

Page 367 - Section VII: Routing 367

AT-S63 Management Software Features Guide - Section VIII: Port Security 429 - Authenticator Ports with Single and Multiple Supplicants - An authenticator port

Page 368 - Routing Interfaces

AT-S63 Management Software Features Guide 43 - Baud rate of the Terminal Port Y Y Y Y Y - Management console timer Y Y Y Y Y - Telnet server YYY YY - Console start

Page 369 - Subnet Mask

Chapter 36: 802.1x Port-based Network Access Control - 430 Section VIII: Port Security - Figure 57. Authenticator Port in Single Operating Mode with a Singl

Page 370 - 370 Section VII: Routing

AT-S63 Management Software Features Guide - Section VIII: Port Security 431 - Figure 58. Single Operating Mode with Multiple Clients Using the Piggy-back Fe

Page 371 - Interface Names

Chapter 36: 802.1x Port-based Network Access Control - 432 Section VIII: Port Security - If the clients are connected to an 802.1x-compliant device, such as

Page 372 - Static Routes

AT-S63 Management Software Features Guide - Section VIII: Port Security 433 - Figure 60. Single Operating Mode with Multiple Clients Using the Piggy-back Fe

Page 373 - IP ROUTE, and SET IP ROUTE

Chapter 36: 802.1x Port-based Network Access Control - 434 Section VIII: Port Security - An example of this authenticator operating mode is illustrated in F

Page 374 - 374 Section VII: Routing

AT-S63 Management Software Features Guide - Section VIII: Port Security 435 - none, port 6 on switch A will discard the packets because switch B would not b

Page 375

Chapter 36: 802.1x Port-based Network Access Control - 436 Section VIII: Port Security - Supplicant and VLAN Associations - One of the challenges to managing a

Page 376 - Default Routes

AT-S63 Management Software Features Guide - Section VIII: Port Security 437 - Single Operating Mode - Here are the operating characteristics for the switch when

Page 377 - Section VII: Routing 377

Chapter 36: 802.1x Port-based Network Access Control - 438 Section VIII: Port Security - Guest VLAN - An authenticator port in the unauthorized state typically

Page 378 - 378 Section VII: Routing

AT-S63 Management Software Features Guide - Section VIII: Port Security 439 - RADIUS Accounting - The AT-S63 Management Software supports RADIUS accounting for

Page 379 - Routing Table

Chapter 1: Overview - 44 - 4. You cannot upload or download files to a compact flash card with the web browser windows. Also, that interface does not suppor

Page 380 - Route Selection Process

Chapter 36: 802.1x Port-based Network Access Control - 440 Section VIII: Port Security - General Steps - Here are the general steps to implementing 802.1x Port

Page 381 - 1024 dynamic entries

AT-S63 Management Software Features Guide - Section VIII: Port Security 441 - Guidelines - The following are general guidelines to using this feature: • Ports o

Page 382 - 382 Section VII: Routing

Chapter 36: 802.1x Port-based Network Access Control - 442 Section VIII: Port Security - • An authenticator port cannot be part of a static port trunk, LACP

Page 383 - Section VII: Routing 383

AT-S63 Management Software Features Guide - Section VIII: Port Security 443 - Here are guidelines for adding VLAN assignments to supplicant accounts on a RA

Page 384 - Network Servers

Chapter 36: 802.1x Port-based Network Access Control - 444 Section VIII: Port Security

Page 385 - Section VII: Routing 385

Section IX: Management Security 445 - Section IX - Management Security - The chapters in this section describe the management security features of the AT-9400

Page 386 - Accessing DHCP

446 Section IX: Management Security

Page 387 - Local Interface

Section IX: Management Security 447 - Chapter 37 - Web Server - The sections in this chapter are: • “Supported Platforms” on page 448 • “Overview” on page 449 • “

Page 388 - 388 Section VII: Routing

Chapter 37: Web Server - 448 Section IX: Management Security - Supported Platforms - Refer to Table 112 and Table 113 for the AT-9400 Switches and the manageme

Page 389 - Section VII: Routing 389

AT-S63 Management Software Features Guide (Section IX: Management Security, page 449). Overview: The AT-S63 Management Software has a web server and a special web

Page 390 - Routing Command Example

AT-S63 Management Software Features Guide45Multiple Spanning Tree Protocol (MSTP)YYYYTable 15. Management Interfaces for Spanning Tree ProtocolsStand-

Page 391 - Interfaces

Chapter 37: Web Server (page 450, Section IX: Management Security). Configuring the Web Server for HTTP: The following steps configure the web server for non-secur

Page 392 - Default Route

AT-S63 Management Software Features Guide (Section IX: Management Security, page 451). Configuring the Web Server for HTTPS: The following sections outline the ste

