Allied Telesis Computer Hardware x900 User Manual

Network Resiliency Solutions  
x900 Advanced Gigabit Layer 3+ Expandable Switches  
Tested Solution: VCStack + Link Aggregation  
Prior to the advent of theVirtual Chassis Stacking (VCStack) solution, high availability in enterprise networks was achieved by  
provisioning redundant links (with STP) and redundant routers (withVRRP). In normal operation, bandwidth and routing power would  
sit idle in the network.  
AlliedTelesis now provides a truly resilient network. In normal operation, all bandwidth and all routing power in the network are fully  
available for use all the time. If a link or device fails, some of the bandwidth or forwarding power will be lost, but the network will still  
be fully operational and all remaining resources will continue to be fully utilized.  
Servers  
8600  
x900  
8000S  
CORE  
8000S  
Stack  
1 Gigabit link  
10/100 link  
Link aggregation  
EDGE  
Diagram 1: VCStack + Link Aggregation  
Key Benefits of the solution  
Full bandwidth utilization and maximum availability  
The key advantage comes from configuring the links from the edge to the core using 802.3ad link aggregation.This is possible  
becauseVCS supports link aggregation on ports across different virtual chassis members, providing:  
Full network bandwidth, as both ports are active; no links are blocked, as some would be with spanning tree.  
Minimal network disruption if a link fails.The process within a switch when an aggregated link fails is very simple and the virtual  
chassis almost instantly adapts its data forwarding on the loss of the link.  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
x900 Configuration  
All log messages are sent to a syslog server. Higher-severity  
log messages are also buffered on the switch itself  
log buffered level errors  
log host 192.168.10.11  
log host 192.168.10.11 level debugging  
access-list 1 permit 192.168.10.13  
snmp-server enable trap auth nsm  
snmp-server community public ro 1  
snmp-server host 192.168.10.13 version 2c public  
Allow read-only SNMP monitoring from one management  
station  
A resiliency link backs up the dedicated stacking link. If the  
stacking link fails, communication is maintained to allow  
graceful reconfiguration  
stack resiliencylink eth0  
stack 1 priority 1  
Use priority to pre-elect theVCStack master switch  
CreateVLANs.VLAN 169 for servers, andVLANs 170-172  
for connectivity to edge switches  
vlan database  
vlan 169-172 state enable  
interface port1.0.1  
switchport  
switchport mode access  
switchport access vlan 169  
static-channel-group 1  
interface port2.0.1  
switchport  
switchport mode access  
switchport access vlan 169  
static-channel-group 1  
Create link aggregation groups across theVCStack  
members for resiliency. One for servers, and three for  
edge switches  
interface port1.0.3  
switchport  
switchport mode access  
switchport access vlan 170  
static-channel-group 2  
interface port2.0.3  
switchport  
switchport mode access  
switchport access vlan 170  
static-channel-group 2  
interface port1.0.5  
switchport  
switchport mode access  
switchport access vlan 171  
static-channel-group 3  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
interface port2.0.5  
switchport  
switchport mode access  
switchport access vlan 171  
static-channel-group 3  
interface port1.0.7  
switchport  
switchport mode access  
switchport access vlan 172  
static-channel-group 4  
