Extreme Networks Summit 300-48 Software User's Manual

Software version 6.2a

Summit 300-48 Switch
Software User Guide
Software Version 6.2a
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
http://www.extremenetworks.com
Published: September 2003
Part number: 123007-00 Rev. 01

Summary of Contents for Extreme Networks Summit 300-48

  • Page 1 Summit 300-48 Switch Software User Guide Software Version 6.2a Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.com Published: September 2003 Part number: 123007-00 Rev. 01...
  • Page 2 ©2003 Extreme Networks, Inc. All rights reserved. Extreme Networks, ExtremeWare, Alpine, and BlackDiamond are registered trademarks of Extreme Networks, Inc. in the United States and certain other jurisdictions. ExtremeWare Vista, ExtremeWorks, ExtremeAssist, ExtremeAssist1, ExtremeAssist2, PartnerAssist, Extreme Standby Router Protocol, ESRP, SmartTraps, Summit, Summit1, Summit4, Summit4/FX, Summit7i, Summit24, Summit48, Summit Virtual Chassis, SummitLink, SummitGbX, SummitRPS and the Extreme Networks logo are trademarks of Extreme Networks, Inc.,...
  • Page 3: Table Of Contents

    Contents Preface Introduction Conventions Related Publications Chapter 1 ExtremeWare Overview Summary of Features Unified Access Virtual LANs (VLANs) Spanning Tree Protocol Quality of Service Load Sharing ESRP-Aware Switches Software Licensing Security Licensing Obtaining a Security License Security Features Under License Control Software Factory Defaults Chapter 2 Accessing the Switch...
  • Page 4 Accessing ExtremeWare Vista Navigating ExtremeWare Vista Saving Changes Filtering Information Do a GET When Configuring a VLAN Sending Screen Output to Extreme Networks Using the Simple Network Time Protocol Configuring and Using SNTP SNTP Configuration Commands SNTP Example Chapter 4...
  • Page 5 Contents Port Numbering Enabling and Disabling Switch Ports Configuring Switch Port Speed and Duplex Setting Switch Port Commands Load Sharing on the Switch Load-Sharing Algorithms Configuring Switch Load Sharing Load-Sharing Example Verifying the Load-Sharing Configuration Switch Port-Mirroring Port-Mirroring Commands Port-Mirroring Example Extreme Discovery Protocol EDP Commands Chapter 5...
  • Page 6 Contents Configuring Wireless Port Interfaces Managing Wireless Clients Show Commands Event Logging and Reporting Chapter 7 Unified Access Security Overview of Security User Access Security Authentication Privacy Cipher Suites Network Security Policies Policy Design Policy Examples Policies and RADIUS Support RADIUS Attributes CLI Commands for Security on the Switch Security Profile Commands...
  • Page 7 Contents Chapter 10 Access Policies Overview of Access Policies Access Control Lists Rate Limits Using Access Control Lists Access Masks Access Lists Rate Limits How Access Control Lists Work Access Mask Precedence Numbers Specifying a Default Rule The permit-established Keyword Adding Access Mask, Access List, and Rate Limit Entries Deleting Access Mask, Access List, and Rate Limit Entries Verifying Access Control List Configurations...
  • Page 8 Contents Port Statistics Port Errors Port Monitoring Display Keys Setting the System Recovery Level Logging Local Logging Remote Logging Logging Configuration Changes Logging Commands RMON About RMON RMON Features of the Switch Configuring RMON Event Actions Chapter 13 Spanning Tree Protocol (STP) Overview of the Spanning Tree Protocol Spanning Tree Domains Defaults...
  • Page 9 Contents Resetting and Disabling Router Settings Configuring DHCP/BOOTP Relay Verifying the DHCP/BOOTP Relay Configuration UDP-Forwarding Configuring UDP-Forwarding UDP-Forwarding Example ICMP Packet Processing UDP-Forwarding Commands Appendix A Safety Information Important Safety Information Power Power Cord Connections Lithium Battery Appendix B Supported Standards Appendix C Software Upgrade and Boot Options Downloading a New Image...
  • Page 10 Contents Debug Tracing TOP Command Contacting Extreme Technical Support Index Index of Commands Summit 300-48 Switch Software User Guide...
  • Page 11 Figures Example of a port-based VLAN on the Summit 300-48 switch Single port-based VLAN spanning two switches Two port-based VLANs spanning two switches Physical diagram of tagged and untagged traffic Logical diagram of tagged and untagged traffic Sample integrated wired and wireless network Permit-established access list example topology Access control list denies all TCP and UDP traffic Access list allows TCP traffic...
  • Page 13 Tables Notice Icons Text Conventions ExtremeWare Summit 300-48 Factory Defaults Command Syntax Symbols Line-Editing Keys Common Commands Default Accounts DNS Commands Ping Command Parameters SNMP Configuration Commands RADIUS Commands Multiselect List Box Key Definitions Greenwich Mean Time Offsets SNTP Configuration Commands Switch Port Commands Switch Port-Mirroring Configuration Commands EDP Commands...
  • Page 14 Tables Security Profile Command Property Values Per-Port LEDs Power Over Ethernet Configuration Commands PoE Show Commands FDB Configuration Commands Access Control List Configuration Commands Traffic Type and QoS Guidelines QoS Configuration Commands Traffic Groupings by Precedence 802.1p Priority Value-to-QoS Profile to Hardware Queue Default Mapping 802.1p Configuration Commands DiffServ Configuration Commands Default Code Point-to-QoS Profile Mapping...
  • Page 15: Preface

    Preface This preface provides an overview of this guide, describes guide conventions, and lists other publications that may be useful. Introduction This guide provides the required information to install the Summit™ 300-48 switch and configure the ExtremeWare ™ software running on the Summit 300-48 switch. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment.
  • Page 16: Related Publications

    The publications related to this one are: • ExtremeWare Release Notes • Summit 300-48 Switch Release Notes Documentation for Extreme Networks products is available on the World Wide Web at the following location: • http://www.extremenetworks.com/ Summit 300-48 Switch Software User Guide...
  • Page 17: Extremeware Overview

    ExtremeWare Overview This chapter describes the following topics: • Summary of Features on page 17 • Security Licensing on page 20 • Software Factory Defaults on page 20 ExtremeWare is the full-featured software operating system that is designed to run on the Summit 300-48 switch.
  • Page 18: Unified Access

    ExtremeWare Overview • SSH2 connection • Simple Network Management Protocol (SNMP) support • Remote Monitoring (RMON) • Traffic mirroring for ports Unified Access The Summit 300-48 supports the Unified Access architecture, enabling wired and wireless applications across a completely integrated enterprise infrastructure. With the Altitude product line, the Summit 300-48 supports 802.11 WLAN connectivity.
  • Page 19: Quality Of Service

    If Extreme switches running ESRP are connected to layer 2 switches that are not manufactured by Extreme Networks (or Extreme switches that are not running ExtremeWare 4.0 or above), the fail-over times seen for traffic local to the segment may appear longer, depending on the application involved and the FDB timer used by the other vendor’s layer 2 switch.
  • Page 20: Security Licensing

    Certain additional ExtremeWare security features, such as the use of Secure Shell (SSH2) encryption, may be under United States export restriction control. Extreme Networks ships these security features in a disabled state. You can obtain information on enabling these features at no charge from Extreme Networks.
  • Page 21 Software Factory Defaults Table 3: ExtremeWare Summit 300-48 Factory Defaults (continued) Item Default Setting IP multicast routing Disabled IGMP Enabled IGMP snooping Disabled SNTP Disabled Disabled Port Mirroring Disabled Wireless Enabled NOTE For default settings of individual ExtremeWare features, see the applicable individual chapters in this guide.
  • Page 23: Accessing The Switch