Page 393 - Selecting the

Chapter 37: Web Server (page 452, Section IX: Management Security). 6. After receiving the certificates from the CA, download them into the switch’s file system

Page 394 - Non-routing Command Example

Section IX: Management Security (page 453). Chapter 38: Encryption Keys. The sections in this chapter are: “Supported Platforms” on page 454, “Overview” on page 4

Page 395 - Section VII: Routing 395

Chapter 38: Encryption Keys (page 454, Section IX: Management Security). Supported Platforms: Refer to Table 114 and Table 115 for the AT-9400 Switches and the man

Page 396 - 396 Section VII: Routing

AT-S63 Management Software Features Guide (Section IX: Management Security, page 455). Overview: Protecting your managed switches from unauthorized management acce

Page 397 - BOOTP Relay Agent

Chapter 38: Encryption Keys (page 456, Section IX: Management Security). Encryption Key Length: When you create a key pair, you have to specify its length in bits.

Page 398

AT-S63 Management Software Features Guide (Section IX: Management Security, page 457). Encryption Key Guidelines: Observe the following guidelines when creating an

Page 399

Chapter 38: Encryption Keys (page 458, Section IX: Management Security). Technical Overview: The encryption feature provides the following data security services:

Page 400 - 400 Section VII: Routing

AT-S63 Management Software Features Guide (Section IX: Management Security, page 459). algorithm and key. For a given input block of plaintext ECB always produce

Page 401

Chapter 1: Overview46Table 18. Management Interfaces for Port SecurityStand-alone Switches StacksSCL ACL M WB SCL ACL WBMAC address-based port securit

Page 402 - 402 Section VII: Routing

Chapter 38: Encryption Keys (page 460, Section IX: Management Security). secret. Only the decryption, or private key, needs to be kept secret. The other name for

Page 403 - Chapter 34

AT-S63 Management Software Features Guide (Section IX: Management Security, page 461). It is very hard to find another message and key which give the same hash

Page 404

Chapter 38: Encryption Keys (page 462, Section IX: Management Security). A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange

Page 405

Section IX: Management Security (page 463). Chapter 39: PKI Certificates and SSL. The sections in this chapter are: “Supported Platforms” on page 464, “Overview”

Page 406 - Master Switch

Chapter 39: PKI Certificates and SSL (page 464, Section IX: Management Security). Supported Platforms: Refer to Table 116 and Table 117 for the AT-9400 Switches an

Page 407 - Backup Switches

AT-S63 Management Software Features Guide (Section IX: Management Security, page 465). Overview: This chapter describes the second part of the encryption feature o

Page 408 - Interface Monitoring

Chapter 39: PKI Certificates and SSL (page 466, Section IX: Management Security). network equipment. With private CAs, companies can keep track of the certificat

Page 409 - Port Monitoring

AT-S63 Management Software Features Guide (Section IX: Management Security, page 467). Distinguished Names: Part of the task to creating a self-signed certificate

Page 410 - VRRP on the Switch

Chapter 39: PKI Certificates and SSL (page 468, Section IX: Management Security). If your network has a Domain Name System and you mapped a name to the IP addres

Page 411

AT-S63 Management Software Features Guide (Section IX: Management Security, page 469). SSL and Enhanced Stacking: Secure Sockets Layer (SSL) is supported in an enh

Page 412 - 412 Section VII: Routing

AT-S63 Management Software Features Guide (page 47). Management Access Methods: You can access the AT-S63 Management Software on a switch several ways: Local ses

Page 413 - Port Security

Chapter 39: PKI Certificates and SSL (page 470, Section IX: Management Security). Guidelines: The guidelines for creating certificates are: A certificate can have

Page 414

AT-S63 Management Software Features Guide (Section IX: Management Security, page 471). Technical Overview: This section describes the Secure Sockets Layer (SSL) fe

Page 415 - Chapter 35

Chapter 39: PKI Certificates and SSL (page 472, Section IX: Management Security). SSL uses asymmetrical (Public Key) encryption to establish a connection between

Page 416

AT-S63 Management Software Features Guide (Section IX: Management Security, page 473). To verify the authenticity of a server, the server has a public and privat

Page 417

Chapter 39: PKI Certificates and SSL (page 474, Section IX: Management Security). this, and other attacks, PKI provides a means for secure transfer of public key

Page 418

AT-S63 Management Software Features Guide (Section IX: Management Security, page 475). Elements of a Public Key Infrastructure: A public key infrastructure is a set

Page 419

Chapter 39: PKI Certificates and SSL (page 476, Section IX: Management Security). Certificate Validation: To validate a certificate, the end entity verifies the sig