Create link aggregation groups across theVCStack  
members for resiliency. One for servers, and three for  
edge switches  
interface port2.0.7  
switchport  
switchport mode access  
switchport access vlan 172  
static-channel-group 4  
interface vlan169  
ip address 192.168.169.1/24  
interface vlan170  
ip address 192.168.170.1/24  
ip dhcp-relay server-address 192.168.169.254  
Assign an IP address to eachVLAN. Configure DHCP relay  
to forward DHCP requests to the server  
interface vlan171  
ip address 192.168.171.1/24  
ip dhcp-relay server-address 192.168.169.254  
interface vlan172  
ip address 192.168.172.1/24  
ip dhcp-relay server-address 192.168.169.254  
Configure a default route to external networks  
ip route 0.0.0.0/0 192.168.169.254  
ntp server 192.168.10.11  
end  
Configure NTP (NetworkTime Protocol) with the IP  
address of the NTP server  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
8600 Configuration  
To enable secure HTTP management to use certificates, a  
distinguished name is required and system security must  
be enabled  
set system distinguished="cn=switch1, o=alliedtelesis, c=nz"  
enable system security  
Storm control is configured to prevent downstream loops  
from affecting the inner layers of the network  
set switch port=1-24 bclimit=3000 mclimit=3000 dlflimit=3000  
create vlan="edge" vid=171  
add vlan="171" port=1-26  
By default, all ports are put intoVLAN 171  
enable stp="default"  
set stp="default" mode=rapid  
disable stp="default" port=1-24  
Spanning tree needs to be disabled on the edge-facing  
ports, as it cannot co-exist with 802.1x authentication  
The two gigabit ports are aggregated together to create a  
resilient link to the network core  
create switch trunk=aggregation port=25-26 speed=1000m  
802.1x authentication is enabled on all the client-facing  
ports. Clients cannot access the network without being  
authenticated  
enable portauth=8021x  
enable portauth=8021x port=1-24 type=authenticator  
enable dhcpsnooping  
enable dhcpsnooping arpsecurity  
enable dhcpsnooping log=arpsecurity  
set dhcpsnooping port=25 trusted=yes  
set dhcpsnooping port=26 trusted=yes  
DHCP snooping guards against rogue server attacks, server  
exhaustion attacks, arp poisoning attacks and IP spoofing  
attacks. Any ARP poisoning attempt will be logged  
enable ip  
Attach a management IP address toVLAN171, and provide  
a default gateway address  
add ip int=vlan171 ip=192.168.171.34  
add ip route=0.0.0.0 interface=vlan171 nexthop=192.168.171.1  
The Radius server is used for authenticating management  
sessions and also for authenticating 802.1x clients.  
add radius server=192.168.10.34 secret="testing123-2"  
port=1812 accport=1813  
add switch l3filter match=dipaddress dclass=host  
add switch l3filter=1 entry dipaddress=192.168.171.34  
action=deny  
add switch l3filter match=none import=true  
add switch l3filter=2 entry iport=26 action=nodrop  
add switch l3filter=2 entry iport=25 action=nodrop  
Management access is ONLY possible via the core-  
connected aggregated link. Access via insecure methods  
Telnet and HTTP are blocked  
disable telnet server  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
enable ssh server serverkey=1 hostkey=0 expirytime=1  
logintimeout=60  
add pki certificate="cer_name" location=cer_name.cer trust=true  
set http server security=on sslkey=2 port=443  
Remote management sessions must use SSH and/or  
HTTPS  
All log messages are sent to a syslog server.  