    Accessing the Switch This chapter describes the following topics: • Understanding the Command Syntax on page 23 • Line-Editing Keys on page 25 • Command History on page 26 • Common Commands on page 26 • Configuring Management Access on page 28 •...
  • Page 24: Syntax Helper

    Accessing the Switch Syntax Helper The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular command, enter as much of the command as possible and press [Return]. The syntax helper provides a list of options for the remainder of the command.
  • Page 25: Names

    Line-Editing Keys Names All named components of the switch configuration must have a unique name. Names must begin with an alphabetical character and are delimited by whitespace, unless enclosed in quotation marks. Symbols You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself.
  • Page 26: Command History

    Accessing the Switch Table 5: Line-Editing Keys (continued) Symbol Description [Ctrl] + W Deletes previous word. Insert Toggles on and off. When toggled on, inserts text and shifts previous text to right. Left Arrow Moves cursor to left. Right Arrow Moves cursor to right.
  • Page 27 Common Commands Table 6: Common Commands (continued) Command Description config sys-recovery-level [none | critical | all] Configures a recovery option for instances where an exception occurs in ExtremeWare. Specify one of the following: • none — Recovery without system reboot. •...
  • Page 28: Configuring Management Access

    Accessing the Switch Table 6: Common Commands (continued) Command Description disable ssh2 Disables SSH2 access to the switch. disable telnet Disables Telnet access to the switch. enable bootp vlan [<name> | all] Enables BOOTP for one or more VLANs. enable cli-config-logging Enables the logging of CLI configuration commands to the Syslog for auditing purposes.
  • Page 29: User Account

    Configuring Management Access User Account A user-level account has viewing access to all manageable parameters, with the exception of: • User account database. • SNMP community strings. A user-level account can use the ping command to test device reachability, and change the password assigned to the account name.
  • Page 30: Creating A Management Account

    Accessing the Switch Changing the Default Password Default accounts do not have passwords assigned to them. Passwords must have a minimum of four characters and can have a maximum of 12 characters. NOTE User names and passwords are case-sensitive. To add a password to the default admin account, follow these steps: 1 Log in to the switch using the name admin.
  • Page 31: Domain Name Service Client Services

    Domain Name Service Client Services Viewing Accounts To view the accounts that have been created, you must have administrator privileges. Use the following command to see the accounts: show accounts Deleting an Account To delete an account, you must have administrator privileges. To delete an account, use the following command: delete account <username>...
  • Page 32: Checking Basic Connectivity

    Accessing the Switch Checking Basic Connectivity The switch offers the following commands for checking basic connectivity: • ping • traceroute Ping The ping command enables you to send Internet Control Message Protocol (ICMP) echo messages to a remote IP device. The command is available for both the user and administrator privilege level.
  • Page 33 Checking Basic Connectivity • from uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used. • configures the switch to trace up to the time-to-live number of the switch. • uses the specified UDP port number.
  • Page 35: Overview

    Managing the Switch This chapter describes the following topics: • Overview on page 35 • Using the Console Interface on page 36 • Using Telnet on page 36 • Using Secure Shell 2 (SSH2) on page 39 • Using SNMP on page 40 •...
  • Page 36: Using The Console Interface

    Managing the Switch Using the Console Interface The CLI built into the switch is accessible by way of the 9-pin, RS-232 port labeled console, located on the front of the Summit 300-48 switch. After the connection has been established, you will see the switch prompt and you can log in. Using Telnet Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP network.
  • Page 37 Using Telnet You can enable BOOTP on a per-VLAN basis by using the following command: enable bootp vlan [<name> | all] By default, BOOTP is disabled on the default VLAN. To enable the forwarding of BOOTP and Dynamic Host Configuration Protocol (DHCP) requests, use the following command: enable bootprelay If you configure the switch to use BOOTP, the switch IP address is not retained through a power cycle,...
  • Page 38: Disconnecting A Telnet Session

    Managing the Switch When you have successfully logged in to the switch, the command-line prompt displays the name of the switch in its prompt. 5 Assign an IP address and subnetwork mask for the default VLAN by using the following command: config vlan <name>...
  • Page 39: Controlling Telnet Access

    Because SSH2 is currently under U.S. export restrictions, you must first obtain a security-enabled version of the ExtremeWare software from Extreme Networks before you can enable SSH2. The procedure for obtaining a security-enabled version of the ExtremeWare software is described in Chapter 1.
  • Page 40: Using Snmp

    Each Network Manager provides its own user interface to the management facilities. The following sections describe how to get started if you want to use an SNMP manager. It assumes you are already familiar with SNMP management. Extreme Networks products support SNMP v1 and SNMP v2C.
  • Page 41: Supported Mibs

    Using SNMP Supported MIBs In addition to private MIBs, the switch supports the standard MIBs listed in Appendix B. Configuring SNMP Settings The following SNMP parameters can be configured on the switch: • Authorized trap receivers — An authorized trap receiver can be one or more network management stations on your network.
  • Page 42: Displaying Snmp Settings

    Managing the Switch Table 10: SNMP Configuration Commands (continued) Command Description config snmp sysname <string> Configures the name of the switch. A maximum of 32 characters is allowed. The default sysname is the model name of the device (for example, Summit 300-48). The sysname appears in the switch prompt.
  • Page 43: Authenticating Users

    Authenticating Users Authenticating Users ExtremeWare provides a RADIUS client to authenticate switch admin users who log in to the switch: RADIUS Client Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administering access to network nodes. The ExtremeWare RADIUS client implementation allows authentication for Telnet or console access to the switch.
  • Page 44 Managing the Switch Table 11: RADIUS Commands (continued) Command Description show radius Displays the current RADIUS client configuration and statistics. unconfig radius {server [primary | secondary]} Unconfigures the RADIUS client configuration. RADIUS RFC 2138 Attributes The RADIUS RFC 2138 optional attributes supported are as follows: •...
  • Page 45 Building on this example configuration, you can use RADIUS to perform per-command authentication to differentiate user capabilities. To do so, use the Extreme-modified RADIUS Merit software that is available from the Extreme Networks web server at http://www.extremenetworks.com/extreme/support/otherapps.htm or by contacting Extreme ™...
  • Page 46 Managing the Switch Filter-Id = "unlim" admin Password = "", Service-Type = Administrative Filter-Id = "unlim" eric Password = "", Service-Type = Administrative, Profile-Name = "" Filter-Id = "unlim" Extreme:Extreme-CLI-Authorization = Enabled albert Password = "", Service-Type = Administrative, Profile-Name = "Profile1"...
  • Page 47: Using Extremeware Vista

    Using ExtremeWare Vista Using ExtremeWare Vista The ExtremeWare Vista™ device-management software that runs on the switch allows you to access the switch over a TCP/IP network using a standard web browser. Any properly configured standard web browser that supports frames and JavaScript (such as Netscape Navigator 3.0 or above, or Microsoft Internet Explorer 3.0 or above) can be used to manage the switch.
  • Page 48: Accessing Extremeware Vista