Page 420

AT-S63 Management Software Features Guide (Section IX: Management Security, page 477). PKI Implementation: The following sections discuss the implementation of PKI

Page 421 - Chapter 36

Chapter 39: PKI Certificates and SSL (page 478, Section IX: Management Security)

Page 422

Section IX: Management Security (page 479). Chapter 40: Secure Shell (SSH). The sections in this chapter are: “Supported Platforms” on page 480, “Overview” on pag

Page 423

Chapter 1: Overview (page 48). Remote Secure Shell (SSH) Sessions: The AT-S63 Management Software also has a Secure Shell (SSH) server for remote management from SS

Page 424

Chapter 40: Secure Shell (SSH) (page 480, Section IX: Management Security). Supported Platforms: Refer to Table 118 and Table 119 for the AT-9400 Switches and the

Page 425 - Authentication Process

AT-S63 Management Software Features Guide (Section IX: Management Security, page 481). Overview: Secure management is increasingly important in modern networks, as

Page 426 - Port Roles

Chapter 40: Secure Shell (SSH) (page 482, Section IX: Management Security). Support for SSH: The AT-S63 implementation of the SSH protocol is compliant with the SS

Page 427 - Operational Settings

AT-S63 Management Software Features Guide (Section IX: Management Security, page 483). SSH Server: When the SSH server is enabled, connections from SSH clients are

Page 428

Chapter 40: Secure Shell (SSH) (page 484, Section IX: Management Security). SSH Clients: The SSH protocol provides a secure connection between the switch and SSH c

Page 429 - Single Operating

AT-S63 Management Software Features Guide (Section IX: Management Security, page 485). SSH and Enhanced Stacking: The AT-S63 Management Software allows for encrypt

Page 430

Chapter 40: Secure Shell (SSH) (page 486, Section IX: Management Security). Because enhanced stacking does not allow for SSH encrypted management sessions betwee

Page 431

AT-S63 Management Software Features Guide (Section IX: Management Security, page 487). SSH Configuration Guidelines: Here are the guidelines to configuring SSH: S

Page 432

Chapter 40: Secure Shell (SSH) (page 488, Section IX: Management Security). General Steps to Configuring SSH: Configuring the SSH server involves the following pro

Page 433 - Operating Mode

Section IX: Management Security (page 489). Chapter 41: TACACS+ and RADIUS Protocols. This chapter describes the two authentication protocols TACACS+ and RADIUS. S

Page 434

AT-S63 Management Software Features Guide (page 49). Manager Access Levels: The AT-S63 Management Software has two manager access levels of manager and operator.

Page 435

Chapter 41: TACACS+ and RADIUS Protocols (page 490, Section IX: Management Security). Supported Platforms: Refer to Table 120 and Table 121 for the AT-9400 Switche

Page 436

AT-S63 Management Software Features Guide (Section IX: Management Security, page 491). Overview: TACACS+ and RADIUS are authentication protocols that can enhance t

Page 437

Chapter 41: TACACS+ and RADIUS Protocols (page 492, Section IX: Management Security). When a network manager logs in to a switch to manage the device, the switch

Page 438 - Guest VLAN

AT-S63 Management Software Features Guide (Section IX: Management Security, page 493). Guidelines: Here are the main steps to using the TACACS+ or RADIUS client on

Page 439 - RADIUS Accounting

Chapter 41: TACACS+ and RADIUS Protocols (page 494, Section IX: Management Security). maximum length for a password is 16 alphanumeric characters and spaces. – T

Page 440 - General Steps

AT-S63 Management Software Features Guide (Section IX: Management Security, page 495). Note: If no authentication server responds or if no servers have been define

Page 441

Chapter 41: TACACS+ and RADIUS Protocols (page 496, Section IX: Management Security)

Page 442

Section IX: Management Security (page 497). Chapter 42: Management Access Control List. This chapter explains how to restrict Telnet and web browser management acc

Page 443

Chapter 42: Management Access Control List (page 498, Section IX: Management Security). Supported Platforms: Refer to Table 122 and Table 123 for the AT-9400 Switc

Page 444

AT-S63 Management Software Features Guide (Section IX: Management Security, page 499). Overview: This chapter explains how to restrict remote management access to

Page 445 - Management Security

AT-S63 Management Software Features Guide (page 5). Load Distribution Methods...

