Allied Telesis EX 3.11 Vista Manager Software User Guide

: June 13, 2024
: Allied Telesis

Table of Contents

Introduction
Overview
Configuring STOAT
Monitoring STOAT
Device discovery and removing a switch from a stack
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

Technical Guide

Device Discovery using STOAT
Feature Overview and Configuration Guidealliedtelesis.com

Introduction

Together, Vista Manager EX 3.11 and AlliedWare Plus software version 5.5.3-1 support AMF Plus Device Discovery using the STOAT (Standardized Topology Organizer and Transport) discovery protocol. STOAT learns about network devices and their links, and Vista Manager EX, using it’s AMF Plus Device Discovery feature, can then access this information so they can be displayed on the network map.
STOAT is designed to gather topology information about networks. It standardizes the output of various discovery protocols into a common format and transports the resulting topology data to a central point for use by Vista Manager EX.
Using LLDP and DHCP Snooping, STOAT can discover and gather information about devices in the local network. These devices may include IP cameras, IP phones, PCs, laptops, Wi-fi access points, printers, and so on. LLDP is limited to discovering devices directly connected to the STOAT device, however DHCP Snooping can discover devices one or more hops away.
The STOAT Collector provides Vista Manager EX with a near real-time stream of topology updates, allowing a responsive and accurate view of the network.
This document describes using STOAT Device Discovery with Vista Manager EX and STOAT Device Discovery from the AlliedWare Plus CLI.

Products and software version that apply to this guide
This guide applies to all AlliedWare Plus™ products that are AMF capable, running version 5.5.3-1 or later, and Vista Manager EX version 3.11 or later.
For the latest information, see the following documents:

These documents are available from the above links on our website at alliedtelesis.com.

Related documents
See the following documents for more detailed information:

For more information about DHCP, see the DHCP Snooping Feature Overview and Configuration Guide.
For more information about PKI, see the Public Key Infrastructure (PKI) Feature Overview and Configuration Guide.
For more information about LLDP, see the LLDP Feature Overview and Configuration Guide.

Licensing
An active AMF Plus license is required.

Overview

Vista Manager EX creates an integrated map using information from AMF and other plug-ins such as AWC and SNMP. Device Discovery using STOAT enhances the topology information present in the integrated map by providing Vista Manager EX with additional information about devices, and the links between them.
STOAT devices add information about themselves to the topology in addition to information from the following discovery protocols:

LLDP
DHCP Snooping

Device discovery
Devices with the STOAT feature enabled record information about themselves and their network interfaces. This information includes details about:

Hostname
Manufacturer and model name
Software, hardware, and firmware revision
Switch ports, including aggregator and VLAN configuration
Eth ports
IPv4 and IPv6 addresses

This data is imported into Vista Manager EX to give an optimal view of the network.

LLDP
When STOAT devices are enabled to use LLDP, they utilize LLDP to discover adjacent STOAT devices and store the link adjacencies in the topology. Additionally, STOAT will discover other adjacent devices capable of LLDP and LLDP-MED, recording the advertised information and link adjacencies in the topology.
The information advertised will depend on the adjacent device and its configuration, but it can contain:

Port ID
Port description
Chassis ID
System name
System description
System capabilities supported and enabled.
Management addresses
MED device type
MED hardware, firmware, and software revisions
MED serial number
MED manufacturer name
MED model name
MED asset ID

DHCP Snooping
When STOAT devices are enabled to use DHCP Snooping, they utilize the local DHCP Snooping database as a source of information to discover devices, and they record this information in the topology.
This information can contain:

IP address
MAC address
Hostname
DHCP request options, and their values
Ingress VLAN and port of the DHCP request

Devices in a STOAT network
STOAT incorporates a key feature wherein topology information is transported to a central point within the network. This enables Vista Manager EX to effectively utilize the information. To accomplish this, STOAT has 3 roles: Collector, Source, and non-STOAT device.

Collector – a STOAT device that has been configured to receive topology information from other STOAT devices.
Source – a STOAT device that has been configured with the destination address of a Collector, to send its topology information to.
non-STOAT device – a device that you want STOAT to discover.