    • Turn off one or more of the browser toolbars to maximize the viewing space of the ExtremeWare Vista content screen. • If you will be using ExtremeWare Vista to send an email to the Extreme Networks Technical Support department, configure the email settings in your browser.
  • Page 49 Using ExtremeWare Vista Task Frame The task frame has two sections: menu buttons and submenu links. The four task menu buttons are: • Configuration • Statistics • Support • Logout Below the task buttons are options. Options are specific to the task button that you select. When you select an option, the information displayed in the content frame changes.
  • Page 50: Saving Changes

    Managing the Switch Status Messages Status messages are displayed at the top of the content frame. The four types of status messages are: • Information—Displays information that is useful to know prior to, or as a result of, changing configuration options. •...
  • Page 51: Do A Get When Configuring A Vlan

    Sending Screen Output to Extreme Networks If Extreme Networks requests that you email the output of a particular ExtremeWare Vista screen, follow these steps: 1 Click the content frame of the screen that you must send.
  • Page 52: Greenwich Mean Time Offsets

    Managing the Switch Once enabled, the switch sends out a periodic query to the NTP servers defined later (if configured) or listens to broadcast NTP updates from the network. The network time information is automatically saved into the on-board real-time clock. 4 If you would like this switch to use a directed query to the NTP server, configure the switch to use the NTP server(s).
  • Page 53 Using the Simple Network Time Protocol Table 13: Greenwich Mean Time Offsets (continued) Offset in GMT Offset Common Time Zone Hours in Minutes References Cities -9:00 -540 YST - Yukon Standard -10:00 -600 AHST - Alaska-Hawaii Standard CAT - Central Alaska HST - Hawaii Standard -11:00 -660...
  • Page 54: Sntp Configuration Commands

    Managing the Switch SNTP Configuration Commands Table 14 describes SNTP configuration commands. Table 14: SNTP Configuration Commands Command Description config sntp-client [primary | secondary] server Configures an NTP server for the switch to [<ipaddress> | <host_name>] obtain time information. Queries are first sent to the primary server.
  • Page 55: Configuring Ports On A Switch

    Configuring Ports on a Switch This chapter describes the following topics: • Port Numbering on page 55 • Enabling and Disabling Switch Ports on page 55 • Load Sharing on the Switch on page 57 • Switch Port-Mirroring on page 59 •...
  • Page 56: Configuring Switch Port Speed And Duplex Setting

    Configuring Ports on a Switch Configuring Switch Port Speed and Duplex Setting By default, the switch is configured to use autonegotiation to determine the port speed and duplex setting for each port. You can manually configure the duplex setting and the speed of 10/100 Mbps ports.
  • Page 57: Load Sharing On The Switch

    If the failed port becomes active again, traffic is redistributed to include that port. This feature is supported between Extreme Networks switches only, but may be compatible with third-party trunking or link-aggregation algorithms. Check with an Extreme Networks technical representative for more information.
  • Page 58: Configuring Switch Load Sharing

    Configuring Ports on a Switch You can configure the address-based load-sharing algorithm on the Summit 300-48 switch. The address-based load-sharing algorithm uses addressing information to determine which physical port in the load-sharing group to use for forwarding traffic out of the switch. Addressing information is based on the packet protocol, as follows: —...
  • Page 59: Load-Sharing Example

    Switch Port-Mirroring • Ports on the switch are divided into a maximum of five groups. • Port-based and round-robin load sharing algorithms do not apply. • A redundant load share group can only include ports from the following ranges: 1:1-1:24, 1:25-1:48, 1:49-1:52.
  • Page 60: Port-Mirroring Commands

    Configuring Ports on a Switch Up to eight mirroring filters and one monitor port can be configured. After a port has been specified as a monitor port, it cannot be used for any other function. NOTE Frames that contain errors are not mirrored. The mirrored port always transmits tagged frames.
  • Page 61: Port-Mirroring Example

    1:3 tagged config mirroring add port 1:1 Extreme Discovery Protocol The Extreme Discovery Protocol (EDP) is used to gather information about neighbor Extreme Networks switches. EDP is used by the switches to exchange topology information. Information communicated using EDP includes: •...
  • Page 63: Virtual Lans (Vlans)

    Virtual LANs (VLANs) This chapter describes the following topics: • Overview of Virtual LANs on page 63 • Types of VLANs on page 64 • VLAN Names on page 69 • Configuring VLANs on the Switch on page 70 • Displaying VLAN Settings on page 71 Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.
  • Page 64: Types Of Vlans

    Virtual LANs (VLANs) • VLANs ease the change and movement of devices. With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually.
  • Page 65: Single Port-Based Vlan Spanning Two Switches

    Types of VLANs Spanning Switches with Port-Based VLANs To create a port-based VLAN that spans two switches, you must do two things: 1 Assign the port on each switch to the VLAN. 2 Cable the two switches together using one port on each switch per VLAN. Figure 2 illustrates a single VLAN that spans a BlackDiamond switch and a Summit 300-48 switch.
  • Page 66: Tagged Vlans

    Virtual LANs (VLANs) Figure 3 illustrates two VLANs spanning two switches. On system 1, ports 1:12 through 1:24, and port 1:51 are part of VLAN Accounting; ports 1:37 through 1:48, and port 1:52 are part of VLAN Engineering. On system 2, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of VLAN Engineering.
  • Page 67 Types of VLANs NOTE The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices, and may also lead to connectivity problems if non-802.1Q bridges or routers are placed in the path.
  • Page 68: Physical Diagram Of Tagged And Untagged Traffic

    Virtual LANs (VLANs) Figure 4: Physical diagram of tagged and untagged traffic System 1 1:49 1:1 - 1:12 1:13 - 1:24 1:25 - 1:36 1:37 - 1:48 50015 802.1Q Tagged server = Marketing = Sales = Tagged port Marketing & Sales System 2 LB48008A Figure 5 is a logical diagram of the same network.
  • Page 69: Vlan Names

    VLAN Names • The server connected to port 1:16 on system 1 has a NIC that supports 802.1Q tagging. • The server connected to port 1:16 on system 1 is a member of both VLAN Marketing and VLAN Sales. • All other stations use untagged traffic. As data passes out of the switch, the switch determines if the destination port requires the frames to be tagged or untagged.
  • Page 70: Renaming A Vlan

    Virtual LANs (VLANs) Renaming a VLAN To rename an existing VLAN, use the following command: config vlan <old_name> name <new_name> The following rules apply to renaming VLANs: • After you change the name of the default VLAN, it cannot be changed back to default. •...
  • Page 71: Vlan Configuration Examples

    Displaying VLAN Settings Table 18: VLAN Configuration Commands (continued) Command Description delete vlan <name> Removes a VLAN. unconfig ports <portlist> monitor vlan <name> Removes port-based VLAN monitoring. unconfig vlan <name> ipaddress Resets the IP address of the VLAN. VLAN Configuration Examples The following Summit 300-48 switch example creates a tag-based VLAN named video.
  • Page 73: Wireless Networking

    Wireless Networking This chapter describes wireless networking using the Summit 300-48 switch and the Altitude 300 wireless port and includes information on the following topics: • Overview of Wireless Networking on page 73 • Wireless Devices on page 74 • Bridging on page 75 •...
  • Page 74: Summary Of Wireless Features

    Wireless Networking Figure 6: Sample integrated wired and wireless network Summit 300-48 Altitude 300 Wireless clients Altitude 300 Wired network Wireless clients LB48018A This arrangement is part of the Extreme Unified Access Architecture, which is designed to support both wired and wireless networks from a single network switch. Because the intelligence normally associated with an access point is maintained in the Summit 300-48 switch, the cost of implementing radio access is greatly reduced.
  • Page 75: Bridging