Page 446

Chapter 1: Overview (page 50). Installation and Management Configurations: The AT-9400 Switches can be installed in three configurations. Stand-alone Switches: All th

Page 447 - Web Server

Chapter 42: Management Access Control List (page 500, Section IX: Management Security). Parts of a Management ACE: An ACE has the following three parts: IP addre

Page 448

AT-S63 Management Software Features Guide (Section IX: Management Security, page 501). Guidelines: Below are guidelines for the management ACL: The default settin

Page 449

Chapter 42: Management Access Control List (page 502, Section IX: Management Security). Examples: Following are several examples of ACEs. This ACE allows the manage

Page 450 - Chapter 37: Web Server

AT-S63 Management Software Features Guide (Section IX: Management Security, page 503). The two ACEs in this management ACL permit remote management from the mana

Page 451

Chapter 42: Management Access Control List (page 504, Section IX: Management Security)

Page 452

505Appendix AAT-S63 Management Software Default SettingsThis appendix lists the factory default settings for the AT-S63 Management Software. The featu

Page 453 - Encryption Keys

Appendix A: AT-S63 Management Software Default Settings506 “System Name, Administrator, and Comments Settings” on page 537 “Telnet Server” on page 5

Page 454

AT-S63 Management Software Features Guide507Address Resolution Protocol CacheThe following table lists the ARP cache default setting.ARP Cache Setting

Page 455

Appendix A: AT-S63 Management Software Default Settings508Boot Configuration FileThe following table lists the names of the default configuration file

Page 456 - Encryption Key Length

AT-S63 Management Software Features Guide509BOOTP Relay AgentThe following table lists the default setting for the BOOTP relay agent.BOOTP Relay Agent

Page 457 - Encryption Key Guidelines

AT-S63 Management Software Features Guide51IP ConfigurationDo you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web

Page 458 - Technical Overview

Appendix A: AT-S63 Management Software Default Settings510Class of ServiceThe following table lists the default mappings of IEEE 802.1p priority level

Page 459

AT-S63 Management Software Features Guide511Denial of Service DefensesThe following table lists the default settings for the Denial of Service prevent

Page 460 - Authentication

Appendix A: AT-S63 Management Software Default Settings512802.1x Port-Based Network Access ControlThe following table describes the 802.1x Port-based

Page 461 - Algorithms

AT-S63 Management Software Features Guide513The following table lists the default settings for a supplicant port.VLAN Assignment EnabledSecure VLAN On

Page 462 - Chapter 38: Encryption Keys

Appendix A: AT-S63 Management Software Default Settings514Enhanced StackingThe following table lists the enhanced stacking default setting.Enhanced St

Page 463 - PKI Certificates and SSL

AT-S63 Management Software Features Guide515Ethernet Protection Switching Ring (EPSR) SnoopingThe following table lists the EPSR default setting.EPSR

Page 464

Appendix A: AT-S63 Management Software Default Settings516Event LogsThe following table lists the default settings for both the permanent and temporar

Page 465 - Types of Certificates

AT-S63 Management Software Features Guide517GVRPThis section provides the default settings for GVRP.GVRP Setting DefaultStatus DisabledGIP Status Enab

Page 466

Appendix A: AT-S63 Management Software Default Settings518IGMP SnoopingThe following table lists the IGMP Snooping default settings.IGMP Snooping Sett

Page 467 - Distinguished Names

AT-S63 Management Software Features Guide519Internet Protocol Version 4 Packet RoutingThe following table lists the IPv4 packet routing default settin

Page 468

Chapter 1: Overview52Configuration FilesStand-alone switches and stacks store their parameter settings in configuration files in their file systems. T

Page 469 - SSL and Enhanced Stacking

Appendix A: AT-S63 Management Software Default Settings520Link-flap ProtectionThe following table lists the default settings for link-flap protection.

Page 470

AT-S63 Management Software Features Guide521MAC Address-based Port SecurityThe following table lists the MAC address-based port security default setti

Page 471

Appendix A: AT-S63 Management Software Default Settings522MAC Address TableThe following table lists the default setting for the MAC address table.MAC

Page 472

AT-S63 Management Software Features Guide523Management Access Control ListThe following table lists the default setting for the management access cont

Page 473

Appendix A: AT-S63 Management Software Default Settings524Manager and Operator AccountThe following table lists the manager and operator account defau

Page 474 - X.509 Certificates

AT-S63 Management Software Features Guide525Multicast Listener Discovery SnoopingThe following table lists the MLD Snooping default settings.MLD Snoop

Page 475 - Infrastructure

Appendix A: AT-S63 Management Software Default Settings526Public Key InfrastructureThe following table lists the PKI default settings, including the g

Page 476 - Revocation Lists

AT-S63 Management Software Features Guide527Port SettingsThe following table lists the port configuration default settings.Port Configuration Setting

Page 477 - Implementation

Appendix A: AT-S63 Management Software Default Settings528RJ-45 Serial Terminal PortThe following table lists the RJ-45 serial terminal port default s