Higher-severity log messages are also buffered on the  
switch itself  
create log output=1 destination=syslog server=192.168.10.11  
secure=yes message=20  
add log output=1 filter=1 severity=>1  
enable snmp  
enable snmp authenticate_trap  
Allow read-only SNMP monitoring from one management  
station. Send traps to that same management station  
create snmp community=public  
enable snmp community=public trap  
add snmp community=public manager=192.168.10.13  
add snmp community=public traphost=192.168.10.13  
enable ntp  
add ntp peer=192.168.10.3  
System time is provided from an NTP server  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
8000S Configuration  
interface range ethernet 1/e(1-24),2/e(1-24)  
Broadcast and multicast limiting prevent downstream loops  
port storm-control broadcast enable  
from affecting the inner layers of the network  
port storm-control include-multicast  
exit  
interface range ethernet 1/e(1-24),2/e(1-24)  
spanning-tree portfast  
spanning-tree guard root  
exit  
The client-facing ports are configured as portfast so there  
is no delay in connectivity when client devices attach. Root  
guard protects against STP spoofing attacks  
interface range ethernet 1/e(1-24),2/e(1-24)  
Port security guards against MAC spoofing attacks, and  
limits the ability for intruders to connect to the network  
port security mode max-addresses  
port security max 3  
port security discard trap 60  
exit  
vlan database  
default-vlan vlan 170  
exit  
By default, all ports are put intoVLAN 170  
Two gigabit ports, one from each stack member, are  
aggregated together to create a resilient link to the  
network core  
interface range ethernet 1/g1,2/g1  
channel-group 1 mode on  
exit  
dot1x system-auth-control  
interface range ethernet 1/e(1-24),2/e(1-14)  
dot1x single-host-violation discard trap 30  
dot1x re-authentication  
802.1x authentication is enabled on all the client-facing  
ports. Clients cannot access the network without being  
authenticated  
dot1x port-control auto  
exit  
ip dhcp snooping  
ip dhcp snooping vlan 170  
interface port-channel 1  
ip dhcp snooping trust  
exit  
DHCP snooping guards against rogue server and server  
exhaustion attacks  
interface vlan 170  
ip address 192.168.170.45 255.255.0.0  
exit  
Attach a management IP address toVLAN170, and provide  
a default gateway  
ip default-gateway 192.168.170.1  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
radius-server host 192.168.10.34 auth-port 1812 acct-port 1813  
key testing123-2  
aaa authentication login default radius local  
aaa authentication dot1x default radius  
The Radius server is used for authenticating management  
sessions and also for authenticating 802.1x clients  
management access-list mlist  
deny service telnet  
deny service http  
Management access is ONLY possible via the core-  
connected aggregated link. Access via insecure methods  
Telnet and HTTP are blocked  
permit port-channel 1  
exit  
management access-class mlist  
Remote management sessions must use SSH and/or  
HTTPS  
ip ssh server  
ip https server  
All log messages are sent to a syslog server.  
Higher-severity log messages are also buffered on the  
switch itself  
logging 192.168.10.11  
logging buffered errors  
Allow read-only SNMP monitoring from one management  
station. Send traps to that same management station  
snmp-server community public ro 192.168.10.13 view Default  
snmp-server host 192.168.10.13 public traps 2  
sntp client enable vlan 170  
clock source sntp  
sntp unicast client enable  
sntp server 192.168.10.3  
System time is provided from an SNTP server  
line console  
autobaud  
exit  
The console port can auto-detect the terminal data rate  
Allied Telesis  
 
NETWORK RESILIENCY SOLUTIONS |VCStack + Link aggregation  
About AlliedTelesis  
AlliedTelesis is a world class leader in delivering IP/Ethernet network solutions to the  
global market place.We create innovative, standards-based IP networks that seamlessly  
connect you with voice, video and data services.  
Enterprise customers can build complete end-to-end networking solutions through a  
single vendor, with core to edge technologies ranging from powerful 10 Gigabit Layer 3  
switches right through to media converters.  
AlliedTelesis also offer a wide range of access, aggregation and backbone solutions for  
Service Providers. Our products range from industry leading media gateways which  
allow voice, video and data services to be delivered to the home and business, right  
through to high-end chassis-based platforms providing significant network infrastructure.  
AlliedTelesis' flexible service and support programs are tailored to meet a wide range  
of needs, and are designed to protect your AlliedTelesis investment well into the future.  
USA Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895  
European Headquarters |Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11  
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830  
© 2008 AlliedTelesis Inc.All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. 617-000170 Rev. L  
 

Acer Computer Monitor P215H User Manual
AC International Styling Iron AC8PROS User Manual
Allied Telesis Network Card AT AR750S User Manual
Altec Lansing Speaker CD408 16T User Manual
Altinex Network Card MT103 115 User Manual
Amana Dishwasher L0503010 User Manual
ATN Binoculars MO 4 User Manual
Avocent Switch CPS1610 CPS User Manual
Axis Communications Security Camera 216FD FD V User Manual
Axis Communications Security Camera p1357 e User Manual