    Bridging You can set network policies at Layers 2 and 3 to cover both the wired and wireless networks. In this way you can block access to individuals suspected of intrusion across the entire network infrastructure. In addition to traditional wired devices, the Summit 300-48 switch supports the Altitude 300 wireless port, third party access points, and devices that rely on Power over Ethernet (PoE).
  • Page 76: Configuring Rf Properties

    Wireless Networking 7 Configure a specific channel (determined from a site survey), if desired, on each interface. If you do not configure a specific channel, the switch auto-selects the channel with the least interference. 8 Connect the Altitude 300 wireless port. After this process is complete, clients can access your network through the Altitude 300 wireless port.
  • Page 77 Configuring RF Properties Table 20: RF Profile Property Values (continued) Property Default Allowed Values Description frag-length 2345 256-2345 Identifies fragment size in bytes. This value should remain at its default setting of 2345. It specifies the maximum size for a packet before data is fragmented into multiple packets.
  • Page 78: Configuring Wireless Switch Properties

    Table 22. Extreme Networks ships the Summit 300-48 switch to be programmed with Extreme Networks' special extreme_default country code, which brings up only the G radio in channel 6, and turns off the A radio.
  • Page 79: Configuring Wireless Ports

    Configuring Wireless Ports Configuring Wireless Ports The configure wireless ports commands allow you to configure properties such as the IP address and the location of the port. Table 23 lists the configuration commands for wireless ports. Table 23: Wireless Port Configuration Commands Command Description config wireless ports <portlist>...
  • Page 80: Managing Wireless Clients

    Wireless Networking Table 25 lists the configuration commands for wireless ports. Table 25: Wireless Port Interface Configuration Commands Command Description config wireless ports <portlist> interface [1 | 2] rf-profile Attaches the port in the port list to the named RF <name>...
  • Page 81: Event Logging And Reporting

    Event Logging and Reporting Table 27: Show Commands (continued) Command Description show wireless ports <portlist> interface [1 | 2] Summarizes wireless configuration information for configuration {detail} the selected port and interface. show wireless ports <portlist> interface [1 | 2] stats Lists 802.11 interface statistics for the selected port and interface.
  • Page 83: Unified Access Security

    Unified Access Security This chapter describes the security features of the Summit 300-48 switch and includes information on the following topics: • Overview of Security on page 83 • User Access Security on page 84 • Network Security Policies on page 87 •...
  • Page 84: User Access Security

    Unified Access Security User Access Security Effective user security meets the following objectives: • Authentication — Assuring that only approved users are connected to the network at permitted locations and times. • Privacy — Assuring that user data is protected. Authentication The authentication process is responsible for screening users who attempt to connect to the network and granting or denying access based on the identity of the user, and if needed, the location of the client...
  • Page 85: Privacy

    User Access Security then extends or denies access as instructed, and passes along configuration information such as VLAN and priority. 802.1x supports several EAP-class advanced authentication protocols, which differ in the specific identification types and encryption methods for the authentication: •...
  • Page 86 Unified Access Security incorporate each of these suites, and the Altitude 300 wireless port supports hardware-based AES and RC4 encryption. Table 28: Wi-Fi Security Cipher Suites Sponsoring Name Authentication Privacy Organization None or MAC WEP/RC4 IEEE 802.1x TKIP/RC4 Wi-Fi Alliance 802.1x CCMP/AES/TKIP IEEE...
  • Page 87: Network Security Policies

    Network Security Policies Network Security Policies Network security policy refers to a set of network rules that apply to user access. You can base the rules on a variety of factors, including user identification, time and location, and method of authentication. It is possible to design network security policies to do all of the following: •...
  • Page 88: Policy Examples

    Unified Access Security Policy Examples The following examples suggest typical uses of network security policies. Example. You want to give employees complete network access but limit access to visitors. The solution is to base network access on the authentication method, as indicated in Table 29. Table 29: Authentication-Based Network Access Example Authentication Method User Placement...
  • Page 89: Cli Commands For Security On The Switch

    CLI Commands for Security on the Switch Table 31 lists the attributes included in the RADIUS response. Table 31: RADIUS Response Attributes Attribute Description EXTREME_NETLOGIN_VLAN_TAG VLAN for this MAC Vendor-Specific Attributes Table 32 lists the supported vendor-specific attributes (VSAs). The Extreme vendor ID is 1916. Table 32: Vendor-Specific Attributes Attribute Value...
  • Page 90: Security Profile Command Property Values

    Unified Access Security Table 34 lists the properties for the security profile configuration command. Table 34: Security Profile Command Property Values Case Default Ranges Action ssid-in-beacon <value> off | on Turns on whether the SSID is published in the beacon or not. If you set this to off then the beacon does not contain the SSID and the client must know the SSID before it can associate.
  • Page 91: Example Wireless Configuration Process

    Example Wireless Configuration Process Table 34: Security Profile Command Property Values (continued) Case Default Ranges Action dot1x multicast-cipher <value> aes | tkip | wep Specifies the cipher suite to use for legacy 802.1x or WPA clients. If the mcast cipher suite is aes, then the unicast cipher suite is AES.
  • Page 92 Unified Access Security To configure the VLAN, addresses, and RF profiles, follow these steps: 1 Create the wireless management VLAN. create vlan wireless-mgmt 2 Remove the wireless port from the default VLAN. configure vlan default delete ports 1:5 3 Add the wireless port to the management VLAN. configure vlan wireless-mgmt add ports 1:5 4 Configure this VLAN as the management VLAN.
  • Page 93 Example Wireless Configuration Process If you enter the wrong number of characters for the code, a message similar to the following appears. Invalid number of bytes in key. Expected 10 bytes, got 15 bytes. 8 Configure the security profile to use the 0 key you just defined as the default encryption key. configure security-profile wep-secure wep default-key-index 0 To configure dot1x security, follow these steps: 1 Create a security profile (...
  • Page 95: Power Over Ethernet

    Power Over Ethernet This chapter explains how to configure the Summit 300-48 switch to supply power to devices using the Power over Ethernet (PoE) capability. It contains the following sections: • Overview on page 95 • Port Power Management on page 96 •...
  • Page 96: Port Power Management

    Power Over Ethernet Port Power Management When you connect PDs, the Summit 300-48 switch automatically discovers and classifies those that are AF-compliant. The following functions are supported for delivering power to the port: • Enabling the port for discovery and classification •...
  • Page 97: Port Power Events

    Port Power Management Common Power Pool The common power pool represents the total amount of power available on a per-slot basis, less any power reserved or allocated to currently powered devices. When a new device is discovered, its defined power requirements are subtracted from the common power pool. If the common pool does not have sufficient available power, power is not supplied to the device.
  • Page 98: Per-Port Leds