Page 478

AT-S63 Management Software Features Guide529Router Redundancy Protocol SnoopingThe following table lists the RRP Snooping default setting.RRP Snooping

Page 479 - Secure Shell (SSH)

AT-S63 Management Software Features Guide53Redundant Twisted Pair PortsSeveral AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are

Page 480

Appendix A: AT-S63 Management Software Default Settings530Server-based Authentication (RADIUS and TACACS+)This section describes the server-based auth

Page 481

AT-S63 Management Software Features Guide531Simple Network Management ProtocolThe following table describes the SNMP default settings.SNMP Communities

Page 482 - Support for SSH

Appendix A: AT-S63 Management Software Default Settings532Simple Network Time ProtocolThe following table lists the SNTP default settings.SNTP Setting

Page 483 - SSH Server

AT-S63 Management Software Features Guide533Spanning Tree Protocols (STP, RSTP, and MSTP)This section provides the spanning tree, STP RSTP, and MSTP,

Page 484 - SSH Clients

Appendix A: AT-S63 Management Software Default Settings534MultipleSpanning TreeProtocolThe following table lists the MSTP default settings.Loop Guard

Page 485 - SSH and Enhanced Stacking

AT-S63 Management Software Features Guide535Secure Shell ServerThe following table lists the SSH default settings.The SSH port number is not adjustabl

Page 486

Appendix A: AT-S63 Management Software Default Settings536Secure Sockets LayerThe following table lists the SSL default settings.SSL Setting DefaultMa

Page 487 - SSH Configuration Guidelines

AT-S63 Management Software Features Guide537System Name, Administrator, and Comments SettingsThe following table describes the IP default settings.IP

Page 488

Appendix A: AT-S63 Management Software Default Settings538Telnet ServerThe following table lists the Telnet server default settings.The Telnet port nu

Page 489 - TACACS+ and RADIUS Protocols

AT-S63 Management Software Features Guide539Virtual Router Redundancy ProtocolThe following table lists the VRRP default setting.VRRP Setting DefaultS

Page 490

Chapter 1: Overview54NoteThese guidelines do not apply to the SFP slots on the AT-9408LC/SP Switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts

Page 491

Appendix A: AT-S63 Management Software Default Settings540VLANsThis section provides the VLAN default settings.VLAN Setting DefaultDefault VLAN Name D

Page 492

AT-S63 Management Software Features Guide541Web ServerThe following table lists the web server default settings.Web Server Configuration Setting Defau

Page 493

Appendix A: AT-S63 Management Software Default Settings542

Page 494

543Appendix BSNMPv3 Configuration ExamplesThis appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to

Page 495

Appendix B: SNMPv3 Configuration Examples544SNMPv3 Configuration Examples This appendix provides SNMPv3 configuration examples for the following type

Page 496

AT-S63 Management Software Features Guide545Configure SNMPv3 SecurityToGroup TableUser Name:systemadmin24Security Model:v3Group Name: ManagersStorage

Page 497 - Chapter 42

Appendix B: SNMPv3 Configuration Examples546Configure SNMPv3 View Table Menu View Name: internetView Subtree OID: 1.3.6.1 (or internet)Subtree Mask: V

Page 498

AT-S63 Management Software Features Guide547Security ModelSecurity LevelRead View NameWrite View NameNotify View NameStorage TypeSNMPv3 SecurityToGrou

Page 499

Appendix B: SNMPv3 Configuration Examples548Security ModelSecurity LevelStorage TypeSNMPv3 Parameters (Continued)

Page 500 - Parts of a Management ACE

549Appendix CFeatures and StandardsThis appendix lists the features and standards of the AT-9400 Switch. Section include: ”10/100/1000Base-T Twisted

Page 501

AT-S63 Management Software Features Guide55History of New FeaturesThe following sections outline the history of new features in the AT-S63 Management

Page 502

Appendix C: Features and Standards55010/100/1000Base-T Twisted Pair PortsIEEE 802.1d BridgingIEEE 802.3 10Base-TIEEE 802.3u 100Base-TXIEEE 802.3ab 100

Page 503

AT-S63 Management Software Features Guide551Fiber Optic Ports (AT-9408LC/SP Switch)IEEE 802.1d BridgingIEEE 802.3z 1000Base-SX— Head of Line Blocking—

Page 504

Appendix C: Features and Standards552RFC 826 Address Resolution Protocol— Equal Cost Multi-path— Split Horizon and Split Horizon with Poison Reverse—

Page 505 - Settings

AT-S63 Management Software Features Guide553Management Access MethodsEnhanced StackingOut-of-band management (serial port) In-band management (over t