Allied Telesis EX 3 11 Vista Manager Software - STOAT

What are STOAT devices?
STOAT devices are AlliedWare Plus devices that have been configured with STOAT. It is possible for a STOAT device to be both a Collector and Source simultaneously.
What are non-STOAT devices?
A non-STOAT device is simply any device that does not have STOAT configured. So this could include:

Allied Telesis AlliedWare Plus device that supports STOAT, but doesn’t have it configured
Allied Telesis AlliedWare Plus device running a release that pre-dates STOAT
Allied Telesis non-AlliedWare Plus device (WebSmart switch, unmanaged switch, Access Point, etc.)
Third-party vendor switch
Printer
Laptop
Camera
Smart coffee machine
And any other networked device that supports LLDP or DHCP.

How to connect your STOAT devices
Flat Collector network
The simplest form of a STOAT network has a single Collector, that all other STOAT nodes have configured as a destination. This is the preferred layout for networks with a small number of STOAT devices (e.g., 50 or fewer) or in larger networks where the Collector is a powerful device such as a Virtual AMF Appliance (VAA).

Allied Telesis EX 3 11 Vista Manager Software - STOAT
devices

Hierarchical Collector Network
Larger or more complex STOAT networks may require a hierarchy of Collectors. Arranging the Collectors in a hierarchy allows some of the work of the top Collector to be distributed more evenly across the network.
A hierarchical network also allows a hierarchy of Vista Manager EX instances. This may be useful in scenarios involving large networks with multiple branch offices, where the primary Vista Manager EX instance located at a central site can have comprehensive visibility, while additional Vista Manager EX instances co-located with the branch offices can solely observe the topology of their respective branch office.

Allied Telesis EX 3 11 Vista Manager Software - Collector
Network

Redundant Collector network
Each STOAT source can be configured with multiple destinations. This allows the construction of STOAT networks with redundant Collectors.
Care should be taken when configuring multiple destinations, as each additional destination increases the workload of the STOAT source.

Allied Telesis EX 3 11 Vista Manager Software - STOAT
source

Configuring STOAT

To configure a STOAT network, you can perform the following general steps:

“Enable the STOAT service and STOAT discovery protocols” on page 9
“Configure a STOAT Collector” on page 10
“Configure STOAT Sources” on page 11
“Enable LLDP on non-STOAT devices” on page 11

Enable the STOAT service and STOAT discovery protocols
Step 1: Enable the STOAT service
awplus(config)# service stoat
Step 2: Enable discovery via LLDP
Enable LLDP on all interfaces:
awplus(config)# lldp run
Enable LLDP as a STOAT discovery protocol:
awplus(config)# stoat discovery lldp
Step 3: Enable discovery via DHCP Snooping
If the device supports DHCP Snooping, STOAT can use it as a discovery protocol.
Enable the DHCP Snooping service:
awplus(config)# service dhcp-snooping
Enable DHCP Snooping on all required VLANs:
awplus(config)# interface
awplus(config-if)# ip dhcp snooping
If you are using an external DHCP server, mark the ports towards that server as trusted:
awplus(config)# interface
awplus(config-if)# ip dhcp snooping trust
Enable DHCP Snooping as a STOAT discovery protocol:
awplus(config)# stoat discovery dhcp-snooping

For more information about DHCP Snooping, see the DHCP Snooping Feature Overview and Configuration Guide.

Configure a STOAT Collector
Select a device to be the STOAT Collector. This should be a powerful device that is currently located in the network.

Step 1: Enable a device to be a STOAT Collector
awplus(config)# service dhcp-snooping
Step 2: Generate a number of STOAT keys
These keys match the number of sources that will connect to this Collector.

Allied Telesis EX 3 11 Vista Manager Software - STOAT
keys

Note: Store the generated output in a safe place, you will need it later, see “Configure STOAT Sources” on page 11.

We recommended all Sources use unique keys, however it is possible for multiple Sources to share the same key.
Consider configuring the Collector expiry-period to adjust the time for the Collector to determine dead sources. While the default of 60 seconds is recommended for most networks, if you face frequent disappearance and reappearance of large network segments in Vista Manager EX, increasing the expiry-period may be worth considering:
awplus(config)# stoat collector expiry-period <10-300>

Step 3: Configure trustpoint (Optional)