    Power Over Ethernet Ports are powered based upon their priority and discovery time. Higher priority ports with the oldest discovery time are powered first. If a device consumes more power than it is allocated by class type, it is considered a class violation. The device enters a fault state, and unreserved power is returned to the common pool.
  • Page 99 Configuring Power Over Ethernet Table 36: Power Over Ethernet Configuration Commands (continued) Command Description enable inline-power ports <portlist> Enables PoE for the listed ports. disable inline-power ports <portlist> Disables PoE for the listed ports. config inline-power usage-threshold <threshold> Sets the threshold for initiation of an alarm should the measured power exceed the threshold.
  • Page 100 Power Over Ethernet Table 36: Power Over Ethernet Configuration Commands (continued) Command Description unconfig inline-power disconnect-precedence [lowest-priority | Returns the disconnect-precedence to deny-port] the default state of deny-port. When the power drain exceeds the available power budget, due to a rise in power consumption after power is allocated to the ports, the PoE controller disconnects one of the ports to prevent overload on the...
  • Page 101 Configuring Power Over Ethernet Table 36: Power Over Ethernet Configuration Commands (continued) Command Description unconfig inline-power operator-limit ports <portlist> Resets the operator limit back to the default. unconfig inline-power violation-precedence ports <portlist> Resets the violation precedence back to the default. unconfig inline-power reserved-budget ports <portlist>...
  • Page 103: Overview Of The Fdb

    Forwarding Database (FDB) This chapter describes the following topics: • Overview of the FDB on page 103 • Configuring FDB Entries on page 105 • Displaying FDB Entries on page 106 Overview of the FDB The switch maintains a database of all media access control (MAC) addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.
  • Page 104: How Fdb Entries Get Added

    Forwarding Database (FDB) interface are stored as permanent. The Summit 300-48 switches support a maximum of 128 permanent entries. Once created, permanent entries stay the same as when they were created. For example, the permanent entry store is not updated when any of the following take place: —...
  • Page 105: Configuring Fdb Entries

    Configuring FDB Entries Configuring FDB Entries To configure entries in the FDB, use the commands listed in Table 38. Table 38: FDB Configuration Commands Command Description clear fdb [{<mac_address> | vlan <name> Clears dynamic FDB entries that match the filter. | ports <portlist>}] When no options are specified, the command clears all FDB entries.
  • Page 106: Fdb Configuration Examples

    Forwarding Database (FDB) Table 38: FDB Configuration Commands (continued) Command Description enable learning port <portlist> Enables MAC address learning on one or more ports. FDB Configuration Examples The following example adds a permanent entry to the FDB: create fdbentry 00:E0:2B:12:34:56 vlan marketing port 1:4 The permanent entry has the following characteristics: •...
  • Page 107: Access Policies

    Access Policies This chapter describes the following topics: • Overview of Access Policies on page 107 • Using Access Control Lists on page 107 Overview of Access Policies Access policies are a generalized category of features that impact forwarding and route forwarding decisions.
  • Page 108: Access Masks

    Access Policies shared multiple access control lists, using different lists of values to examine packets. The following sections describe how to use access control lists. Access Masks There are between twelve and fourteen access masks available in the Summit 300-48, depending on which features are enabled on the switch.
  • Page 109: Rate Limits

    Using Access Control Lists Rate Limits Each entry that makes up a rate limit contains a unique name and specifies a previously created access mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and an action to take for packets that match.
  • Page 110: Access Mask Precedence Numbers

    Access Policies Access Mask Precedence Numbers The access mask precedence number is optional, and determines the order in which each rule is examined by the switch. Access control list entries are evaluated from highest precedence to lowest precedence. Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence. However, an access mask without a precedence specified has a higher precedence than any access mask with a precedence specified.
  • Page 111: The Permit-Established Keyword

    Using Access Control Lists The permit-established Keyword The permit-established keyword is used to directionally control attempts to open a TCP session. Session initiation can be explicitly blocked using this keyword. NOTE For an example of using the permit-established keyword, refer to “Using the Permit-Established Keyword”...
  • Page 112: Deleting Access Mask, Access List, And Rate Limit Entries

    Access Policies The maximum number of access lists allowed by the hardware is 254 for each block of eight 10/100 Ethernet ports and 126 for each Gigabit Ethernet port, for a total of 1014 rules (254*3+126*2). Most user-entered access list commands will require multiple rules on the hardware. For example, a global rule (an access control list using an access mask without “ports”...
  • Page 113: Access Control List Configuration Commands

    Using Access Control Lists Table 39: Access Control List Configuration Commands Command Description create access-list <name> Creates an access list. The list is applied to all access-mask <access-mask name> ingress packets. Options include: {dest-mac <dest_mac>} • <name> — Specifies the access control list {source-mac <src_mac>} name.
  • Page 114 Access Policies Table 39: Access Control List Configuration Commands (continued) Command Description create access-mask <access-mask name> Creates an access mask. The mask specifies {dest-mac} which packet fields to examine. Options include: {source-mac} • <access-mask name> — Specifies the {vlan } access mask name.
  • Page 115 Using Access Control Lists Table 39: Access Control List Configuration Commands (continued) Command Description create rate-limit <rule_name> Creates a rate limit. The rule is applied to all access-mask <access-mask name> ingress packets. Options include: {dest-mac <dest_mac>} • <rule_name> — Specifies the rate limit {source-mac <src_mac>} name.
  • Page 116: Access Control List Examples

    Access Policies Table 39: Access Control List Configuration Commands (continued) Command Description delete access-mask <name> Deletes an access mask. Any access lists or rate limits that reference this mask must first be deleted. delete rate-limit <name> Deletes a rate limit. show access-list {<name>...
  • Page 117: Access Control List Denies All Tcp And Udp Traffic

    Using Access Control Lists Step 1 – Deny IP Traffic. First, create an access-mask that examines the IP protocol field for each packet. Then create two access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP, it is technically not an IP data packet.
  • Page 118: Access List Allows Tcp Traffic

    Access Policies Figure 9: Access list allows TCP traffic ICMP 10.10.10.100 10.10.20.100 EW_035 Step 3 - Permit-Established Access List. When a TCP session begins, there is a three-way handshake that includes a sequence of SYN, SYN/ACK, and ACK packets. Figure 10 shows an illustration of the handshake that occurs when host A initiates a TCP session to host B.
  • Page 119: Permit-Established Access List Filters Out Syn Packet To Destination

    Using Access Control Lists Figure 11 shows the final outcome of this access list. Figure 11: Permit-established access list filters out SYN packet to destination 10.10.10.100 10.10.20.100 EW_037 Example 2: Filter ICMP Packets This example creates an access list that filters out ping (ICMP echo) packets. ICMP echo packets are defined as type 8 code 0.
  • Page 121: Quality Of Service (Qos)

    Quality of Service (QoS) This chapter describes the following topics: • Overview of Policy-Based Quality of Service on page 121 • Applications and Types of QoS on page 122 • Configuring QoS for a Port or VLAN on page 123 •...
  • Page 122: Applications And Types Of Qos

    Quality of Service (QoS) Summit 300-48 switches support up to four physical queues per port. NOTE As with all Extreme switch products, QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance. Applications and Types of QoS Different applications have different QoS requirements.
  • Page 123: Web Browsing Applications

    Configuring QoS for a Port or VLAN Web Browsing Applications QoS needs for Web browsing applications cannot be generalized into a single category. For example, ERP applications that use a browser front-end may be more important than retrieving daily news information.
  • Page 124: Traffic Groupings

    Quality of Service (QoS) Traffic Groupings After a QoS profile has been modified for bandwidth and priority, you assign a traffic grouping to the profile. A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is typically grouped based on the applications discussed starting on page 122.
  • Page 125: Mac-Based Traffic Groupings

    Traffic Groupings prescribe the bandwidth management and priority handling for that traffic grouping. This level of packet filtering has no impact on performance. MAC-Based Traffic Groupings QoS profiles can be assigned to destination MAC addresses. MAC-based traffic groupings are configured using the following command: create fdbentry <mac_address>...
  • Page 126: Explicit Class Of Service (802.1P And Diffserv) Traffic Groupings