Page 506 - “Web Server” on page 541

Appendix C: Features and Standards554Port SecurityIEEE 802.1x Port-based Network Access Control: Supports multiple supplicants per port and the follo

Page 507 - ARP Cache Timeout 150 seconds

AT-S63 Management Software Features Guide555RFC 1757 RMON Groups 1, 2, 3, and 9Traffic ControlRFC 2386 Quality of Service featuring:— Layer 2, 3, and

Page 508 - Boot Configuration File

Appendix C: Features and Standards556— MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.)IEEE 802.3ac

Page 509

557Appendix DMIB ObjectsThis appendix lists the SNMP MIB objects in the private Allied Telesis MIBs that apply to the AT-S63 Management Software and t

Page 510

Appendix D: MIB Objects558Access Control ListsTable 31. Access Control Lists (AtiStackSwitch MIB)Object Name OIDatiStkSwACLConfigTable 1.3.6.1.4.1.207

Page 511

AT-S63 Management Software Features Guide559Class of ServiceTable 32. CoS Scheduling (AtiStackSwitch MIB)Object Name OIDatiSwQoSGroup 1.3.6.1.4.1.207.

Page 512

Chapter 1: Overview56already familiar with the commands in the AlliedWare Plus operating system, you may find this new interface more convenient to us

Page 513

Appendix D: MIB Objects560Date, Time, and SNTP ClientTable 36. Date, Time, and SNTP Client (AtiStackSwitch MIB)Object Name OIDatiStkSysSystemTimeConfi

Page 514 - Enhanced Stacking

AT-S63 Management Software Features Guide561Denial of Service DefensesTable 37. LAN Address and Subnet Mask (AtiStackSwitch MIB)Object Name OIDatiStkD

Page 515 - EPSR State Disabled

Appendix D: MIB Objects562Enhanced StackingTable 39. Switch Mode and Discovery (AtiStackInfo MIB)Object Name OIDatiswitchEnhancedStackingInfo 1.3.6.1.

Page 516 - Event Logs

AT-S63 Management Software Features Guide563GVRPTable 41. GVFP Switch Configuration (AtiStackSwitch MIB)Object Name OIDatiStkSwGVRPConfig 1.3.6.1.4.1.

Page 517

Appendix D: MIB Objects564atiStkSwGVRPCountersPortNotListening 1.3.6.1.4.1.207.8.17.3.8.1.8atiStkSwGVRPCountersInvalidPort 1.3.6.1.4.1.207.8.17.3.8.1.

Page 518 - IGMP Snooping

AT-S63 Management Software Features Guide565MAC Address TableTable 44. MAC Address Table (AtiStackSwitch MIB)Object Name OIDatiStkSwMacAddr2VlanTable

Page 519

Appendix D: MIB Objects566Management Access Control ListTable 46. Management Access Control List Status (AtiStackSwitch MIB)Object Name OIDatiStkSwSys

Page 520

AT-S63 Management Software Features Guide567MiscellaneousTable 48. System Reset (AtiStackSwitch MIB)Object Name OIDatiStkSwSysGroup 1.3.6.1.4.1.207.8.

Page 521

Appendix D: MIB Objects568Port MirroringTable 51. Port Mirroring (AtiStackSwitch MIB)Object Name OIDatiStkSwPortMirroringConfig 1.3.6.1.4.1.207.8.17.2

Page 522 - MAC Address Table

AT-S63 Management Software Features Guide569Quality of ServiceTable 52. Flow Groups (AtiStackSwitch MIB)Object Name OIDatiStkSwQosFlowGrpTable 1.3.6.1

Page 523 - Status Disabled

AT-S63 Management Software Features Guide57NoteThe new MODULE parameter can only be used on stacks that already have Version 4.0.0 or later. To update

Page 524 - Manager and Operator Account

Appendix D: MIB Objects570atiStkSwQosTrafficClassClassPriority 1.3.6.1.4.1.207.8.17.7.6.1.9atiStkSwQosTrafficClassRemarkPriority 1.3.6.1.4.1.207.8.17.