STOAT supports the use of trustpoints to establish full bi-directional trust between Sources and Collectors. STOAT can operate without trustpoints in a less secure mode of operation, however the use of trustpoints is highly recommended to ensure the security of the STOAT topology data.
Create a new self-signed trustpoint for the STOAT Collector:
awplus(config)# crypto pki trustpoint stoat-collector
awplus(ca-trustpoint)# enrollment selfsigned
awplus(ca-trustpoint)# end
awplus# crypto pki trustpoint stoat-collector authenticate
awplus# crypto pki trustpoint stoat-collector enroll
Alternatively you may create a CSR and use an external CA. See the Public Key Infrastructure (PKI) Feature Overview and Configuration Guide.
Configure the STOAT Collector to use the new trustpoint:
awplus(config)# stoat-collector trustpoint stoat-collector.
Export the trustpoint CA certificate (store the output safely, you will need it in a later step):
awplus# crypto pki export stoat-collector pem

Configure STOAT Sources
All STOAT devices, other than the Collector, will need to configure a destination to the Collector.
Step 1: Create a destination to the IP address or FQDN of the Collector
awplus(config)# stoat destination 192.168.55.3
awplus(config-stoat-dest)#
Step 2: Configure the key, using one of the keys you generated earlier
awplus(config-stoat-dest)# key F2jBktZRXBuiD1qG-zNPeDAuHv5k=
Step 3: Ensure the destination is not shutdown
awplus(config-stoat-dest)# no shutdown
Step 4: Configure trustpoint (Optional)
If you have configured a trustpoint for the Collector, you should now create a matching trustpoint on the Source, and configure the destination to use it. The destination will use the trustpoint to verify the service certificate presented by the Collector was signed by the CA contained within the configured trustpoint.

Create a new trustpoint to contain the Collector CA:
awplus(config)# crypto pki trustpoint stoat-collector
awplus(ca-trustpoint)# enrollment terminal
Authenticate the trustpoint using the CA certificate you exported earlier:
awplus# crypto pki authenticate stoat-collector
<paste the —-BEGIN CERTIFICATE—-text you recorded earlier here>
Configure the STOAT destination to use the new trustpoint:
awplus(config)# stoat destination 172.16.0.1
awplus(config-stoat-dest)# trustpoint stoat-collector
Optionally enable TLS name-check to verify the Collector’s server certificate contains the configured destination address. If you are unsure, skip this step.
awplus(config-stoat-dest)# name-check

Enable LLDP on non-STOAT devices
To get the best experience with STOAT, we recommend you enable LLDP on all non-STOAT devices you wish to discover. Additionally, for certain devices, when configuring the advertised LLDP TLVs, we recommend selecting all options in these cases.
For information on whether a specific Allied Telesis device supports LLDP and how to configure it, please consult the Document Library on our website: alliedtelesis.com.

Monitoring STOAT

You can use show commands to monitor the ongoing activities of STOAT:

To display STOAT sessions, use the command show stoat collector sessions:
To display a list of keys, use the command show stoat collector keys:
To display Source information, use the command show stoat destinations detail:

Device discovery and removing a switch from a stack

If you remove a switch from a stack and use it elsewhere, you have to clean it first.
Each switch in a stack has an ID number, which can be an integer between 1 and 8. The default on each switch is a stack ID of 1. The ID number of a stack member is an important identifier. All commands that are port or switch specific need to use the stack ID to identify which stack member the commands apply to.
If you remove a switch from a VCStack and want to use it elsewhere in the network, return it to its factory default state first. This is essential if you are using Vista Manager or Device Discovery using STOAT, but we recommend doing it in all cases.
If you want to remove a switch from a stack, use the following steps:

Shut down all stacking links to the switch you wish to remove from the stack. This is optional but recommended, especially if someone other than you will do the step of physically uncabling the switch.
Remove all of the cabling used for stacking links.
Re-cable the remaining stack members together correctly.
Log into the disconnected device through its console port. If you use SSH to connect, you will lose connectivity to the switch after resetting it.
Reset the switch to its factory default state, using either of the commands:
awplus# atmf cleanup
or
awplus# erase factory-default
These commands are synonyms and will erase all NVS, all flash contents except for the boot release, a GUI resource file, and any license files.
Reboot the switch.
If you want to use the switch as a standalone switch, disable stacking using the command no stack 1 enable and reboot the device.

NOTES:
If the full factory-default reset is inconvenient, it is important to change or delete the “stack virtualchassis-id” in the startup configuration.
For devices running AlliedWare Plus software version 5.5.3-0.x or later, reset the device unique-id using the privileged exec command unique-id to avoid serious network conflicts.

C613-22138-00 REV A