    Quality of Service (QoS) Explicit Class of Service (802.1p and DiffServ) Traffic Groupings This category of traffic groupings describes what is sometimes referred to as explicit packet marking, and refers to information contained within a packet intended to explicitly determine a class of service. That information includes: •...
  • Page 127 Traffic Groupings supports four hardware queues. The transmitting hardware queue determines the bandwidth management and priority characteristics used when transmitting packets. To control the mapping of 802.1p prioritization values to hardware queues, 802.1p prioritization values can be mapped to a QoS profile. The default mapping of each 802.1p priority value to QoS profile is shown in Table 43.
  • Page 128: Configuring Diffserv

    Quality of Service (QoS) Configuring DiffServ Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the DiffServ field. The TOS field is used by the switch to determine the type of service provided to the packet.
  • Page 129 Traffic Groupings Observing DiffServ Information When a packet arrives at the switch on an ingress port, the switch examines the first six of eight TOS bits, called the code point. The switch can assign the QoS profile used to subsequently transmit the packet based on the code point.
  • Page 130: Physical And Logical Groupings

    Quality of Service (QoS) DiffServ Examples For information on the access list and access mask commands in the following examples, see Chapter 10, “Access Policies”. Use the following command to use the DiffServ code point value to assign traffic to the hardware queues: enable diffserv examination ports all In the following example, all the traffic from network 10.1.2.x is assigned the DiffServ code point 23...
  • Page 131: Verifying Configuration And Performance

    Verifying Configuration and Performance The same information is also available for ports or VLANs using one of the following commands: show ports <portlist> info {detail} show vlan Verifying Configuration and Performance After you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor to determine whether the application performance meets your expectations.
  • Page 132: Displaying Qos Profile Information

    Quality of Service (QoS) Displaying QoS Profile Information The QoS monitor can also be used to verify the QoS configuration and monitor the use of the QoS policies that are in place. To display QoS information on the switch, use the following command: show qosprofile <qosprofile>...
  • Page 133: Status Monitoring And Statistics

    Status Monitoring and Statistics This chapter describes the following topics: • Status Monitoring on page 133 • Port Statistics on page 135 • Port Errors on page 136 • Port Monitoring Display Keys on page 137 • Setting the System Recovery Level on page 137 •...
  • Page 134: Status Monitoring Commands

    Status Monitoring and Statistics Table 47 describes commands that are used to monitor the status of the switch. Table 47: Status Monitoring Commands Command Description show log {<priority>} Displays the current snapshot of the log. Options include: • priority — Filters the log to display messages with the selected priority or higher (more critical).
  • Page 135: Port Statistics

    Port Statistics Table 47: Status Monitoring Commands (continued) Command Description show tech-support Displays the output for the following commands: • show version • show switch • show config • show diag • show gdb • show iparp • show ipfdb •...
  • Page 136: Port Errors

    Status Monitoring and Statistics • Received Byte Count (RX Byte Count) — The total number of bytes that were received by the port, including bad or lost frames. This number includes bytes contained in the Frame Check Sequence (FCS), but excludes bytes in the preamble. •...
  • Page 137: Port Monitoring Display Keys

    Port Monitoring Display Keys • Receive Fragmented Frames (RX Frag) — The total number of frames received by the port that were of incorrect length and contained a bad FCS value. • Receive Jabber Frames (RX Jab) — The total number of frames received by the port that were greater than the supported maximum length and had a Cyclic Redundancy Check (CRC) error.
  • Page 138: Logging

    Status Monitoring and Statistics NOTE Extreme Networks recommends that you set the system recovery level to critical. This allows ExtremeWare to log an error to the syslog and automatically reboot the system after a critical exception. Logging The switch log tracks all configuration and fault information pertaining to the device. Each entry in the log contains the following information: •...
  • Page 139: Local Logging

    Logging Table 50: Fault Log Subsystems (continued) Subsystem Description Port Port management-related configuration. Examples include port statistics and errors. • Message — The message contains the log information with text that is specific to the problem. Local Logging The switch maintains 1,000 messages in its internal log. You can display a snapshot of the log at any time by using the following command: show log {<priority>} where the following is true:...
  • Page 140: Logging Configuration Changes

    Status Monitoring and Statistics — ipaddress — The IP address of the syslog host. — facility — The syslog facility level for local use. Options include local0 through local7. — priority — Filters the log to display messages with the selected priority or higher (more critical). Priorities include (in order) critical, emergency, alert, error, warning, notice, info, and debug.
  • Page 141 Logging Table 51: Logging Commands (continued) Command Description config syslog {add} <host name/ip> {<port>} Configures the syslog host address and filters <facility> {<priority>} messages sent to the syslog host. Up to 4 syslog servers can be configured. Options include: • host name/ip— The IP address or name of the syslog host.
  • Page 142: Rmon

    Status Monitoring and Statistics RMON Using the Remote Monitoring (RMON) capabilities of the switch allows network administrators to improve system efficiency and reduce the load on the network. The following sections explain more about the RMON concept and the RMON features supported by the switch.
  • Page 143: Configuring Rmon

    RMON History The History group provides historical views of network performance by taking periodic samples of the counters supplied by the Statistics group. The group features user-defined sample intervals and bucket counters for complete customization of trend analysis. The group is useful for analysis of traffic patterns and trends on a LAN segment or VLAN, and to establish baseline information indicating normal operating parameters.
  • Page 144: Event Actions

    Status Monitoring and Statistics Event Actions The actions that you can define for each alarm are shown in Table 52. Table 52: Event Actions Action High Threshold No action Notify only Send trap to all trap receivers. Notify and log Send trap;...
  • Page 145: Overview Of The Spanning Tree Protocol

    Spanning Tree Protocol (STP) This chapter describes the following topics: • Overview of the Spanning Tree Protocol on page 145 • Spanning Tree Domains on page 145 • STP Configurations on page 146 • Configuring STP on the Switch on page 148 •...
  • Page 146: Defaults

    Spanning Tree Protocol (STP) A port can belong to only one STPD. If a port is a member of multiple VLANs, then all those VLANs must belong to the same STPD. The key points to remember when configuring VLANs and STP are: •...
  • Page 147: Multiple Spanning Tree Domains

    STP Configurations • Marketing is defined on all switches (switch A, switch B, switch Y, switch Z, and switch M). Two STPDs are defined: • STPD1 contains VLANs Sales and Personnel. • STPD2 contains VLANs Manufacturing and Engineering. The VLAN Marketing is a member of the default STPD, but not assigned to either STPD1 or STPD2. Figure 15: Multiple Spanning Tree Domains Sales, Personnel, Marketing Manufacturing, Engineering, Marketing...
  • Page 148: Configuring Stp On The Switch

    Spanning Tree Protocol (STP) Figure 16: Tag-based STP configuration Marketing & Sales Marketing, Sales & Engineering Switch 1 Switch 3 Switch 2 Sales & Engineering LB48015 The tag-based network in Figure 16 has the following configuration: • Switch 1 contains VLAN Marketing and VLAN Sales. •...
  • Page 149: Stp Configuration Commands