Page 525

AT-S63 Management Software Features Guide571Port Configuration and StatusTable 55. Port Configuration and Status (AtiStackSwitch MIB)Object Name OIDa

Page 526 - Public Key Infrastructure

Appendix D: MIB Objects572Spanning TreeTable 56. Spanning Tree (AtiStackSwitch MIB)Object Name OIDatiStkSwSysConfig 1.3.6.1.4.1.207.8.17.1.1atiStkSwSy

Page 527 - Port Settings

AT-S63 Management Software Features Guide573Static Port TrunkTable 57. Static Port Trunks (AtiStackSwitch MIB)Object Name OIDatiStkSwStaticTrunkTable

Page 528 - RJ-45 Serial Terminal Port

Appendix D: MIB Objects574VLANsThe objects in Table 58 display the specifications of the Default_VLAN.The objects in Table 59 display the names and VI

Page 529 - RRP Snooping Status Disabled

AT-S63 Management Software Features Guide575Table 61. PVID Table (AtiStackSwitch MIB)Object Name OIDatiStkSwPort2VlanTable 1.3.6.1.4.1.207.8.17.3.2ati

Page 530 - Server-based

Appendix D: MIB Objects576

Page 531

577IndexNumerics802.1p priority level in classifiers 139802.1Q-compliant VLAN mode 340802.1x Port-based Network Access Controlauthentication process 4

Page 532 - Simple Network Time Protocol

Index578protocols 140source MAC addresses 139TCP flags 143TCP source and destination ports 143UDP source and destination ports 143VLAN ID 140Common an

Page 533

AT-S63 Management Software Features Guide579Hhello time 276history of new features 55HMAC authentication algorithm 461HMAC-MD5-96 (MD5) authentication

Page 534 - Protocol

Chapter 1: Overview58Version 3.0.0 Table 21 lists the new features in version 3.0.0 of the AT-S63 Management Software.Table 21. New Features in AT-S63

Page 535 - Secure Shell Server

Index580module ID numbersdescribed 74MSTI priority 301MSTI. See Multiple Spanning Tree Instances (MSTI)MSTP. See Multiple Spanning Tree Protocol (MSTP

Page 536 - Secure Sockets Layer

AT-S63 Management Software Features Guide581loop guard 283supported platforms 270redundant twisted pair ports 53regional root 301regions 299revision n

Page 537 - Comments None

Index582static module ID numbersdescribed 74static port trunksdescribedguidelines 106load distribution methods 104supported platforms 102static routes

Page 538 - Telnet Server

AT-S63 Management Software Features Guide59Version 2.1.0 Table 22 lists the new features in version 2.1.0.Version 2.0.0 Table 23 lists the new feature

Page 539 - VRRP Setting Default

Contents6Replacing Priorities...

Page 540

Chapter 1: Overview60Version 1.3.0 Table 24 lists the new features in version 1.3.0 of the AT-S63 Management Software.Table 24. New Features in AT-S63

Page 541

AT-S63 Management Software Features Guide61Version 1.2.0 Table 25 lists the new features in version 1.2.0.Table 25. New Features in AT-S63 Version 1.2

Page 542

Chapter 1: Overview62802.1x Port-based Network Access ControlAdded a new parameter to authenticator ports: Supplicant Mode for supporting multiple su

Page 543 - SNMPv3 Configuration Examples

63Chapter 2AT-9400Ts StacksThis chapter has the following sections: “Supported Platforms” on page 64 “Introduction” on page 65 “AT-S63 Management S

Page 544

Chapter 2: AT-9400Ts Stacks64 Section I: Basic OperationsSupported PlatformsTable 26 and Table 27 list the AT-9400 Switches and the management interfa

Page 545 - Configuration

AT-S63 Management Software Features GuideSection I: Basic Operations 65IntroductionThe switches in the AT-9400 Series are divided into the Layer 2+ gr

Page 546 - Worksheet

Chapter 2: AT-9400Ts Stacks66 Section I: Basic OperationsAT-S63 Management SoftwareStacking requires Version 3.0.0 or later of the AT-S63 Management S

Page 547

AT-S63 Management Software Features GuideSection I: Basic Operations 67AT-StackXG Stacking ModuleTo be part of a stack, the AT-9400Ts Switch must have

Page 548 - SNMPv3 Parameters (Continued)

Chapter 2: AT-9400Ts Stacks68 Section I: Basic OperationsMaximum Number of Switches in a StackStacks of the 24-port AT-9424Ts Switch or the AT-9424Ts/

Page 549 - Features and Standards

AT-S63 Management Software Features GuideSection I: Basic Operations 69Enhanced StackingIf you have prior experience with Allied Telesis products, you

Page 550

AT-S63 Management Software Features Guide7Chapter 23: Ethernet Protection Switching Ring Snooping ...

Page 551 - DHCP and BOOTP Clients

Chapter 2: AT-9400Ts Stacks70 Section I: Basic OperationsStack TopologyThe switches of an AT-9400Ts Stack are cabled with the AT-StackXG Stacking Modu

Page 552

AT-S63 Management Software Features GuideSection I: Basic Operations 71Figure 3. Duplex-ring TopologyBoth topologies offer the same in terms of networ

Page 553 - Management MIBs

Chapter 2: AT-9400Ts Stacks72 Section I: Basic OperationsDiscovery ProcessWhen the switches of a stack are powered on or reset, they synchronize their

Page 554 - System Monitoring

AT-S63 Management Software Features GuideSection I: Basic Operations 73Master and Member SwitchesThe activities of the devices of a stack are coordina

Page 555 - Traffic Control

Chapter 2: AT-9400Ts Stacks74 Section I: Basic OperationsModule ID NumbersThe switches of a stack are identified by module ID numbers. Each switch mus

Page 556

AT-S63 Management Software Features GuideSection I: Basic Operations 75Stack Configuration FilesThe parameter settings of a stack are stored in the ac

Page 557 - MIB Objects

Chapter 2: AT-9400Ts Stacks76 Section I: Basic Operations If the switch determines that its ID number is set to STATIC with the value 1, then it know

Page 558

AT-S63 Management Software Features GuideSection I: Basic Operations 77MAC Address TablesThe MAC address tables of the switches in a stack are all the

Page 559

Chapter 2: AT-9400Ts Stacks78 Section I: Basic OperationsStack IP AddressIf you do not intend to use the packet routing feature, you must still assign

Page 560 - Date, Time, and SNTP Client

AT-S63 Management Software Features GuideSection I: Basic Operations 79Upgrading the AT-S63 Management SoftwareThe AT-9400 Switch must have Version 3.

Page 561

Contents8Associating VLANs to MSTIs...

Page 562

Chapter 2: AT-9400Ts Stacks80 Section I: Basic Operations

Page 563

Section I: Basic Operations 81Chapter 3Enhanced StackingThis chapter contains the following sections: “Supported Platforms” on page 82 “Overview” on

Page 564 - Appendix D: MIB Objects

Chapter 3: Enhanced Stacking82 Section I: Basic OperationsSupported PlatformsTable 29 and Table 30 list the AT-9400 Switches and the management interf

Page 565

AT-S63 Management Software Features GuideSection I: Basic Operations 83OverviewHaving to manage a large number of network devices typically involves s

Page 566

Chapter 3: Enhanced Stacking84 Section I: Basic OperationsMaster and Slave SwitchesAn enhanced stack must have at least one master switch. This switch

Page 567 - Miscellaneous

AT-S63 Management Software Features GuideSection I: Basic Operations 85Common VLANA master switch searches for the other switches in an enhanced stack

Page 568 - Port Mirroring

Chapter 3: Enhanced Stacking86 Section I: Basic OperationsMaster Switch and the Local InterfaceBefore a switch can function as the master switch of an

Page 569

AT-S63 Management Software Features GuideSection I: Basic Operations 87Slave SwitchesThe slave switches of an enhanced stack must be connected to the

Page 570

Chapter 3: Enhanced Stacking88 Section I: Basic OperationsEnhanced Stacking CompatibilityThis version of enhanced stacking is compatible with earlier

Page 571 - Port Configuration and Status

AT-S63 Management Software Features GuideSection I: Basic Operations 89Enhanced Stacking GuidelinesHere are the guidelines to using the enhanced stack

Page 572

AT-S63 Management Software Features Guide9Section VII: Internet Protocol Routing ...361C

Page 573 - Static Port Trunk

Chapter 3: Enhanced Stacking90 Section I: Basic OperationsGeneral StepsHere are the basic steps to implementing the enhanced stacking feature on the A

Page 574

Section I: Basic Operations 91Chapter 4SNMPv1 and SNMPv2cThis chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch

Page 575

Chapter 4: SNMPv1 and SNMPv2c92 Section I: Basic OperationsSupported PlatformsRefer to Table 31 and Table 32 for the AT-9400 Switches and the manageme

Page 576

AT-S63 Management Software Features GuideSection I: Basic Operations 93OverviewYou can manage a switch by viewing and changing the management informat

Page 577 - Numerics

Chapter 4: SNMPv1 and SNMPv2c94 Section I: Basic OperationsCommunity String AttributesA community string has attributes for controlling who can use th

Page 578

AT-S63 Management Software Features GuideSection I: Basic Operations 95the community strings.Each community string can have up to eight trap IP addres

Page 579

Chapter 4: SNMPv1 and SNMPv2c96 Section I: Basic OperationsDefault SNMP Community StringsThe AT-S63 Management Software provides two default community

Page 580

Section I: Basic Operations 97Chapter 5MAC Address TableThis chapter contains background information about the MAC address table.This chapter contains

Page 581

Chapter 5: MAC Address Table98 Section I: Basic OperationsOverviewThe AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries

Page 582

AT-S63 Management Software Features GuideSection I: Basic Operations 99no longer active.The period of time a switch waits before purging inactive dyna