    Configuring STP on the Switch 3 Enable STP for one or more STP domains using the following command: enable stpd {<stpd_name>} NOTE All VLANs belong to the default STPD (s0). If you do not want to run STP on a VLAN, you must add the VLAN to a STPD that is disabled.
  • Page 150 Spanning Tree Protocol (STP) Table 53: STP Configuration Commands (continued) Command Description config stpd <stpd_name> maxage <value> Specifies the maximum age of a BPDU in this STPD. The range is 6 through 40. The default setting is 20 seconds. Note that the time must be greater than, or equal to 2 * (Hello Time + 1) and less than, or equal to 2 * (Forward Delay –1).
  • Page 151: Stp Configuration Example

    Displaying STP Settings STP Configuration Example The following Summit 300-48 switch example creates and enables an STPD named Backbone_st. It assigns the Manufacturing VLAN to the STPD. It disables STP on ports 1:1 through 1:7 and port 1:12. create stpd backbone_st config stpd backbone_st add vlan manufacturing enable stpd backbone_st disable stpd backbone_st port 1:1-1:7,1:12...
  • Page 152: Disabling And Resetting Stp

    Spanning Tree Protocol (STP) Disabling and Resetting STP To disable STP or return STP settings to their defaults, use the commands listed in Table 54. Table 54: STP Disable and Reset Commands Command Description delete stpd <stpd_name> Removes an STPD. An STPD can only be removed if all VLANs have been deleted from it.
  • Page 153: Overview Of Ip Unicast Routing

    IP Unicast Routing This chapter describes the following topics: • Overview of IP Unicast Routing on page 153 • Proxy ARP on page 156 • Relative Route Priorities on page 157 • Configuring IP Unicast Routing on page 157 • IP Commands on page 158 •...
  • Page 154: Chapter 14 Ip Unicast Routing

    IP Unicast Routing Router Interfaces The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a VLAN that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs.
  • Page 155 Overview of IP Unicast Routing — Locally, by way of interface addresses assigned to the system — By other static routes, as configured by the administrator NOTE If you define a default route, and subsequently delete the VLAN on the subnet associated with the default route, the invalid default route entry remains.
  • Page 156: Proxy Arp

    IP Unicast Routing Proxy ARP Proxy Address Resolution Protocol (ARP) was first invented so that ARP-capable devices could respond to ARP Request packets on behalf of ARP-incapable devices. Proxy ARP can also be used to achieve router redundancy and simplify IP client configuration. The switch supports proxy ARP for this type of network configuration.
  • Page 157: Relative Route Priorities

    Relative Route Priorities Relative Route Priorities Table 55 lists the relative priorities assigned to routes depending upon the learned source of the route. CAUTION Although these priorities can be changed, do not attempt any manipulation unless you are expertly familiar with the possible consequences. Table 55: Relative Route Priorities Route Origin Priority...
  • Page 158: Verifying The Ip Unicast Routing Configuration

    IP Unicast Routing Verifying the IP Unicast Routing Configuration Use the show iproute command to display the current configuration of IP unicast routing for the switch, and for each VLAN. The show iproute command displays the currently configured routes, and includes how each route was learned.
  • Page 159 IP Commands Table 56: Basic IP Commands (continued) Command Description disable bootp vlan [<name> | all] Disables the generation and processing of BOOTP packets. disable bootprelay Disables the forwarding of BOOTP requests. disable ipforwarding {vlan <name>} Disables routing for one or all VLANs. disable ipforwarding broadcast {vlan <name>} Disables routing of broadcasts to other networks.
  • Page 160: Icmp Configuration Commands

    IP Unicast Routing Table 57: Route Table Configuration Commands (continued) Command Description config iproute add default <gateway> Adds a default gateway to the routing table. A {<metric>} default gateway must be located on a configured IP interface. If no metric is specified, the default metric of 1 is used.
  • Page 161 IP Commands Table 58: ICMP Configuration Commands (continued) Command Description disable ip-option loose-source-route Disables the loose source route IP option. disable ip-option record-route Disables the record route IP option. disable ip-option record-timestamp Disables the record timestamp IP option. disable ip-option strict-source-route Disables the strict source route IP option.
  • Page 162: Routing Configuration Example

    IP Unicast Routing Table 58: ICMP Configuration Commands (continued) Command Description enable ip-option use-router-alert Enables the switch to generate the router alert IP option with routing protocol packets. enable irdp {vlan <name>} Enables the generation of ICMP router advertisement messages on one or all VLANs. The default setting is enabled.
  • Page 163: Displaying Router Settings

    Displaying Router Settings The example in Figure 18 is configured as follows: create vlan Finance create vlan Personnel config Finance add port 2,4 config Personnel add port 3,5 config Finance ipaddress 192.207.35.1 config Personnel ipaddress 192.207.36.1 enable ipforwarding Displaying Router Settings To display settings for various IP routing components, use the commands listed in Table 59.
  • Page 164: Configuring Dhcp/Bootp Relay

    IP Unicast Routing Table 60: Router Reset and Disable Commands (continued) Command Description disable icmp address-mask {vlan <name>} Disables the generation of ICMP address-mask reply messages. If a VLAN is not specified, the command applies to all IP interfaces. disable icmp parameter-problem {vlan Disables the generation of ICMP <name>}...
  • Page 165: Verifying The Dhcp/Bootp Relay Configuration

    UDP-Forwarding 3 Configure the addresses to which DHCP or BOOTP requests should be directed, using the following command: config bootprelay add <ipaddress> To delete an entry, use the following command: config bootprelay delete {<ipaddress> | all} Verifying the DHCP/BOOTP Relay Configuration To verify the DHCP/BOOTP relay configuration, use the following command: show ipconfig This command displays the configuration of the BOOTP relay service, and the addresses that are...
  • Page 166: Udp-Forwarding Example

    IP Unicast Routing UDP-Forwarding Example In this example, the VLAN Marketing and the VLAN Operations are pointed toward a specific backbone DHCP server (with IP address 10.1.1.1) and a backup server (with IP address 10.1.1.2). Additionally, the VLAN LabUser is configured to use any responding DHCP server on a separate VLAN called LabSvrs. The commands for this configuration are as follows: create udp-profile backbonedhcp create udp-profile labdhcp...
  • Page 167 UDP-Forwarding Table 61: UDP-Forwarding Commands (continued) Command Description config vlan <name> udp-profile <profile_name> Assigns a UDP-forwarding profile to the source VLAN. Once the UDP profile is associated with the VLAN, the switch picks up any broadcast UDP packets that match the user-configured UDP port number, and forwards those packets to the user-defined destination.
  • Page 169: Safety Information

    Safety Information Important Safety Information WARNING! Read the following safety information thoroughly before installing your Extreme Networks switch. Failure to follow this safety information can lead to personal injury or damage to the equipment. Installation, maintenance, removal of parts, and removal of the unit and components must be done by qualified service personnel only.
  • Page 170: Power Cord

    Safety Information • The appliance coupler (the connector to the unit and not the wall plug) must have a configuration for mating with an EN60320/IEC320 appliance inlet. • France and Peru only This unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labeled Neutral, connected directly to ground.
  • Page 171: Lithium Battery

    Important Safety Information Lithium Battery The lithium battery is not user-replaceable. WARNING! Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions.
  • Page 173: Supported Standards

    Supported Standards The following is a list of software standards supported by ExtremeWare for the Summit 300-48 switch. Standards and Protocols RFC 1122 Host requirements RFC 793 TCP IEEE 802.1D-1998 (802.1p) Packet priority RFC 826 ARP IEEE 802.1Q VLAN tagging RFC 2068 HTTP RFC 2474 DiffServ Precedence RFC 2131 BootP/DHCP relay...
  • Page 175: Downloading A New Image

    Software Upgrade and Boot Options This appendix describes the following topics: • Downloading a New Image on page 175 • Saving Configuration Changes on page 176 • Using TFTP to Upload the Configuration on page 177 • Using TFTP to Download the Configuration on page 178 •...
  • Page 176: Software Upgrade And Boot Options

    Software Upgrade and Boot Options Rebooting the Switch To reboot the switch, use the following command: reboot { time <date> <time> | cancel} where date is the date and time is the time (using a 24-hour clock format) when the switch will be rebooted.
  • Page 177: Using Tftp To Upload The Configuration

    • Modify the configuration using a text editor, and later download a copy of the file to the same switch, or to one or more different switches. • Send a copy of the configuration file to the Extreme Networks Technical Support department for problem-solving purposes.
  • Page 178: Using Tftp To Download The Configuration

    Software Upgrade and Boot Options Using TFTP to Download the Configuration You can download ASCII files that contain CLI commands to the switch to modify the switch configuration. Three types of configuration scenarios can be downloaded: • Complete configuration •...
  • Page 179: Remember To Save

    Upgrading Bootloader Upgrading Bootloader is done using TFTP (from the CLI), after the switch has booted. Upgrade the BootROM only when asked to do so by an Extreme Networks technical representative. To upgrade the BootROM, use the following command: download bootrom [<hostname> | <ipaddress>] <filename>] [ bootstrap | diagnostics |...
  • Page 180: Accessing The Bootloader Cli

    Software Upgrade and Boot Options Table 62: Bootstrap Command Options Option Description boot Boots a loader. enable Enables features. Accesses online help. help Accesses online help. Accesses online help. reboot Reboots the system. zmodem download. show Displays bootstrap information. Sets the file to use for config, loader and image commands.
  • Page 181: Boot Option Commands

    Boot Option Commands Boot Option Commands Table 64 lists the CLI commands associated with switch boot options. Table 64: Boot Option Commands Command Description config download server [primary | secondary] Configures the TFTP server(s) used by a [<hostname> | <ipaddress>] <filename> scheduled incremental configuration download.
  • Page 182 Software Upgrade and Boot Options Table 64: Boot Option Commands (continued) Command Description use configuration [primary | secondary] Configures the switch to use a particular configuration on the next reboot. Options include the primary configuration area or the secondary configuration area. use image [primary | secondary] Configures the switch to use a particular image on the next reboot.
  • Page 183: Troubleshooting

    Troubleshooting If you encounter problems when using the switch, this appendix may be helpful. If you have a problem not listed here or in the release notes, contact your local technical support representative. LEDs Power LED does not light: Check that the power cable is firmly connected to the device and to the supply outlet. On powering-up, the MGMT LED lights yellow: The device has failed its Power On Self Test (POST) and you should contact your supplier for advice.
  • Page 184: Using The Command-Line Interface

    Switch does not power up: All products manufactured by Extreme Networks use digital power supplies with surge protection. In the event of a power surge, the protection circuits shut down the power supply. To reset, unplug the switch for 1 minute, plug it back in, and attempt to power up the switch.
  • Page 185: Port Configuration

    Using the Command-Line Interface Check that the port through which you are trying to access the device has not been disabled. If it is enabled, check the connections and network cabling at the port. Check that the port through which you are trying to access the device is in a correctly configured VLAN.
  • Page 186: Vlans

    Troubleshooting The only way to establish a full duplex link is to either force it at both sides, or run auto-negotiation on both sides (using full duplex as an advertised capability, which is the default setting on the Extreme switch). NOTE A mismatch of duplex mode between the Extreme switch and another network device will cause poor network performance.
  • Page 187: Stp

    CPU utilization by process. Contacting Extreme Technical Support If you have a network issue that you are unable to resolve, contact Extreme Networks technical support. Extreme Networks maintains several Technical Assistance Centers (TACs) around the world to answer networking questions and resolve network problems.
  • Page 188 Troubleshooting • support@extremenetworks.com You can also visit the support website at: • http://www.extremenetworks.com/extreme/support/techsupport.asp to download software updates (requires a service contract) and documentation.
  • Page 189 Index Numerics authentication authentication method 02.1x/EAP 802.1x/EAP 802.11a, 802.11b, 802.11g 802.1p configuration commands (table) autonegotiation access control lists blackhole entries, FDB description boot option commands (table) examples Bootloader ICMP filter example upgrading verifying settings BOOTP access levels and UDP-Forwarding access lists BOOTP relay adding configuring...
  • Page 190 configuration factory defaults downloading features downloading complete ExtremeWare Vista downloading incremental accessing logging browser controls primary and secondary browser setup saving changes capturing screen output schedule download controlling access uploading to file fonts wireless ports home page 47, 48 configuring PoE navigating console connection saving changes...
  • Page 191 DHCP relay disabling names, VLANs enabling network security policies IP route sharing non-aging entries, FDB proxy ARP reset and disable commands (table) resetting opening a Telnet session router interfaces router show commands (table) routing table configuration commands (table) passwords multiple routes default populating forgetting...
  • Page 192 primary image deleting privacy rate-limiting private community, SNMP receive errors protocol analyzers, use with port-mirroring remote logging proxy ARP Remote Monitoring. See RMON communicating with devices outside subnet renaming a VLAN conditions reserved power configuring reset to factory defaults MAC address in response responding to ARP requests responding to requests RF configuration commands...
  • Page 193 Greenwich Mean Time Offsets (table) controlling access NTP servers disconnecting a session software licensing logging security features maximum sessions SSH2 protocol opening a session Spanning Tree Protocol. See STP using speed, ports TFTP SSH2 protocol server authentication key using description 20, 39 time-Based Authentication enabling...
  • Page 194 types UDP-Forwarding voice applications, QoS Web access, controlling web browsing applications, and QoS wireless event logging and reporting example network features networking show commands wireless ports configuration commands configuration process configuring interfaces managing
  • Page 195: Index Of Commands

    Index of Commands config log display 139, 140 config mirroring add clear counters config mirroring delete clear fdb 105, 125 config ports auto off 26, 56 clear inline-power connection-history slot config ports auto on clear inline-power fault ports config ports display-string clear iparp 158, 163 config ports qosprofile...
  • Page 196 config vlan ipaddress 27, 38, 70, 157 disable inline-power ports config vlan name disable inline-power slot config vlan priority disable ipforwarding 159, 164 config vlan qosprofile 123, 130 disable ipforwarding broadcast 159, 164 config vlan tag disable ip-option loose-source-route config vlan udp-profile disable ip-option record-route config wireless port disable ip-option record-timestamp...
  • Page 197 enable inline-power enable inline-power ports save 38, 176, 181 enable inline-power slot show access-list 112, 116 enable ipforwarding 157, 159 show access-mask 112, 116 enable ipforwarding broadcast show accounts enable ip-option loose-source-route show banner enable ip-option record-route show configuration enable ip-option record-timestamp show debug-tracing enable ip-option strict-source-route show dns-client...
  • Page 198 show wireless config show wireless ports show wireless ports interface telnet 31, 36 traceroute 31, 32 unconfig icmp 162, 164 unconfig inline-power detection ports unconfig inline-power disconnect-precedence unconfig inline-power operator-limit ports unconfig inline-power reserved-budget ports unconfig inline-power usage-threshold unconfig inline-power violation-precedence ports 101 unconfig irdp 162, 164 unconfig management...
