Summary of Contents for Extreme Networks ExtremeWare XOS Guide
ExtremeWare XOS Concepts Guide
Software Version 11.3
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(408) 579-2800
(888) 257-3000
http://www.extremenetworks.com
Published: September 2005
Part number: 100194-00 Rev 01...
Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners.
Contents
Preface ... 21
  Introduction ... 21
  Terminology ... 21
  Conventions ... 22
    Platform-Dependent Conventions ... 22
    Text Conventions ... 22
  Related Publications ... 23
  Using ExtremeWare XOS Publications Online ... 23
Part 1: Using ExtremeWare XOS
Chapter 1: ExtremeWare XOS Overview ... 27
  Platforms and Required Software Versions ... 27
  Summary of Features ... 27
    Feature Highlights of ExtremeWare XOS 11.3 ... 28
  Software Licensing ... 33
    Upgrading on the BlackDiamond 10K Switch Only ... 34
...
  Managing Passwords ... 50
    Applying a Password to the Default Account ... 50
    Applying Security to Passwords ... 51
    Displaying Passwords ... 52
  Access to Both MSM Console Ports—Modular Switches Only ... 53
  Domain Name Service Client Services ... 53
  Checking Basic Connectivity ... 54
    Ping ... 54
    Traceroute ... 55
  Displaying Switch Information ... 56
Chapter 3: Managing the Switch ...
...
  SNMPv3 ... 85
    Message Processing ... 86
    SNMPv3 Security ... 86
    SNMPv3 MIB Access Control ... 89
    SNMPv3 Notification ... 90
  Using the Simple Network Time Protocol ... 92
    Configuring and Using SNTP ... 93
    SNTP Example ... 96
Chapter 4: Managing the ExtremeWare XOS Software ... 97
  Overview of the ExtremeWare XOS Software ... 97
    Understanding the ExtremeWare XOS Software ... 97
  Using the ExtremeWare XOS File System ... 98
    Moving or Renaming Files on the Switch ... 98
...
  Load-Sharing Examples ... 125
  Displaying Switch Load Sharing ... 126
  Switch Port Mirroring ... 129
    Switch Port Mirroring on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ... 130
    Switch Port Mirroring on the BlackDiamond 10K Switch Only ... 131
    Switch Port-Mirroring Rules and Restrictions for All Switches ... 131
    Switch Port-Mirroring Examples ... 132
    Verifying the Switch Port-Mirroring Configuration ... 133
  Extreme Discovery Protocol ... 133
...
  PoE Usage Threshold ... 167
  Legacy Devices ... 167
  PoE Operator Limits ... 168
  LEDs ... 168
  Configuring PoE ... 169
    Enabling Inline Power ... 169
    Reserving Power for a Slot ... 170
    Setting the Disconnect Precedence ... 170
    Configuring the Usage Threshold ... 171
    Configuring the Switch to Detect Legacy PDs ... 172
    Configuring the Operator Limit ... 172
    Configuring PoE Port Labels ... 173
    Power Cycling Connected PDs ... 173
...
  Displaying Debug Information ... 209
    Logging Configuration Changes ... 209
  Using sFlow ... 209
    Configuring sFlow ... 210
    Displaying sFlow Information ... 213
  RMON ... 213
    About RMON ... 213
    Supported RMON Groups of the Switch ... 214
    Configuring RMON ... 216
    Event Actions ... 216
    Displaying RMON Information ... 217
Chapter 9: Virtual LANs ... 219
  Overview of Virtual LANs ... 219
    Benefits ... 219
    Virtual Routers and VLANs—BlackDiamond 10K Switch Only ... 220
...
  FDB Contents ... 249
    How FDB Entries Get Added ... 250
    FDB Entry Types ... 250
  FDB Configuration Examples ... 251
    Adding a Permanent Static Entry ... 251
    Configuring the FDB Aging Time ... 252
    Clearing FDB Entries ... 252
    Displaying FDB Entries ... 252
  MAC-Based Security ... 253
    Disabling MAC Address Learning ... 253
    Disabling Egress Flooding ... 254
    Displaying Learning and Flooding Settings ... 256
  Multicast FDB with Multiport Entry—Summit X450 Switch and BlackDiamond 8800 Chassis Only ... 256
...
  Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ... 292
  QoS Profiles ... 293
    QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ... 293
    QoS Profiles on the BlackDiamond 10K Switch ... 294
  Traffic Groupings ... 295
    Precedence of Traffic Groupings ... 295
    ACL-Based Traffic Groupings ... 296
...
Chapter 17: Network Login ... 345
  Network Login Overview ... 345
    Web-Based, MAC-Based, and 802.1x Authentication ... 346
    Multiple Supplicant Support ... 347
    Campus and ISP Modes ... 348
    Network Login and Hitless Failover—Modular Switches Only ... 348
  Configuring Network Login ... 349
    Enabling or Disabling Network Login on the Switch ... 350
    Enabling or Disabling Network Login on a Specific Port ... 350
    Configuring the Move Fail Action ... 350
    Displaying Network Login Settings ... 350
...
    Delta Expression Example ... 389
    Ratio Expression Example ... 390
    Delta-Ratio Expression Example ... 392
Part 2: Using Switching and Routing Protocols
Chapter 19: Ethernet Automatic Protection Switching ... 395
  Licensing ... 395
  Overview of the EAPS Protocol ... 395
    Fast Convergence ... 397
  Fault Detection and Recovery ... 397
    Link Down Message Sent by a Transit Node ... 398
    Ring Port Down Event Sent by Hardware Layer ... 398
    Polling ... 399
...
Chapter 20: Spanning Tree Protocol ... 423
  Overview of the Spanning Tree Protocol ... 423
  Spanning Tree Domains ... 423
    Member VLANs ... 424
    STPD Modes ... 425
    Encapsulation Modes ... 425
    STP States ... 426
    Binding Ports ... 427
    Rapid Root Failover ... 429
    STP and Hitless Failover—Modular Switches Only ... 429
  STP Configurations ... 430
    Basic STP Configuration ... 430
    Multiple STPDs on a Port ... 433
...
    Configuring the ESRP Domain ID ... 468
    Adding VLANs to an ESRP Domain ... 468
    Enabling and Disabling an ESRP Domain ... 469
  Advanced ESRP Features ... 469
    ESRP Tracking ... 469
    ESRP Port Restart ... 473
    ESRP Host Attach ... 473
    ESRP Port Weight and Don’t Count ... 474
    ESRP Groups ... 475
  Displaying ESRP Information ... 476
  Using ELRP with ESRP ... 476
...
    Verifying the IPv4 Unicast Routing Configuration ... 501
  Routing Configuration Example ... 501
  IPv4 Multinetting ... 503
    Multinetting Topology ... 503
    How Multinetting Affects Other Features ... 504
    Configuring IPv4 Multinetting ... 508
    IP Multinetting Examples ... 509
  Configuring DHCP/BOOTP Relay ... 509
    Configuring the DHCP Relay Agent Option (Option 82) ... 510
    Verifying the DHCP/BOOTP Relay Configuration ... 510
  UDP Forwarding ... 511
    Configuring UDP Forwarding ... 511
...
    Poison Reverse ... 541
    Triggered Updates ... 541
    Route Advertisement of VLANs ... 541
  Route Redistribution ... 541
    Configuring Route Redistribution ... 541
  RIPng Configuration Example ... 542
Chapter 27: OSPF ... 543
  Overview of OSPF ... 543
    Licensing ... 543
    OSPF Edge Mode ... 544
    Link State Database ... 544
  Graceful OSPF Restart ... 545
  Areas ... 546
  Point-to-Point Support ... 549
...
    Using the Loopback Interface ... 574
    BGP Peer Groups ... 574
    BGP Route Flap Dampening ... 575
    BGP Route Selection ... 577
    Stripping Out Private AS Numbers from Route Updates ... 577
    Route Redistribution ... 577
    BGP Static Network ... 578
Chapter 30: IP Multicast Routing ... 579
  Overview ... 579
    PIM Overview ... 579
    IGMP Overview ... 581
...
  Inserting Powered Devices in the PoE Module—BlackDiamond 8800 Family of Switches Only ... 633
  Untagged Frames on the 10 Gbps Module—BlackDiamond 10K Switch Only ... 633
  Running MSM Diagnostics from the Bootloader—BlackDiamond 10K Switch Only ... 633
  Contacting Extreme Networks Technical Support ... 634
Appendix C: CNA Agent ... 635
  Overview ... 635
    Redundancy—BlackDiamond 10K Switch and BlackDiamond 8800 Family of Switches Only ... 636
...
  Configuring the CNA Agent ... 637
    Enabling the CNA Agent ... 637
    Connecting to the CNA Server ... 637
    Configuring the Interface ... 638
    Clearing the Counters ... 638
    Displaying CNA Agent Information ... 638
  Troubleshooting ... 639
Appendix D: Supported Protocols, MIBs, and Standards ... 641
Glossary ...
ExtremeWare XOS 11.3 Concepts Guide
This guide provides the required information to configure ExtremeWare XOS™ software version 11.3 running on switches from Extreme Networks®. The guide is intended for use by network administrators who are responsible for installing and setting up network equipment. It assumes a basic working knowledge of:
● Local area networks (LANs)
...
Preface
Conventions
This section discusses conventions used in the documentation. The following topics are discussed:
● Platform-Dependent Conventions on page 22
● Text Conventions on page 22
Platform-Dependent Conventions
Unless otherwise noted, all information applies to all platforms supported by ExtremeWare XOS software, which are the following:
...
● ExtremeWare XOS Command Reference Guide
● Extreme Networks Consolidated XOS Hardware Installation Guide
Documentation for Extreme Networks products is available on the World Wide Web at the following location: http://www.extremenetworks.com/
Using ExtremeWare XOS Publications Online
You can access ExtremeWare XOS publications by downloading them from the Extreme Networks® ...
Preface NOTE If you activate a cross-referencing link from the concepts guide PDF file to the command reference PDF file when the command reference PDF file is closed (that is, not currently open on your computer desktop), the system will close the user guide PDF file and open the command reference PDF file.
ExtremeWare XOS Overview
This chapter covers the following topics:
● Platforms and Required Software Versions on page 27
● Summary of Features on page 27
● Software Licensing on page 33
● Software Factory Defaults on page 36
This chapter provides an overview of the ExtremeWare XOS version 11.3 software.
Platforms and Required Software Versions
ExtremeWare XOS is the full-featured software operating system that is designed to run on Extreme Networks devices.
● Link Aggregation Control Protocol (LACP)
● NetLogin
NOTE For more information on Extreme Networks switch components, see the Extreme Networks Consolidated XOS Hardware Installation Guide.
Feature Highlights of ExtremeWare XOS 11.3
Virtual Routers
NOTE Although the BlackDiamond 8800 family of switches and the Summit X450 switch support the three system virtual routers (VR-Default, VR-Mgmt, VR-Control), the BlackDiamond 10K switch additionally supports user-created virtual routers.
To access the switch using the Secure Shell (SSH), you must download, install, and enable the SSH software module. Once installed, you use the SSH to access the switch. You obtain the SSH software module through your Extreme Networks support account on the website, once you provide the required information.
With software version 11.0, you can use the Extreme Standby Routing Protocol (ESRP). ESRP is an Extreme Networks proprietary protocol that allows multiple switches to provide redundant routing services to users. ESRP also provides Layer 2 redundancy; the Layer 3 and Layer 2 redundancy can be used separately or together.
Summary of Features
IP Multinetting
Software version 11.0 of ExtremeWare XOS introduces IP multinetting, which allows you to overlap multiple subnets onto the same physical segment. IP multinetting is designed for use in legacy networks, as a transitional tactic. For more information on IP multinetting, see Chapter
RMON
With software version 11.1, ExtremeWare XOS introduces Remote Monitoring (RMON), which supports...
Beginning with ExtremeWare XOS version 11.3, you can run the Link Aggregation Control Protocol (LACP) on Extreme Networks devices. LACP enables dynamic load sharing and hot standby for link aggregation links, in accordance with the IEEE 802.3ad standard. Third-party devices that support LACP interoperate with Extreme Networks devices.
Software Licensing
Some Extreme Networks products have capabilities that are enabled by using a software license key. Keys are typically unique to the switch and are not transferable. Keys are stored in NVRAM on the chassis and, once enabled, persist through reboots, software upgrades, power outages, and reconfigurations.
ExtremeWare XOS Overview license provides additional functionality for some features, as well as Border Gateway Protocol (BGP) functionality, on the switches. The Advanced Core license is not available for the BlackDiamond 8800 family of switches or the Summit X450 switch. Once you obtain a license, you cannot downgrade licenses.
United States export restriction control. Extreme Networks ships these security features in a disabled state. You can obtain information on enabling these features at no charge from Extreme Networks. The SSH2 feature is in a separate, loadable software module, which must be installed on the Extreme Networks switches.
Security Features Under License Control ExtremeWare XOS software supports the SSH2 protocol, which allows the encryption of sessions between an SSH2 client and an Extreme Networks switch, as well as the Secure Copy Protocol (SCP). The encryption methods used are under export restriction control.
Software Factory Defaults
Table 4: ExtremeWare XOS version 11.3 global factory defaults (Continued)
Item: Default Setting
802.1Q tagging: All packets are untagged on the default VLAN (default).
Spanning Tree Protocol: Disabled for the switch; enabled for each port in the STPD.
STPD port encapsulation mode: • ...
Accessing the Switch
This chapter covers the following topics:
● Understanding the Command Syntax on page 39
● Port Numbering on page 42
● Line-Editing Keys on page 43
● Command History on page 44
● Common Commands on page 44
...
Accessing the Switch
2 If the command includes a parameter, enter the parameter name and values. The value part of the command specifies how you want the parameter to be set. Values include numerics, strings, or addresses, depending on the parameter.
3 After entering the complete command, press [Return].
NOTE If you use the same name across categories (for example, STPD and VLAN names), Extreme Networks recommends that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.
Accessing the Switch
Table 5: Command syntax symbols
Symbol: Description
angle brackets < >: Enclose a variable or value. You must specify the variable or value. For example, in the syntax configure vlan <vlan> ipaddress <ipaddress> you must supply a VLAN name for <vlan> and an address for <ipaddress> when entering the command.
Line-Editing Keys
Stand-alone Switch Numerical Ranges
On a stand-alone switch, such as the Summit X450 switch, the port number is simply noted by the physical port number, as shown below:
Separate the port numbers by a dash to enter a range of contiguous numbers, and separate the numbers by a comma to enter a range of noncontiguous numbers:
—Specifies a contiguous series of ports on a stand-alone switch.
Accessing the Switch
Table 6: Line-editing keys (Continued)
Key(s): Description
Insert: Toggles on and off. When toggled on, inserts text and shifts previous text to the right.
[Ctrl] + A: Moves cursor to first character in line.
[Ctrl] + E: Moves cursor to last character in line.
[Ctrl] + L: Clears screen and moves cursor to beginning of line.
Common Commands
Table 7: Common commands (Continued)
Command: Description
configure ssh2 key {pregenerated}: Generates the SSH2 host key. You must install the SSH software module in addition to the base image to run SSH.
configure sys-recovery-level [all | ...: Configures a recovery option for instances where an exception occurs in ExtremeWare XOS.
Accessing the Switch
Table 7: Common commands (Continued)
Command: Description
enable clipaging: Enables pausing of the screen display when show command output reaches the end of the page. The default setting is enabled.
enable idletimeout: Enables a timer that disconnects all sessions (both Telnet and console) after 20 minutes of inactivity.
Configuring Management Access
Safe Defaults Setup Method
Once you connect to the console port of the switch, or after you issue the unconfigure switch all CLI command, the system runs the configure safe-default-script interactive script, which begins:
Telnet is enabled by default. Telnet is unencrypted and has been the target of security exploits in the past.
Accessing the Switch
User Account
A user-level account has viewing access to all manageable parameters, with the exception of:
● User account database.
● SNMP community strings.
A person with a user-level account can use the ping command to test device reachability and change the password assigned to the account name.
Configuring Management Access
To change the password on the default account, see “Applying a Password to the Default Account” on page
Creating a Management Account
The switch can have a total of 16 management accounts. You can use the default names (admin and user), or you can create new names and passwords for the accounts.
Accessing the Switch NOTE The information that you use to configure the failsafe account cannot be recovered by Extreme Networks. Technical support cannot retrieve passwords or account names for this account. Protect this information carefully. To access your switch using the failsafe account, you must connect to the serial port of the switch. You cannot access the failsafe account through any other port.
Managing Passwords
NOTE Passwords are case-sensitive; user names are not case-sensitive.
To add a password to the default admin account:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return].
3 Add a default admin password of green by entering the following command:
configure account admin green
To add a password to the default user account:
1 Log in to the switch using the name user.
Accessing the Switch
To age out the password after a specified time, issue the following command:
configure account [all | <name>] password-policy max-age [<num_days> | none]
You can block users from employing previously used passwords by issuing the command:
configure account [all | <name>] password-policy history [<num_passwords> | none]
By default, the system terminates a session once the user has 3 consecutive failed login attempts.
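The policy knobs above (minimum length, character validation, history, max-age, and lockout after consecutive failures) all act on one account-handling path. The following Python model, added here as an example and not code from the guide or from ExtremeWare XOS, exercises that path on a constructed account database: case-sensitive passwords with case-insensitive user names, rejection of reused passwords, expiry after max-age days, and lockout after the text's default of 3 consecutive failures. The storage scheme (salted PBKDF2), the character classes required by char-validation, the handling of unknown account names, and the reference date are assumptions made for the example; the switch's own implementation is not shown on this page.

```python
"""Model of an account password policy with lockout (added example; not from the guide).

Assumed behaviour, following the text:
  - passwords are case-sensitive, user names are not
  - history N: a new password may not equal any of the N most recently used ones
  - max_age N: a password set more than N days ago is reported expired at login
  - lockout_threshold consecutive failed logins lock the account (the (L) flag)
The storage scheme (salted PBKDF2) and the character classes checked are illustrative.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

TODAY = date(2005, 4, 17)        # constructed reference date for the demo
_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")   # assumed char-validation classes


def days_later(n: int) -> date:
    return TODAY + timedelta(days=n)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str                        # stored lower-cased: user names are not case-sensitive
    salt: bytes
    digest: bytes
    changed: date                    # when the current password was set
    old: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest), newest first
    failures: int = 0                # consecutive failed logins
    locked: bool = False             # account lockout flag


@dataclass
class PasswordPolicy:
    min_len: int = 0                 # password-policy min-length
    char_validation: bool = False    # password-policy char-validation
    max_age: Optional[int] = None    # password-policy max-age in days; None = never expires
    history: Optional[int] = None    # password-policy history; None = no reuse check
    lockout_threshold: int = 3       # the text's default of 3 consecutive failures

    def problems(self, acct: Optional[Account], new_pw: str) -> List[str]:
        """Every reason the candidate password is rejected; an empty list means acceptable."""
        out = []
        if len(new_pw) < self.min_len:
            out.append("too-short")
        if self.char_validation and not all(re.search(c, new_pw) for c in _CLASSES):
            out.append("char-validation")
        if self.history and acct is not None:
            recent = [(acct.salt, acct.digest)] + acct.old[: self.history - 1]
            if any(hmac.compare_digest(_digest(new_pw, s), d) for s, d in recent):
                out.append("reused")
        return out


class AccountDB:
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts = {}

    def add(self, name: str, password: str, today: date = TODAY) -> None:
        salt = os.urandom(16)
        self.accounts[name.lower()] = Account(name.lower(), salt, _digest(password, salt), today)

    def set_password(self, name: str, new_pw: str, today: date = TODAY) -> List[str]:
        """Apply the policy; on success rotate the salt and push the old digest into history."""
        acct = self.accounts[name.lower()]
        bad = self.policy.problems(acct, new_pw)
        if bad:
            return bad
        acct.old.insert(0, (acct.salt, acct.digest))
        acct.salt = os.urandom(16)
        acct.digest = _digest(new_pw, acct.salt)
        acct.changed = today
        return []

    def login(self, name: str, password: str, today: date = TODAY) -> str:
        acct = self.accounts.get(name.lower())
        if acct is None:
            _digest(password, b"\0" * 16)     # burn the same work so unknown names are not faster
            return "bad-password"             # and do not reveal whether the account exists
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):  # case-sensitive
            acct.failures += 1
            if acct.failures >= self.policy.lockout_threshold:
                acct.locked = True
                return "locked"
            return "bad-password"
        acct.failures = 0                     # a success resets the consecutive-failure count
        if self.policy.max_age is not None and today > acct.changed + timedelta(days=self.policy.max_age):
            return "expired"
        return "ok"
```

The order of checks in login matters: a locked account answers "locked" before the password is examined, so a guessing client learns nothing further once the threshold is reached, and an expired password still has to be the correct password before the caller is told it has expired.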
Access to Both MSM Console Ports—Modular Switches Only
User Name  Password Expiry Date  Password Max. age  Password Min. len  Password History Limit  Flags
---------------------------------------------------------------------------
admin      None                  None               None
user       None                  None               None
test       Apr-17-2005
---------------------------------------------------------------------------
Flags: (C) Password character validation enabled, (L) Account locked out, (l) Account lockout on login failures enabled
You can also display which accounts may be locked out by issuing the following command:
show accounts...
Accessing the Switch
In addition, the nslookup utility can be used to return the IP address of a hostname. (This command is available only on the Default VR on the BlackDiamond 10K switch.)
You can specify up to eight DNS servers for use by the DNS client using the following command:
configure dns-client add
You can specify a default domain for use when a host name is used without a domain.
Checking Basic Connectivity
Table 9: Ping command parameters (Continued)
Parameter: Description
end-size: Specifies an end size for packets to be sent.
Specifies that the ping request should use UDP instead of ICMP.
dont-fragment: Sets the IP do-not-fragment bit.
Sets the TTL value.
Accessing the Switch
● icmp: Uses ICMP echo messages to trace the routed path.
Beginning with ExtremeWare XOS, you can trace the route between the switch and an IPv6 address. However, you must specify the target’s IPv6 address to use this command.
Displaying Switch Information
To display basic information about the switch, issue the following command:
show switch...
Displaying Switch Information
Current Time:   Sat Feb 14 04:57:33 2004
Timezone:       [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.
Boot Time:      Fri Feb 13 23:57:48 2004
Next Reboot:    None scheduled
Current State:  OPERATIONAL
Image Selected: primary
Image Booted:   primary
Primary ver:    11.2.0.16...
Managing the Switch
This chapter covers the following topics:
● Overview on page 59
● Understanding the ExtremeWare XOS Shell on page 60
● Using the Console Interface on page 60
● Using the 10/100 Ethernet Management Port on page 61
...
Managing the Switch
● Eight shell sessions
● Eight Telnet sessions
● Eight Trivial File Transfer Protocol (TFTP) sessions
● Eight SSH2 sessions
Understanding the ExtremeWare XOS Shell
When you log in to ExtremeWare XOS from a terminal, you enter the shell with a shell prompt displayed.
EPICenter is a powerful yet easy-to-use application suite that facilitates the management of a network of Extreme Networks switches, as well as selected third-party switches. EPICenter offers a comprehensive set of network management tools that are easy to use from a client workstation running EPICenter client software, or from a workstation configured with a web browser and the Java plug-in.
Managing the Switch
Authenticating Users
ExtremeWare XOS provides three methods to authenticate users who log in to the switch:
● RADIUS client
● TACACS+
● Local database of accounts and passwords
NOTE You cannot configure RADIUS and TACACS+ at the same time.
RADIUS Client
Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administrating access to network nodes.
Using Telnet
This section describes the following Telnet topics:
● About the Telnet Client on page 63
● About the Telnet Server on page 63
● Connecting to Another Host Using Telnet on page 64
● Configuring Switch IP Parameters on page 64
...
Managing the Switch Connecting to Another Host Using Telnet You can Telnet from the current CLI session to another host using the following command: telnet {vr <vr_name>} [<host_name> | <remote_ip>] {<port>} NOTE The BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch do not support user-created VRs.
Using Telnet If you need the switch's MAC address to configure your BOOTP or DHCP server, you can find it on the rear label of the switch. Note that all VLANs configured to use BOOTP or DHCP use the same MAC address to get their IP address, so you cannot configure the BOOTP or DHCP server to assign multiple specific IP addresses to a switch depending solely on the MAC address.
Managing the Switch
NOTE As a general rule, when configuring any IP addresses for the switch, you can express a subnet mask by using dotted decimal notation or by using Classless Inter-Domain Routing (CIDR) notation. CIDR uses a forward slash plus the number of bits in the subnet mask.
Using Telnet To configure the virtual router from which you receive a Telnet request, use the following command: configure telnet vr [all | default | <vr_name>] To change the default TCP port number, use the following command: configure telnet port [<portno> | default] The range for the port number is 1 through 65535.
Managing the Switch
Entry AllowTheRest { ; #none specified then permit;
Configuring Telnet to Use ACL Policies
This section assumes that you have already loaded the policy on the switch. For more information about creating and implementing ACLs and policies, see Chapter “Policy Manager”...
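An access profile such as the fragment above is an ordinary policy file: a sequence of entry blocks, each pairing an if { conditions } section with a then { action } section, evaluated from the top with the first matching entry deciding, and an entry with no conditions ("none specified") matching everything. The Python below, added here as an example and not code from the guide or from the switch, parses a constructed policy written in that style and decides whether a Telnet client's source address is permitted. It supports only the source-address condition and the permit and deny actions, and it assumes that a client matching no entry is refused; the full policy language has many more conditions, and the no-match behaviour is not stated on this page.

```python
"""Evaluate a Telnet access-profile policy (added example; not the switch's code).

Supported subset, assumed for the example:
  entry NAME { if { source-address CIDR; ... } then { permit|deny; } }
'#' starts a comment, entries are tried in file order, the first match wins,
an empty 'if { }' matches every source, and no match yields DEFAULT_ACTION.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

DEFAULT_ACTION = "deny"   # assumption: a client that matches no entry is refused

# Constructed sample policy in the guide's file style (not from the page).
SAMPLE_POLICY = """
# Allow Telnet from the management LAN only, then refuse everyone else.
entry AllowMgmtLan {
    if {
        source-address 10.10.0.0/16;
    } then {
        permit;
    }
}
entry DenyTheRest {
    if {
    } then {
        deny;        # none specified, so this matches every source
    }
}
"""

_TOKEN = re.compile(r"#[^\n]*|[{};]|[^\s{};#]+")

Entry = Tuple[str, List[List[str]], List[List[str]]]   # (name, conditions, actions)


def tokenize(text: str) -> List[str]:
    """Split into words and the structural tokens { } ; and drop '#' comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith("#")]


def parse_policy(text: str) -> List[Entry]:
    toks = tokenize(text)
    pos = 0
    entries: List[Entry] = []

    def expect(word: str) -> None:
        nonlocal pos
        if pos >= len(toks) or toks[pos] != word:
            got = toks[pos] if pos < len(toks) else "<end>"
            raise SyntaxError(f"expected {word!r}, got {got!r}")
        pos += 1

    def block() -> List[List[str]]:
        """'{ stmt; stmt; }' -> list of statements, each a list of words."""
        nonlocal pos
        expect("{")
        stmts, cur = [], []
        while pos < len(toks) and toks[pos] != "}":
            if toks[pos] == ";":
                stmts.append(cur)
                cur = []
            else:
                cur.append(toks[pos])
            pos += 1
        if cur:
            raise SyntaxError("statement missing ';'")
        expect("}")
        return stmts

    while pos < len(toks):
        expect("entry")
        name = toks[pos]
        pos += 1
        expect("{")
        expect("if")
        conds = block()
        expect("then")
        acts = block()
        expect("}")
        entries.append((name, conds, acts))
    return entries


def _matches(conds: List[List[str]], src: str) -> bool:
    for cond in conds:
        if cond[0] == "source-address" and len(cond) == 2:
            if ipaddress.ip_address(src) not in ipaddress.ip_network(cond[1], strict=False):
                return False
        else:
            raise ValueError(f"unsupported condition {' '.join(cond)!r}")
    return True   # no conditions at all: matches every source


def evaluate(entries: List[Entry], src: str) -> Tuple[str, Optional[str]]:
    """First matching entry decides; returns (action, entry name) or (DEFAULT_ACTION, None)."""
    for name, conds, acts in entries:
        if _matches(conds, src):
            action = acts[0][0] if acts else DEFAULT_ACTION
            if action not in ("permit", "deny"):
                raise ValueError(f"unsupported action {action!r} in entry {name}")
            return action, name
    return DEFAULT_ACTION, None
```

Because evaluation stops at the first match, the order of entries is the policy: a permit-all entry placed before a more specific deny silently disables the deny. Unknown conditions raise rather than being skipped, so a typo in a condition name cannot turn a restrictive entry into a match-everything one.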
Chapter “Software Upgrade and Boot Options.” Extreme Networks recommends using a TFTP server that supports blocksize negotiation (as described in RFC 2348, TFTP Blocksize Option), to enable faster file downloads and larger file downloads. For detailed information about downloading ACL (and other) policy files, see Chapter “Policy...
Managing the Switch
NOTE The BlackDiamond 8800 family of switches and the Summit X450 switch do not support user-created VRs.
The TFTP session defaults to port 69. If you do not specify a virtual router, VR-Mgmt is used. For example, to connect to a remote TFTP server with an IP address of 10.123.45.67 and “get” or retrieve an ExtremeWare XOS configuration file named XOS1.cfg from that host, use the following command:
tftp 10.123.45.67 -g -r XOS1.cfg
Note that TFTP provides no authentication and carries the file in cleartext, so a configuration file transferred this way is readable by anyone who can observe the traffic. When you “get”...
Understanding System Redundancy with Dual MSMs Installed—Modular Switches Only
● Health of secondary hardware components—This represents the health of the switch components, such as power supplies, fans, and so forth.
● Slot ID—The MSM slot where the node is installed (MSM-A or MSM-B).
...
Managing the Switch Replicating Data Between Nodes ExtremeWare XOS replicates configuration and run-time information between the master MSM and the backup MSM so that the system can recover if the master fails. This method of replicating data is known as checkpointing. Checkpointing is the process of automatically copying the active state from the master to the backup, which allows for state recovery if the master fails.
Understanding System Redundancy with Dual MSMs Installed—Modular Switches Only
After one application completes bulk checkpointing, the next application proceeds with its bulk checkpointing. To monitor the checkpointing status, use the show checkpoint-data {<process>} command. To view the status of bulk checkpointing and see if the backup MSM is synchronized with the master MSM, use the command.
Managing the Switch
Table 10: Node states (Continued)
Node State: Description
FAIL: In the fail state, the node has failed and needs to be restarted or repaired. The node reaches this state if the system has a hardware or software failure.
INIT: In the initial state, the node is being initialized.
Understanding Hitless Failover Support—Modular Switches Only
Table 11: Protocol support for hitless failover
Protocol: Behavior
Spanning Tree Protocol (STP): Hitless. STP supports hitless failover including catastrophic failure of the MSM without interruption. There should be no discernible network event external to the box. The protocol runs in lock step on both MSMs and the backup MSM is a hot spare that can take over at any time with no impact on the network.
Managing the Switch
Table 11: Protocol support for hitless failover (Continued)
Protocol: Behavior
EAPS (continued): Hitless. EAPS Shared Ports, Partner Mode: since the Partner node does not actively block traffic, whether the state is Ready or Blocking, it does not make any difference if the master MSM fails over.
Understanding Hitless Failover Support—Modular Switches Only
Table 11: Protocol support for hitless failover (Continued)
Protocol: Behavior
Open Shortest Path First (OSPF): Hitless. If you configure OSPF graceful restart, there is no traffic interruption. However, after OSPF comes up after restart, OSPF re-establishes sessions with its neighbors and relearns Link State Advertisements (LSAs) from all of the neighbors.
Managing the Switch
Table 12: Platform support for hitless failover
Platform: Protocol: ExtremeWare XOS Version
BlackDiamond 10K: ESRP: ExtremeWare XOS 11.0
BlackDiamond 10K: OSPF graceful restart: ExtremeWare XOS 11.3
BlackDiamond 10K: Network login: ExtremeWare XOS 11.3
BlackDiamond 10K: ... : ExtremeWare XOS 11.0
BlackDiamond 8800 family: ESRP: ExtremeWare XOS 11.3...
Understanding Power Supply Management
Using Power Supplies—Modular Switches Only
ExtremeWare XOS monitors and manages power consumption on the switch by periodically checking the power supply units (PSUs) and testing them for failures. To determine the health of the PSU, ExtremeWare XOS checks the voltage, current, and temperature of the PSU. The power management capability of ExtremeWare XOS:
● Protects the system from overload conditions
...
Managing the Switch
■ Redundant or N+1—Power from a single PSU can be lost and no I/O modules are powered down.
■ Sufficient, but not redundant—Power from a single PSU is lost, and one or more I/O modules are powered down.
■ Insufficient—One or more modules are not powered up due to a shortfall of available power.
The Summit X450 switch supports an internal power supply with a range of 90V to 240V AC power as well as an external redundant power supply. The Extreme Networks External Power System (EPS) allows you to add a redundant power supply to the Summit X450 switch to protect against a power supply failure.
If you experience a PSU failure and have an external PSU installed, the switch uses the external PSU to maintain power to the switch. For more information about the Summit X450 switch and the EPS, see the Extreme Networks Consolidated XOS Hardware Installation Guide.
Using the Simple Network Management Protocol
● Message Processing on page 86
● SNMPv3 Security on page 86
● SNMPv3 MIB Access Control on page 89
● SNMPv3 Notification on page 90
Enabling and Disabling SNMPv1/v2c and SNMPv3
ExtremeWare XOS can concurrently support SNMPv1/v2c and SNMPv3. The default is both types of SNMP enabled.
Managing the Switch Accessing Switch Agents To access the SNMP agent residing in the switch, at least one VLAN must have an assigned IP address. By default, SNMP access and SNMPv1/v2c traps are enabled. SNMP access and SNMP traps can be disabled and enabled independently—you can disable SNMP access but still allow SNMP traps to be sent, or vice versa.
SNMPv1 and SNMPv2c provided no privacy and little security. The following six RFCs provide the foundation for the Extreme Networks implementation of SNMPv3: RFC 2570, Introduction to version 3 of the Internet-standard Network Management Framework, provides an ●...
USM Timeliness Mechanisms An Extreme Networks switch has one SNMPv3 engine, identified by its snmpEngineID. The first four octets are fixed to 80:00:07:7C, which represents the Extreme Networks vendor ID. By default, the additional octets for the snmpEngineID are generated from the device MAC address.
Page 87
Using the Simple Network Management Protocol to the security level of no authorization, no privacy. To set the snmpEngineID, use the following command: configure snmpv3 engine-id <hex_engine_id> SNMPEngineBoots can also be configured from the command line. SNMPEngineBoots can be set to any desired value but will latch on its maximum, 2147483647.
Page 88
Managing the Switch subtree that can be written to, and notify view defines the subtree that notifications can originate from. MIB views are discussed in “SNMPv3 MIB Access Control” on page A number of default (permanent) groups are already defined. These groups are: admin, initial, v1v2c_ro, v1v2c_rw.
Using the Simple Network Management Protocol For privacy, a 16-octet key is provided as input to the DES-CBC encryption protocol, which generates an encrypted PDU to be transmitted. DES uses bytes 1-7 to make a 56-bit key. This key (encrypted itself) is placed in msgPrivacyParameters of SNMPv3 PDUs when the security level is specified as AuthPriv.
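The two passages above describe the snmpEngineID layout (fixed vendor prefix 80:00:07:7C followed by octets derived from the device MAC) and the 16-octet USM privacy key that the engine consumes. The following Python, added here as an example and not code from the guide or from ExtremeWare XOS, shows how those pieces fit together: it builds an engine ID of that shape, decodes the enterprise number from the prefix, and runs the RFC 3414 password-to-key and key-localization steps that turn an operator's pass phrase into the 16-octet privacy key for one specific engine. The MAC address and pass phrase are constructed sample values; the format octet 0x03 is the RFC 3411 "MAC address" convention and is an assumption about how the switch fills the trailing octets, since the guide only says they come from the MAC. The practical point for an operator is that the same pass phrase yields a different localized key on every engine, so a captured key from one switch does not transfer to another.

```python
import hashlib
from typing import Tuple

# Fixed first four octets of an Extreme Networks snmpEngineID (from the guide):
# high bit set plus the 31-bit IANA enterprise number.
EXTREME_ENGINE_ID_PREFIX = bytes.fromhex("8000077c")
# RFC 3411 format octet meaning "the remaining six octets are a MAC address".
# Assumption: the guide only states the trailing octets derive from the MAC.
ENGINE_ID_FORMAT_MAC = 0x03
RFC3414_EXPANSION_LEN = 1048576  # password is repeated cyclically out to 1 MiB before hashing


def engine_id_from_mac(mac: str, prefix: bytes = EXTREME_ENGINE_ID_PREFIX) -> bytes:
    """Build a default-style snmpEngineID: vendor prefix + format octet + device MAC."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be six octets")
    return prefix + bytes([ENGINE_ID_FORMAT_MAC]) + mac_bytes


def enterprise_number(engine_id: bytes) -> int:
    """Decode the 31-bit enterprise number carried in the first four octets (RFC 3411)."""
    return int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF


def password_to_key_md5(password: str) -> bytes:
    """RFC 3414 A.2.1: Ku = MD5 over the password repeated cyclically to 1,048,576 octets."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    expanded = (pw * (RFC3414_EXPANSION_LEN // len(pw) + 1))[:RFC3414_EXPANSION_LEN]
    return hashlib.md5(expanded).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.1: bind the user key to one engine, Kul = MD5(Ku || snmpEngineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def split_des_privacy_key(kul: bytes) -> Tuple[bytes, bytes]:
    """RFC 3414 8.1.1.1: the first 8 octets are the DES key (56 effective bits; the low
    bit of each octet is parity) and the last 8 octets are the pre-IV for CBC mode."""
    if len(kul) != 16:
        raise ValueError("localized privacy key must be 16 octets")
    return kul[:8], kul[8:]


def derive_privacy_key(password: str, engine_id: bytes) -> Tuple[bytes, bytes]:
    """Full chain: pass phrase -> Ku -> Kul for this engine -> (DES key, pre-IV)."""
    return split_des_privacy_key(localize_key(password_to_key_md5(password), engine_id))


if __name__ == "__main__":
    # Constructed sample MAC, not a real device.
    eid = engine_id_from_mac("00:04:96:aa:bb:cc")
    print("snmpEngineID:", eid.hex(), "enterprise:", enterprise_number(eid))
    # "maplesyrup" is the sample pass phrase used in RFC 3414 Appendix A.3.
    des_key, pre_iv = derive_privacy_key("maplesyrup", eid)
    print("DES key:", des_key.hex(), "pre-IV:", pre_iv.hex())
```

The RFC 3414 Appendix A.3 test vector (pass phrase "maplesyrup", engine ID 00…02) is the quickest way to confirm a reimplementation of this derivation agrees with the standard before comparing it against a switch.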
Managing the Switch To delete a MIB view, use the following command: configure snmpv3 delete mib-view [all-non-defaults | {[[hex <hex_view_name>] | <view_name>] {subtree <object_identifier>}}] MIB views that are used by security groups cannot be deleted. SNMPv3 Notification SNMPv3 can use either SNMPv1 traps or SNMPv2c notifications to send information from an agent to the network manager.
Page 91
Using the Simple Network Management Protocol you associate it with a parameter name, so you must create different target parameter names if you use different filters for different target addresses. To create a target parameter name and to set the message processing and security settings associated with it, use the following command: configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex <hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1...
Managing the Switch To remove the association of a filter profile or all filter profiles with a parameter name, use the following command: configure snmpv3 delete filter-profile [all |[[hex <hex_profile_name>] | <profile_name>] {param [[hex <hex_param_name>] | <param_name>}]] Notification Tags When you create a target address, either you associate a list of notification tags with the target or, by default, the defaultNotify tag is associated with the target.
Using the Simple Network Time Protocol Configuring and Using SNTP To use SNTP, follow these steps: 1 Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method for obtaining NTP updates. The options are for the NTP server to send out broadcasts or for switches using NTP to query the NTP server(s) directly.
Page 94
Managing the Switch Table 14: Time zone configuration command options (Continued) absolute_day Specifies a specific day of a specific year on which to begin or end DST. Format is: <month> <day> <year> where: • <month> is specified as 1-12 • <day> is specified as 1-31 •...
Page 95
Using the Simple Network Time Protocol NTP updates are distributed using GMT time. To properly display the local time in logs and other time-stamp information, the switch should be configured with the appropriate offset to GMT based on geographical location. Table 15 lists GMT offsets.
Managing the Switch
Table 15: Greenwich Mean Time offsets (Continued)
GMT Offset in Hours  GMT Offset in Minutes  Common Time Zone References                                        Cities
+10:00               +600                   EAST - East Australian Standard; GST - Guam Standard; Russia Zone 9
+11:00               +660
+12:00               +720                   IDLE - International Date Line East                                Wellington, New Zealand;...
Managing the ExtremeWare XOS Software This chapter covers the following topics: Overview of the ExtremeWare XOS Software on page 97 ● Using the ExtremeWare XOS File System on page 98 ● Managing the Configuration File on page 102 ● Managing ExtremeWare XOS Processes on page 103 ●...
Managing the ExtremeWare XOS Software Configuration file management—With the enhanced configuration file management, you can oversee and manage multiple configuration files on your switch. In addition, you can upload, download, modify, and name configuration files used by the switch. Process control—With process control, you can stop and start processes, restart failed processes, and update the software for a specific process or set of processes.
Using the ExtremeWare XOS File System Where the following is true: ● memorycard—Specifies the removable external compact flash memory card. (This parameter is available only on modular switches.) ● old-name—Specifies the current name of the configuration or policy file. ● —Specifies the new name of the configuration or policy file.
Managing the ExtremeWare XOS Software Configuration files have a .cfg file extension; policy files have a .pol file extension. When you copy a configuration or policy file from the system, make sure you specify the appropriate file extension. For example, if you want to copy a policy file, specify the filename and .pol. When you copy a file on the switch, a message similar to the following appears: Copy config test.cfg to config test1.cfg on switch? (y/n) Enter...
Using the ExtremeWare XOS File System Example The following command displays all of the configuration and policy files stored on your switch: The following is sample output from this command: total 424 -rw-r--r-- 1 root root 50 Jul 30 14:19 hugh.pol -rw-r--r-- 1 root root...
Managing the ExtremeWare XOS Software For the memorycard option, this command removes/deletes an existing file on the external memory card. Example The following example removes the policy file named newpolicy.pol from the system: rm newpolicy.pol On a modular switch with an external memory card installed, the following command removes the policy file named test.pol from the external memory card: rm memorycard test.pol Managing the Configuration File...
Managing ExtremeWare XOS Processes For more information about saving, uploading, and downloading configuration files, see “Saving Configuration Changes” on page 601. Managing ExtremeWare XOS Processes ExtremeWare XOS consists of a number of cooperating processes running on the switch. With process control, under certain conditions, you can stop and start processes, restart failed processes, examine information about the processes, and update the software for a specific process or set of processes.
Resource usage ● Stopping a Process If recommended by Extreme Networks Technical Support personnel, you can stop a running process. To stop a running process, use the following command: terminate process <name> [forceful | graceful] {msm <slot>} Where the following is true: —Specifies the name of the process.
Understanding Memory Protection Starting a Process To start a process, use the following command: start process <name> {msm <slot>} Where the following is true: ● name—Specifies the name of the process. ● —Specifies the slot number of the MSM. A specifies the MSM installed in slot A. B specifies the...
● seconds 60 seconds. Extreme Networks recommends the default setting for most network environments. If you enter a number lower than 20 seconds, CPU utilization may increase. —Specifies the CPU threshold value. CPU usage is measured in percentages. The default ●...
Monitoring CPU Utilization By default, CPU monitoring is enabled and occurs every 20 seconds. The default CPU threshold value is 60%. Displaying CPU Utilization History To display the CPU utilization history of one or more processes, use the following command: show cpu-monitoring {process <name>} {slot <slotid>} Where the following is true: —Specifies the name of the process.
Page 108
Managing the ExtremeWare XOS Software MSM-A 10.2 0.99 0.47 MSM-A elrp 0.44 0.28 MSM-A 12.2 1.1 1.16 MSM-A 4.18 MSM-A esrp 0.44 0.36 MSM-A etmon 23.3 21.84 7.24 The following is sample truncated output from a Summit X450 switch: CPU Utilization Statistics - Monitored every 25 seconds ----------------------------------------------------------------------- Process Total...
Configuring Slots and Ports on a Switch This chapter covers the following topics: Configuring a Slot on a Modular Switch—BlackDiamond 10K Switch and BlackDiamond 8800 ● Family of Switches Only on page 109 Configuring Ports on a Switch on page 111 ●...
Configuring Slots and Ports on a Switch NOTE For information on saving the configuration, see Appendix You configure the modular switch with the type of input/output (I/O) module that is installed in each slot. To do this, use the following command: configure slot <slot>...
Configuring Ports on a Switch When you issue any commands specifying a slot that contains an MSM (slot 5 with one MSM and slot slots 5 and 6 with two MSMs) on the BlackDiamond 8810 switch, those commands affect only the data ports on that slot;...
Configuring Slots and Ports on a Switch Configuring Switch Port Speed and Duplex Setting on page 113 ● Port Numbering ExtremeWare XOS runs on both stand-alone and modular switches, and the port numbering scheme is slightly different on each. This section covers the following topics: Stand-alone Switch Numerical Ranges on page 112 ●...
Configuring Ports on a Switch Enabling and Disabling Switch Ports By default, all ports are enabled. To enable or disable one or more ports on a switch, use the following commands: enable port [<port_list> | all] disable port [<port_list> | all] For example, to disable slot 7, ports 3, 5, and 12 through 15 on a modular switch, use the following command: disable port 7:3,7:5,7:12-7:15...
Page 114
The system then stops transmitting or receiving traffic from that link. Once the fault is alleviated, the system puts the link back up and the traffic automatically resumes. The Extreme Networks implementation of LFS conforms to the IEEE standard 802.3ae-2002. NOTE On the BlackDiamond 10K switch, the 10 Gbps module must have the serial number 804405-00-09 or higher to support LFS.
Page 115
Configuring Ports on a Switch configure ports 1:1 auto off duplex full The 10 Gbps ports do not autonegotiate; they always run at full duplex and 10 Gbps speed. Table 17 lists the support for autonegotiation, speed, and duplex setting for the various types of ports. Table 17: Support for autonegotiation on various ports Port Autonegotiation...
The switch only performs IP fragmentation, or participates in maximum transmission unit (MTU) negotiation on behalf of devices that support jumbo frames. You need jumbo frames when running the Extreme Networks VMAN implementation. When you are working on the BlackDiamond 10K switch, the switch enables jumbo frames when you configure VMANs.
Jumbo Frames configure jumbo-frame-size <framesize> The jumbo frame size range is 1523 to 9216. This value describes the maximum size of the frame in transit (on the wire), and includes 4 bytes of CRC plus another 4 bytes if 802.1Q tagging is being used. Set the MTU size for the VLAN, using the following command: configure ip-mtu <mtu>...
Configuring Slots and Ports on a Switch ExtremeWare XOS supports the fragmenting of IP packets. If an IP packet originates in a local network that allows large packets and those packets traverse a network that limits packets to a smaller size, the packets are fragmented instead of discarded.
Load sharing, link aggregation, and trunking are terms that have been used interchangeably in Extreme Networks documentation to refer to the same feature, which allows multiple physical ports to be aggregated into one logical port, or link aggregation group (LAG).
Configuring Slots and Ports on a Switch Link Aggregation and Software-Controlled Redundant Ports— Summit X450 Switch Only If you are configuring software-controlled redundant ports and link aggregation together, the following rules apply: Only the master logical port can be either a primary or a redundant port. ●...
Page 121
Link Aggregation on the Switch Link Aggregation Algorithm on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch NOTE You cannot configure port-based load sharing on the BlackDiamond 8800 family of switches or the Summit X450 switch. Address-based load sharing. When you configure address-based load sharing, the switch examines a specific place in the packet to determine which egress port to use for forwarding traffic: For Layer 2 load sharing, the switch uses the MAC source address and destination address.
Beginning with ExtremeWare XOS version 11.3, you can run the Link Aggregation Control Protocol (LACP) on Extreme Networks devices. LACP enables dynamic load sharing and hot standby for link aggregation links, in accordance with the IEEE 802.3ad standard. All third-party devices supporting LACP run with Extreme Networks devices.
The marker protocol portion of LACP ensures that all traffic on a link has been received in the order in which it was sent and is used when links must be dynamically moved between aggregation groups. The Extreme Networks LACP implementation responds to marker frames but does not initiate these frames. NOTE...
Page 124
Configuring Slots and Ports on a Switch Adding and Deleting Ports in a Load-Sharing Group Ports can be added or deleted dynamically in a load-sharing group, or LAG. To add or delete ports from a load-sharing group, use the following commands: configure sharing <port>...
Link Aggregation on the Switch commands. It can be thought of as the logical port representing the entire port group, and it serves as the LAG Group ID. To create a LAG for LACP, take the following steps: 1 Create a LAG, using the following command: enable sharing <port>...
Configuring Slots and Ports on a Switch In this example, logical port 9 represents physical ports 9 through 12. When using load sharing, you should always reference the master logical port of the load-sharing group (port 9 in the previous example) when configuring or viewing VLANs; the logical port serves as the LAG Group ID.
Page 127
Link Aggregation on the Switch Dynamic link aggregation—LACP ● To verify your configuration, use the following command: show ports sharing The following is an example of the display you see when you display load sharing, or link aggregation, on the Summit X450 switch: Load Sharing Monitor Config Current...
Page 128
Configuring Slots and Ports on a Switch Actor Actor Partner Partner Partner Sys-Pri Sys-Pri Count -------------------------------------------------------------------------------- 0x0fa5 00:01:30:f9:9c:30 0x1f47 Port list: Member Actor Partner Port State Logic State Flags Port -------------------------------------------------------------------------------- Current Selected Collect-Dist A-GSCD-- 8015 Current Selected Collect-Dist A-GSCD-- 8016 Current Selected...
Switch Port Mirroring The following is an example of the output you see when you display the LACP information for port 5 on the Summit X450 switch: Member Actor Partner Port State Logic State Flags Port -------------------------------------------------------------------------------- Current Selected Collect-Dist A-GSCD-- 1005 ================================================================================...
Configuring Slots and Ports on a Switch Port mirroring configures the switch to copy all traffic associated with one or more ports. The monitor port can then be connected to a network analyzer or RMON probe for packet analysis. The system uses a traffic filter that copies a group of traffic to the monitor port.
Switch Port Mirroring Mirroring is not compatible with SFlow. Mirroring is not enabled! All traffic egressing the monitor port is tagged on the BlackDiamond 8800 family of switches and the Summit X450 switch. Even if some untagged ports send mirrored traffic to the monitor port, that traffic also egresses the monitor port tagged with the internal VLAN ID.
Configuring Slots and Ports on a Switch Unconfigure a slot (for all port-based filters on that slot). ■ Any mirrored port can also be enabled for load sharing (or link aggregation); however, each ● individual port of the load-sharing group must be explicitly configured for mirroring. The monitor port is automatically removed from all VLANs;...
Port number 2:1 in all vlans Extreme Discovery Protocol The Extreme Discovery Protocol (EDP) is used to gather information about neighbor Extreme Networks switches. EDP is used by the switches to exchange topology information. Information communicated using EDP includes: Switch MAC address (switch ID) ●...
EDP is enabled on all ports by default. EDP-enabled ports advertise information about the Extreme Networks switch to other switches on the interface and receive advertisements from other Extreme Networks switches. Information about other Extreme Networks switches is discarded after a timeout interval is reached without receiving another advertisement.
Software-Controlled Redundant Port and Smart Redundancy ============================================================================= Port 1:1: EDP is Enabled Tx stats: sw-pdu-tx=2555 vlan-pdu-tx=1465 pdu-tx-err=0 Rx stats: sw-pdu-rx=2511 vlan-pdu-rx=2511 pdu-rx-err=0 Time of last transmit error: None Time of last receive error: None Remote-System: BD10K Age = 41 Remote-ID: 00:00:00:30:48:41:ed:97 Software version: 11.1.0.19...
Configuring Slots and Ports on a Switch Figure 1: Dual-homed implementation for switch C (figure labels: Switch A, Switch B, Primary Link, Redundant Link, Switch C) In normal operation, the primary port is active and the software redundant switch (switch C in Figure 1) blocks the redundant port for all traffic, thereby avoiding a loop in the network.
Software-Controlled Redundant Port and Smart Redundancy NOTE On the BlackDiamond 10K switch, on 10 Gbps modules with a serial number lower than 804405-00-09, the software redundant port feature covers only those failures where both the TX and RX paths fail. If a single strand of fiber is pulled on these ports, the software redundant port cannot correctly recover from the failure. To display the serial number of the module, issue the show slot <slot_number>...
Configuring Slots and Ports on a Switch The following is sample output on a modular switch of the show port 1:1 information detail command after redundancy is configured: Virtual-router: VR-Default Type: Random Early drop: Disabled Admin state: Enabled with auto-speed sensing auto-duplex Link State: Active, 100Mbps, full-duplex...
Configuring Automatic Failover for Combination Ports—Summit X450 Switch Only but they are never active concurrently. If you plan to use the automatic failover feature, ensure that port settings are set correctly for autonegotiation. Summit X450 ports do not advertise or support flow control frames.
Configuring Slots and Ports on a Switch Figure 3: Redundancy cabling for the Summit X450-24x switch The switch determines whether the port uses the primary or redundant media based upon the order in which the connectors are inserted into the switch. When the switch senses a mini-GBIC and a copper connector are inserted, the switch enables the uplink redundancy feature.
Page 141
Displaying Port Configuration Information VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO VR-Default AUTO AUTO...
Page 142
Configuring Slots and Ports on a Switch Port Diag Flags Link Link Num Num Jumbo QOS Load State STP VLAN Proto Size profile Master ================================================================================ Em------e-- ready 9216 ================================================================================ Flags : a - Load Sharing Algorithm address-based, D - Port Disabled, e - Extreme Discovery Protocol Enabled, E - Port Enabled, f - Flooding Enabled, g - Egress TOS Enabled, j - Jumbo Frame Enabled, l - Load Sharing Enabled, m - MACLearning Enabled,...
Displaying Port Configuration Information Port Display—Summit X450 Switch Only The following command displays more specific information for port 3 on a Summit X450 switch: show ports 3 information detail Following is sample output from this command: Port: Virtual-router: VR-Default Type: Random Early drop: Disabled Admin state:...
Configuring Slots and Ports on a Switch Port Display—BlackDiamond 8800 Family of Switches Only The following command displays more specific information for slot 3, port 1 on a BlackDiamond 8810 switch: show ports 3:1 information detail Following is sample output from this command: Port: Virtual-router: VR-Default Type:...
Displaying Port Configuration Information Port Display—BlackDiamond 10K Series Switch Only The switch displays slightly different information for various ports, depending on the speed and media. The following command displays more specific information for slot 1, port 1 on a BlackDiamond 10K switch: show ports 1:1 information detail Following is sample output from this command:...
Page 146
Link Layer Discovery Protocol This chapter covers the following topics: Overview on page 147 ● LLDP Messages on page 148 ● Managing LLDP on page 150 ● Supported TLVs on page 150 ● Configuring LLDP on page 156 ● Displaying LLDP Settings on page 160 ●...
The length of the packet cannot exceed 1500 bytes. As you add TLVs, you increase the length of the LLDP frame. Once you reach 1500 bytes, the remaining TLVs are dropped. Extreme Networks recommends that you advertise information regarding only one or two VLANs on the LLDP port, to avoid dropped TLVs.
LLDP TLVs as well as the configured optional TLVs. The LLDP agent running on the Extreme Networks switch passes serially through the list of ports that are enabled for LLDP and periodically transmits an LLDP frame containing the mandatory TLVs and any configured optional TLVs.
Link Layer Discovery Protocol Managing LLDP LLDP can work in tandem with EDP. LLDP is disabled by default, and EDP is enabled by default. LLDP information is transmitted periodically and stored for a finite period. You access the information using SNMP.
Page 151
Supported TLVs NOTE To avoid exceeding the 1500-byte limit, Extreme Networks recommends sending information on only one or two VLANs on the LLDP port. Any TLVs that exceed the limit are dropped. The following TLVs are enabled by default when LLDP transmit is enabled on a port: Chassis ID ●...
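The LLDPDU size rule stated twice above (the 1500-byte limit, after which remaining TLVs are dropped, and the resulting advice to advertise only one or two VLANs per port) is easy to check with a small TLV encoder. The following Python is an added example, not code from the guide or from ExtremeWare XOS: it encodes the IEEE 802.1AB TLV header (7-bit type, 9-bit length), the three mandatory TLVs, and the IEEE 802.1 VLAN Name TLV, then assembles an LLDPDU that stops adding optional TLVs once the next one would push the frame past the limit, counting how many were dropped (the figure the "Tx Length Exceeded" column reports). It also includes a parser so the output can be walked back into TLVs, which is the defender's check when auditing what a port actually advertises. The MAC address, port name, TTL and VLAN names are constructed values, and applying the 1500-byte limit to the TLV payload is an assumption, since the guide does not state whether Ethernet framing is counted.

```python
import struct
from typing import List, Tuple

# The guide states an LLDPDU cannot exceed 1500 bytes; assumed here to apply to the TLV payload.
LLDPDU_MAX_BYTES = 1500

# TLV type codes and subtypes from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_ORG_SPECIFIC = 127
OUI_IEEE_8021 = bytes.fromhex("0080c2")
SUBTYPE_8021_VLAN_NAME = 3
CHASSIS_ID_SUBTYPE_MAC = 4
PORT_ID_SUBTYPE_IFNAME = 5


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two octets, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def chassis_id_mac(mac: str) -> bytes:
    return tlv(TLV_CHASSIS_ID, bytes([CHASSIS_ID_SUBTYPE_MAC]) + bytes.fromhex(mac.replace(":", "")))


def port_id_ifname(name: str) -> bytes:
    return tlv(TLV_PORT_ID, bytes([PORT_ID_SUBTYPE_IFNAME]) + name.encode())


def ttl(seconds: int) -> bytes:
    return tlv(TLV_TTL, struct.pack("!H", seconds))


def vlan_name(vid: int, name: str) -> bytes:
    """IEEE 802.1 VLAN Name TLV: OUI, subtype, VLAN ID, name length, name (at most 32 characters)."""
    encoded = name.encode()
    if len(encoded) > 32:
        raise ValueError("VLAN name TLV carries at most 32 characters")
    body = OUI_IEEE_8021 + bytes([SUBTYPE_8021_VLAN_NAME]) + struct.pack("!HB", vid, len(encoded)) + encoded
    return tlv(TLV_ORG_SPECIFIC, body)


def build_lldpdu(mandatory: List[bytes], optional: List[bytes],
                 limit: int = LLDPDU_MAX_BYTES) -> Tuple[bytes, int]:
    """Concatenate TLVs. Once the next optional TLV would exceed the limit, it and every
    remaining optional TLV are dropped (the behaviour the guide describes).
    Returns (frame, number of optional TLVs dropped)."""
    end = tlv(TLV_END, b"")
    frame = b"".join(mandatory)
    if len(frame) + len(end) > limit:
        raise ValueError("mandatory TLVs alone exceed the LLDPDU limit")
    dropped = 0
    for index, item in enumerate(optional):
        if len(frame) + len(item) + len(end) > limit:
            dropped = len(optional) - index
            break
        frame += item
    return frame + end, dropped


def parse_tlvs(frame: bytes) -> List[Tuple[int, bytes]]:
    """Walk a frame back into (type, value) pairs, stopping at the End of LLDPDU TLV."""
    out, pos = [], 0
    while pos + 2 <= len(frame):
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        out.append((tlv_type, frame[pos + 2:pos + 2 + length]))
        pos += 2 + length
        if tlv_type == TLV_END:
            break
    return out


def advertise(vlans: List[Tuple[int, str]]) -> Tuple[int, int]:
    """Build an LLDPDU for a constructed port 1:1 that advertises the given VLAN names.
    Returns (frame length in bytes, number of VLAN name TLVs dropped)."""
    mandatory = [chassis_id_mac("00:04:96:aa:bb:cc"), port_id_ifname("1:1"), ttl(120)]  # constructed
    frame, dropped = build_lldpdu(mandatory, [vlan_name(vid, name) for vid, name in vlans])
    return len(frame), dropped


if __name__ == "__main__":
    print("two VLANs:", advertise([(10, "users"), (20, "voice")]))
    many = [(i, f"v{i:03d}".ljust(32, "x")) for i in range(1, 51)]
    print("fifty VLANs with 32-character names:", advertise(many))
```

With two short VLAN names the frame is 49 bytes and nothing is dropped; with fifty 32-character names only 36 fit under the limit and the remaining 14 are silently lost, which is the situation the guide's recommendation avoids.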
Link Layer Discovery Protocol Mandatory TLVs This section discusses the following mandatory TLVs, which are automatically enabled once you enable LLDP on a port: Chassis ID TLV on page 152 ● Port ID TLV on page 152 ● TTL TLV on page 152 ●...
Page 153
Supported TLVs NOTE The system description TLV is automatically enabled once you enable LLDP and is always sent as part of the LLDPDU. Although this TLV is not mandatory according to the standard, the ExtremeWare XOS software includes this TLV in all LLDPDUs by default; you can configure the system not to advertise this TLV. This section discusses the following optional TLVs: Port Description TLV on page 153 ●...
Page 154
The ExtremeWare XOS software advertises bridge and router capabilities. When configured to advertise the system capabilities, Extreme Networks devices advertise bridging capabilities. Once at least one VLAN on the device has IP forwarding enabled, the system automatically advertises router capabilities.
Page 155
Supported TLVs As Extreme Networks devices are always capable of supporting protocol-based VLANs, once you configure this TLV, the system always advertises support for this type of VLAN. By default, once you configure this TLV, the system sends information for all VLANs on the port.
Link Layer Discovery Protocol Configuring LLDP You configure LLDP per port. To configure LLDP, take the following steps:
1 Enable LLDP on the desired port(s).
2 If desired, configure the system not to advertise the system description TLV.
3 If you want to change any default values, configure the following values:
  a Reinitialize period
  b Transmit interval
  c Transmit delay...
Configuring LLDP To disable the default advertisement of the system description, issue the following command: configure lldp ports [all | <port_list>] no-advertise system-description Configuring LLDP Timers Once you enable LLDP, the timer values assume the default values. However, if you want to change any of these default values, use the CLI to configure the relevant timer.
NOTE Extreme Networks recommends that you advertise only one or two VLANs on specified ports to avoid dropping TLVs from the LLDPDU. You configure LLDP ports to advertise any of the following optional TLVs: Port description TLV ●...
Page 159
Configuring LLDP To advertise the IP address of the management VLAN (or the system MAC address if IP is not configured), issue the following command: configure lldp ports [all | <port_list>] [advertise | no-advertise] management-address You can advertise more than one VLAN name per LLDP-enabled port. To do so, add one optional VLAN name TLV for each VLAN you want to advertise.
Link Layer Discovery Protocol You advertise the maximum frame size available on the LLDP-enabled port using the maximum frame size TLV. To advertise the maximum frame size, issue the following command: configure lldp ports [all | <port_list>] [advertise | no-advertise] vendor-specific dot3 max-frame-size Unconfiguring LLDP To unconfigure LLDP, issue the following command:...
Page 161
Displaying LLDP Settings LLDP Port Configuration: Port SNMP Optional enabled transmit TLVs Mode Mode Notification LLDP 802.1 802.3 ============================================================================ Enabled Enabled Disabled PNDCM PpN- M-LF Enabled Enabled Disabled --D-- ---- ---- ============================================================================= LLDP Flags : (P) Port Description, (N) System Name, (D) System Description (C) System Capabilities, (M) Mgmt Address 802.1 Flags: (P) Port VLAN ID, (p) Port &...
Link Layer Discovery Protocol NOTE The Tx Length Exceeded column shows the number of LLDPDUs sent from the port that dropped configured optional TLVs to meet the 1500-byte limit for the LLDPDU. Displaying LLDP Information Detected from Neighboring Ports To display information from LLDP neighbors detected on the port, use the show lldp neighbors command.
Power Over Ethernet Power over Ethernet (PoE) is an effective method of supplying 48 VDC power to certain types of powered devices (PDs) through Category 5 or Category 3 twisted pair Ethernet cables. PDs include wireless access points, IP telephones, laptop computers, web cameras, and other devices. With PoE, a single Ethernet cable supplies power and the data connection, reducing costs associated with separate power cabling and supply.
Power Over Ethernet Power Checking for PoE Module PoE modules require more power than other I/O modules. When a chassis containing a PoE module is booted or a new PoE module is inserted, the power drain is calculated. Before the PoE module is powered up, the chassis calculates the power budget and powers up the PoE module only if there is enough power.
NOTE Extreme Networks recommends that you fully populate a single PoE module with PDs until the power usage is just below the usage threshold, instead of spacing PDs evenly across PoE modules.
Power Over Ethernet Deny power to the next PD requesting power, regardless of that port’s PoE priority ● This is a switchwide configuration that applies to each slot; you cannot configure this disconnect precedence per slot. The default value is deny-port. So, if you do not change the default value and the slot’s power is exceeded, the next PD requesting power is not connected (even if that port has a higher configured PoE port priority than those ports already receiving power).
Power Delivery To display the status of PoE ports, including disconnected or faulted ports, use the following command: show inline-power info ports When a port is disconnected or otherwise moves into a fault state, SNMP generates an event (once you configure SNMP and a log message is created).
Power Over Ethernet Detecting a PD through capacitance is used only if the following two conditions are both met: Legacy PD detection is enabled. ● The system unsuccessfully attempted to discover the PD using the standard resistance measurement ● method. To enable the switch to use legacy PDs, use the following command: enable inline-power legacy slot <slot>...
Configuring PoE Configuring PoE PoE on the G48P module supports a full set of configuration and monitoring commands that allow you to configure, manage, and display PoE settings at the system, slot, and port level. Refer to the ExtremeWare XOS Command Reference Guide for complete information on using the CLI commands. To enable inline power, or PoE, you must have a powered chassis and module.
0. NOTE Extreme Networks recommends that you fully populate a single PoE module with PDs until the power usage is just below the usage threshold, instead of spacing PDs evenly across PoE modules. To reset the power budget for a PoE module to the default value of 50 W, use the following command: unconfigure inline-power budget slot <slot>...
Configuring PoE When several ports have the same PoE priority, the lower port numbers have higher PoE priorities. That is, the switch withdraws power from (or disconnects) those ports with the highest port number(s). The system keeps dropping ports, using the algorithm you selected with the disconnect ports command, until the measured inline power for the slot is lower than the reserved inline power.
Power Over Ethernet Although the ratio of used to budgeted power is measured by each PoE module, you set the threshold for sending the event for the entire switch. That is, once any PoE module passes the configured threshold, the system sends an event. The default value for this usage threshold is 70%.
Displaying PoE Settings and Statistics To configure the operator limit, use the following command: configure inline-power operator-limit <milliwatts> ports [all |<port_list>] To reset the operator limit to the default value of 15.4 W, use the following command: unconfigure inline-power operator-limit ports [all |<port_list>] To display the current operator limit on each port, use the following command: show inline-power configuration ports <port_list>...
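The PoE budgeting rules spread over the preceding passages (the per-slot budget with its 50 W default, the deny-port disconnect precedence that refuses the next PD regardless of priority, the alternative that sheds the lowest-priority ports highest port number first until the slot is back under budget, the 70% usage-threshold event, and the 15.4 W per-port operator limit) interact in ways that are easier to see in a model than in prose. The following Python is an added example, not code from the guide or from ExtremeWare XOS: it simulates one PoE slot and walks a constructed set of PDs through both disconnect precedences. The guide names only deny-port; the name "lowest-priority" for the other mode, the integer priority scale (lower number means higher priority) and all port wattages are assumptions or constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_SLOT_BUDGET_W = 50.0      # default per-module budget stated in the guide
DEFAULT_OPERATOR_LIMIT_W = 15.4   # default per-port operator limit stated in the guide
DEFAULT_USAGE_THRESHOLD_PCT = 70.0  # default usage threshold stated in the guide


@dataclass
class PoePort:
    number: int
    priority: int   # assumption: lower number = higher PoE priority
    watts: float    # power the attached PD draws (constructed sample values below)


@dataclass
class PoeSlot:
    budget_w: float = DEFAULT_SLOT_BUDGET_W
    operator_limit_w: float = DEFAULT_OPERATOR_LIMIT_W
    disconnect_precedence: str = "deny-port"  # guide default; "lowest-priority" name is assumed
    powered: Dict[int, PoePort] = field(default_factory=dict)

    def measured_w(self) -> float:
        return sum(p.watts for p in self.powered.values())

    def usage_pct(self) -> float:
        return 100.0 * self.measured_w() / self.budget_w

    def above_usage_threshold(self, threshold_pct: float = DEFAULT_USAGE_THRESHOLD_PCT) -> bool:
        """True when the slot would raise the switch-wide usage event."""
        return self.usage_pct() > threshold_pct

    def request_power(self, port: PoePort) -> Tuple[str, List[int]]:
        """Handle a PD asking for power. Returns (result, ports disconnected to make room)."""
        if port.watts > self.operator_limit_w:
            return "denied-operator-limit", []
        if self.measured_w() + port.watts <= self.budget_w:
            self.powered[port.number] = port
            return "delivering", []
        if self.disconnect_precedence == "deny-port":
            # Default behaviour: the next PD is refused regardless of its PoE priority.
            return "denied", []
        # lowest-priority: admit the port, then shed the lowest-priority ports,
        # highest port number first among equals, until the slot is back under budget.
        self.powered[port.number] = port
        dropped: List[int] = []
        for victim in sorted(self.powered.values(), key=lambda p: (p.priority, p.number), reverse=True):
            if self.measured_w() <= self.budget_w:
                break
            del self.powered[victim.number]
            dropped.append(victim.number)
        if port.number in dropped:
            return "denied", dropped
        return "delivering", dropped


def scenario(precedence: str) -> Tuple[str, List[int], List[int]]:
    """Four PDs already powered (45.4 W of a 50 W budget), then a fifth high-priority PD asks for 7 W.
    Returns (result for the new PD, ports disconnected, ports powered afterwards)."""
    slot = PoeSlot(disconnect_precedence=precedence)
    for p in [PoePort(1, 1, 15.4), PoePort(2, 2, 12.0), PoePort(3, 2, 10.0), PoePort(4, 3, 8.0)]:
        slot.request_power(p)
    result, dropped = slot.request_power(PoePort(5, 1, 7.0))
    return result, dropped, sorted(slot.powered)


if __name__ == "__main__":
    for mode in ("deny-port", "lowest-priority"):
        print(mode, "->", scenario(mode))
    slot = PoeSlot()
    print("20 W request against 15.4 W operator limit ->", slot.request_power(PoePort(9, 1, 20.0)))
```

Under deny-port the new high-priority PD on port 5 is refused and the low-priority PD on port 4 keeps its power; under lowest-priority the slot sheds port 4 and powers port 5. Either way the slot sits above the 70% usage threshold, so the switch-wide event fires before any port is actually denied, which is the signal to watch in monitoring.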
Page 174
Power Over Ethernet Displaying System PoE Status To display the PoE status for the switch, use the following command: show inline-power The command provides status for the following areas: Configured inline power status—The status of the inline power for the switch: enabled or disabled. ●...
Page 175
Displaying PoE Settings and Statistics Displaying System Power Data Additionally, you can view the distribution of power, as well as currently required and allocated power, on the entire switch including the power supplies by using the following command: show power budget Following is sample output from this command: State Watts...
Power Over Ethernet Displaying Slot PoE Information You can display PoE status and statistics per slot. Displaying Slot PoE Status Use the following command to display PoE status for each slot: show inline-power slot <slot> The command provides the following information: Inline power status—The status of inline power.
Displaying PoE Settings and Statistics Total ports faulted—Displays the number of ports in a fault state. ● Total ports disabled—Displays the number of ports in a disabled state. ● Following is sample output from this command: Inline-Power Slot Statistics Slot: Firmware status : Operational Firmware revision...
Power Over Ethernet Displaying Port PoE Status To display the PoE status per port, use the following command: show inline-power info {detail} ports <port_list> This command provides the following information: State—Displays the port power state: ● Disabled ■ Searching ■ Delivering ■...
Displaying PoE Settings and Statistics The detail command lists all inline power information for the selected ports. Detail output displays the following information: Configured Admin State ● Inline Power State ● MIB Detect Status ● Label ● Operator Limit ● PD Class ●...
Power Over Ethernet The command provides the following information: State—Displays the port power state: ● Disabled ■ Searching ■ Delivering ■ Faulted ■ Disconnected ■ Other ■ Denied ■ PD’s power class—Displays the class type of the connected PD: ● “-----”: disabled or searching ■...
Status Monitoring and Statistics This chapter describes the following topics: Status Monitoring on page 181 ● Viewing Port Statistics on page 181 ● Viewing Port Errors on page 182 ● Using the Port Monitoring Display Keys on page 183 ● Diagnostics on page 184 ●...
Status Monitoring and Statistics Values are displayed to nine digits of accuracy. To view port statistics, use the following command: show ports {<port_list>} statistics {no-refresh} The switch collects the following port statistical information: Link Status—The current status of the link. Options are: ●...
Using the Port Monitoring Display Keys Transmit Collisions (TX Coll)—The total number of collisions seen by the port, regardless of whether a device connected to the port participated in any of the collisions. ● Transmit Late Collisions (TX Late Coll)—The total number of collisions that have occurred after the...
Status Monitoring and Statistics Table 21: Port monitoring display keys with auto-refresh enabled Key(s) Description Displays the previous page of ports. Displays the next page of ports. [Esc] Exits from the screen. Clears all counters. [Space] Cycles through the following screens: •...
Diagnostics Running Diagnostics on I/O and Management Modules—Modular Switches Only If you run the diagnostic routine on an I/O module, that module is taken offline while the diagnostic test is performed. Traffic to and from the ports on that I/O module is temporarily unavailable. When the diagnostic test is complete, the I/O module is reset and becomes operational again.
The LED behavior described in this section relates only to the behavior associated with a diagnostic test. For more detailed information about all of the I/O module, MSM, and switch LEDs, see the Extreme Networks Consolidated XOS Hardware Installation Guide.
Diagnostics After the I/O module completes the diagnostic test, or the diagnostic test is terminated, the DIAG and the Status LEDs are reset. During normal operation, the DIAG LED is off and the Status LED blinks green. MSM LED Behavior—BlackDiamond 8800 Family of Switches Table 26 describes the BlackDiamond 8800 family of switches MSM LED behavior during a diagnostic test on the primary MSM.
Status Monitoring and Statistics Table 27 describes the BlackDiamond 8800 family of switches MSM LED behavior during a diagnostic test on the backup MSM. Table 27: BlackDiamond 8800 family of switches MSM LED behavior during diagnostic test on backup MSM Color Indicates Backup...
Occasional increments of these counters do not mean that faulty hardware has been detected or that hardware requires replacement. If you see persistent increments of these counters, please contact Extreme Networks Technical Support. In addition, you can enable the system health checker to check the backplane, CPU, and I/O modules by periodically sending diagnostic packets and checking the validity of the looped-back diagnostic packets.
Status Monitoring and Statistics Backplane diagnostic packets are disabled by default. If you enable this feature, the system health checker tests the packet path for a specific I/O module every 6 seconds by default. The MSM sends and receives diagnostic packets from the I/O module to determine the state and connectivity. (The other I/O modules with backplane diagnostic packets disabled continue polling every 60 seconds by default.) System health check errors are reported to the syslog.
To configure the frequency of sending backplane diagnostic packets, use the following command: configure sys-health-check interval <interval> NOTE Extreme Networks does not recommend configuring an interval of less than the default interval. Doing so can cause excessive CPU utilization. System Health Check Examples This section provides examples for using the system health checker on the BlackDiamond 10K switch and the BlackDiamond 8800 family of switches.
Status Monitoring and Statistics NOTE Extreme Networks does not recommend configuring an interval of less than 6 seconds. Doing this can cause excessive CPU utilization. Disabling Backplane Diagnostics. Building upon the previous example, the following example disables backplane diagnostics on slot 3:...
none—Configures the level to no recovery. ● The default setting is . Extreme Networks recommends using the default setting. Displaying the System Recovery Setting To display the system recovery setting on the switch, use the following command: show switch This command displays general switch information, including the system recovery level.
The default setting is reset. Extreme Networks recommends using the default setting. To get the most from module recovery, Extreme Networks recommends using the default settings for both system recovery and module recovery. The default setting for system recovery is , and the default setting for module recovery is reset.
I/O module to ensure that you are not experiencing a hardware issue. If the module continues to enter the failed state, please contact Extreme Networks Technical Support. If you experience an MSM failure, please contact Extreme Networks Technical Support.
Status Monitoring and Statistics The following sample output displays the current temperature and operating status of the installed modules and power controllers: Field Replaceable Units Temp (C) Status ------------------------------------------------ Slot-1 : 10G6X 36.37 Normal Slot-2 : G60X 35.31 Normal Slot-3 Slot-4 Slot-5 Slot-6...
Event Management System/Logging Temperature: 30.1 deg C Fan Tray Temperature—BlackDiamond 10K Switch Only To view the current temperature and status of the fan trays installed in the BlackDiamond 10K switch, use the following command: show fans The following sample output displays the fan tray temperature information on a BlackDiamond 10K switch: Right(Rear-facing) FanTray 1 information: Temperature:...
The first six types of targets exist by default; but before enabling any syslog host, you must add the host's information to the switch using the configure syslog command. Extreme Networks EPICenter can be a syslog target. By default, the memory buffer and NVRAM targets are already enabled and receive messages. To start...
Event Management System/Logging targets are disabled on the backup MSM, as they are handled on the primary. If the syslog condition for the primary-msm target is met by a message generated on the backup, the event is sent to the primary MSM. Note that the target is active only on the primary MSM, and the target is...
Status Monitoring and Statistics The three severity levels for extended debugging (debug-summary, debug-verbose, and debug-data) require that debug mode be enabled (which may cause a performance degradation). See “Displaying Debug Information” on page 209 for more information about debugging. Table 30: Severity levels assigned by the switch Level Description...
Event Management System/Logging Components and Conditions The event conditions detected by ExtremeWare XOS are organized into components and subcomponents. To get a listing of the components and subcomponents in your release of ExtremeWare XOS, use the following command: show log components {<event component>} {version} For example, to get a list of the components and subcomponents in your system, use the following command: show log components...
Status Monitoring and Statistics When you use the details keyword, you see the message text associated with the conditions. For example, if you want to see the message text and the parameters for the event condition STP.InBPDU.Trace, use the following command: show log events stp.inbpdu.trace details The output produced by the command is similar to the following: Comp...
Event Management System/Logging For example, assume that myFilter is configured as before, and assume that you want to exclude the STP.CreatPortMsgFail event. To add that condition, use the following command: configure log filter myFilter add exclude events stp.creatportmsgfail You can also add events and subcomponents to the filter. For example, assume that myFilter is configured as before, and you want to include the STP.InBPDU subcomponent.
Status Monitoring and Statistics Each time a filter item is added to or deleted from a given filter, the specified events are compared against the current configuration of the filter to try to logically simplify the configuration. Existing items will be replaced by logically simpler items if the new item enables rewriting the filter. If the new item is already included or excluded from the currently configured filter, the new item is not added to the filter.
Event Management System/Logging To configure a parameter match filter item, use the following command: configure log filter <name> [add | delete] {exclude} events [<event-condition> | [all | <event-component>] {severity <severity> {only}}] [match | strict-match] <type> <value> Each event in ExtremeWare XOS is defined with a message format and zero or more parameter types. The show log events all command can be used to display event definitions (the event text and parameter types).
Status Monitoring and Statistics To configure a range of scoped IPv6 addresses with a mask of 16, use the following command: configure log filter myFilter add events all match ipaddress 3ffe::/16%Default To configure a scoped IPv6 address with any VLAN, use the following command: configure log filter myFilter add events all match ipaddress 3ffe::/16%* To configure any scoped IPv6 address with a specific VLAN, use the following command: configure log filter myFilter add events all match ipaddress ::/0%Default...
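The scoped-address syntax used by these match items (<prefix>%<vlan>, where %* or no scope part means any VLAN), as an added example that is not the switch's own code: a small Python parser and matcher run against constructed event parameters. The event address/VLAN pairs are made up for the illustration; the three filter specs are the ones shown above.

```python
"""Parser and matcher for the scoped 'match ipaddress' syntax shown on this
page.  Added example, not code from the Concepts Guide; the event parameters
below are constructed."""
import ipaddress


def parse_scoped(spec):
    """'3ffe::/16%Default' -> (IPv6Network('3ffe::/16'), 'Default').
    A scope of '*' or a spec with no '%' part returns None, meaning any VLAN."""
    prefix, _, scope = spec.partition("%")
    network = ipaddress.ip_network(prefix, strict=False)
    return network, (None if scope in ("", "*") else scope)


def scoped_match(spec, address, vlan):
    """True if the event's (address, vlan) falls inside the filter item's scoped prefix."""
    network, scope = parse_scoped(spec)
    addr = ipaddress.ip_address(address)
    if addr.version != network.version or addr not in network:
        return False
    return scope is None or scope == vlan


# Constructed event parameters: (address, VLAN the event was raised on)
SAMPLE_EVENTS = [
    ("3ffe:1::1", "Default"),    # inside 3ffe::/16, on VLAN Default
    ("3ffe:1::1", "Sales"),      # inside 3ffe::/16, on another VLAN
    ("2001:db8::1", "Default"),  # outside 3ffe::/16
    ("10.1.1.1", "Default"),     # IPv4: never matches an IPv6 prefix
]


def matches_for(spec):
    """Evaluate one filter spec against every sample event."""
    return [scoped_match(spec, addr, vlan) for addr, vlan in SAMPLE_EVENTS]


if __name__ == "__main__":
    for spec in ("3ffe::/16%Default", "3ffe::/16%*", "::/0%Default"):
        print(spec, matches_for(spec))
```

The third spec, ::/0%Default, shows why the scope matters: it matches every IPv6 address raised on VLAN Default and nothing raised on another VLAN, which is the "any address, specific VLAN" case from the text.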
Event Management System/Logging If you set the current session format using the following command: configure log target session format timestamp seconds date mm-dd-yyyy event-name component The same example would appear as: 06/25/2004 22:49:10 <dm> PowerSupply:4 Powered On To provide some detailed information to technical support, set the current session format using the following command: configure log target session format timestamp hundredths date mmm-dd event-name condition process-name source-line...
Status Monitoring and Statistics The displayed messages can be formatted differently from the format configured for the targets, and you can choose to display the messages in order of newest to oldest or in chronological order (oldest to newest). Uploading Event Logs The log stored in the memory buffer and the NVRAM can be uploaded to a TFTP server.
Using sFlow Occurred : # of times this event has occurred since last clear or reboot Flags : (*) Not all applications responded in time with their count values In(cluded): Set to Y(es) if one or more targets' filters include this event Notified : # of times this event has occurred when 'Included' was Y(es) The output of the command:...
Status Monitoring and Statistics for analysis. sFlow consists of a Management Information Base (MIB) and a specification of the packet format for forwarding information to a remote agent. Details of sFlow specifications can be found in RFC 3176, and specifications and more information can be found at the following website: http://www.sflow.org The ExtremeWare XOS implementation is based on sFlow version 5, which is an improvement from the revision specified in RFC 3176.
Using sFlow management port IP address as its IP address. You change the agent IP address by using the following command: configure sflow agent {ipaddress} <ip-address> You unconfigure the agent using this command: unconfigure sflow agent Configuring the Remote Collector Address You can specify up to four remote collectors to send the sFlow data to.
Status Monitoring and Statistics Additional sFlow Configuration Options There are three global options that you can configure to different values from the defaults. These affect how frequently the sFlow data is sent to the remote collector, how frequently packets are sampled, and the maximum number of sFlow samples that could be processed in the CPU per second.
RMON Unconfiguring sFlow You can reset any configured values for sFlow to their default values, and remove any configured collectors and ports from sFlow, by using the following command: unconfigure sflow Displaying sFlow Information To display the current configuration of sFlow, use the following command: show sflow {configuration} To display the sFlow statistics, use the following command: show sflow statistics...
Status Monitoring and Statistics logs those events to the log. RMON can also send traps to the destination address configured by the management workstation. You can also use RMON to trigger a system reboot. Management Workstation A management workstation communicates with the RMON agent and collects the statistics from it. The workstation does not have to be on the same network as the RMON agent and can manage the agent by in-band or out-of-band connections.
RMON The group is useful for analysis of traffic patterns and trends on an Ethernet port, and to establish baseline information indicating normal operating parameters. Alarms The Alarms group provides a versatile, general mechanism for setting threshold and sampling intervals to generate events on any RMON variable.
RMON requires one probe per LAN segment, and standalone RMON probes traditionally have been expensive. Therefore, the approach taken by Extreme Networks has been to build an inexpensive RMON probe into the agent of each system. This allows RMON to be widely deployed around the network without costing more than traditional network management.
RMON Displaying RMON Information To view the status of RMON polling on the switch—the enable/disable state for RMON polling—use the following command: show management To view the RMON memory usage statistics for a specific RMON feature (for example, statistics, events, logs, history, or alarms) or for all features, use the following command: show rmon memory {detail | <memoryType>} ExtremeWare XOS 11.3 Concepts Guide...
Virtual LANs This chapter covers the following topics: Overview of Virtual LANs on page 219 ● Types of VLANs on page 220 ● VLAN Names on page 228 ● Configuring VLANs on the Switch on page 229 ● Displaying VLAN Settings on page 230 ●...
Virtual LANs VLANs ease the change and movement of devices—With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually. Virtual Routers and VLANs—BlackDiamond 10K Switch Only NOTE You create virtual routers only on the BlackDiamond 10K switch;...
2 Cable the two switches together using one port on each switch per VLAN. Figure 6 illustrates a single VLAN that spans a BlackDiamond switch and another Extreme Networks switch. All ports on the system 1 switch belong to VLAN Sales. Ports 1 through 29 on the system 2 switch also belong to VLAN Sales.
Virtual LANs Figure 6: Single port-based VLAN spanning two switches Sales System 1 System 2 EX_061 To create multiple VLANs that span two switches in a port-based VLAN, a port on system 1 must be cabled to a port on system 2 for each VLAN you want to have span across the switches. At least one port on each switch must be a member of the corresponding VLANs, as well.
Types of VLANs Figure 7: Two port-based VLANs spanning two switches System 1 Accounting Engineering System 2 EX_063 VLAN Accounting spans system 1 and system 2 by way of a connection between system 2, port 29 and system 1, slot 1, port 6. VLAN Engineering spans system 1 and system 2 by way of a connection between system 2, port 32, and system 1, slot 8, port 6.
Virtual LANs Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs. This is particularly useful if you have a device (such as a server) that must belong to multiple VLANs. The device must have a Network Interface Card (NIC) that supports IEEE 802.1Q tagging.
Types of VLANs Figure 9: Logical diagram of tagged and untagged traffic. [Figure not reproduced. It shows VLANs Marketing and Sales on System 1 (ports 1-4 & 9-12; ports 5-8, 13-16 & 32; ports 25 and 29 marked *) and System 2 (slot 1, ports 1 to 3; port 1 marked *).]
Virtual LANs respectively. The remainder of the traffic belongs to the VLAN named MyCompany. All ports are members of the VLAN MyCompany. Figure 10: Protocol-based VLANs. [Figure not reproduced. It shows the VLAN MyCompany with addresses 192.207.35.1 and 192.207.36.1, the subnets 192.207.35.0 (Finance) and 192.207.36.0 (Personnel), and a legend distinguishing IP traffic from all other traffic.] Predefined Protocol Filters The following protocol filters are predefined on the switch:...
Types of VLANs For example: create protocol fred The protocol name can have a maximum of 32 characters. 2 Configure the protocol using the following command: configure protocol <name> add [etype | llc | snap] <hex> {[etype | llc | snap] <hex>} ...
NOTE If you use the same name across categories (for example, STPD and EAPS names), Extreme Networks recommends that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.
Configuring VLANs on the Switch Configuring VLANs on the Switch NOTE On the BlackDiamond 10K switch, the 10 Gbps module must have the serial number 804405-00-09 or higher to support untagged frames. To display the serial number of the module, issue the show slot <slot_number> command.
VLAN name. You can use the VLAN name alone (unless you are also using this name for another category such as STPD or EAPS, in which case Extreme Networks recommends including the keyword vlan). The following stand-alone switch example creates a port-based VLAN with an IPv6 address: Named development ●...
Displaying VLAN Settings To display VLAN settings, use the following command: show vlan {detail |<vlan_name> {stpd}} The show vlan command displays information about each VLAN, which includes: Name ● VLANid ● How the VLAN was created ● Primary IPv4 address ● Secondary IP address (if configured) ●...
You establish a private path through the public network using the Extreme Networks VMAN feature, which creates a bidirectional virtual data connection. A given tunnel switches Layer 2 traffic; the specified tunnel traffic is completely isolated from other traffic or tunnels.
The default VMAN Ethernet type on Extreme Networks devices is 0x88a8. If your VMAN transits a third-party device (other than an Extreme Networks device), you must configure the EtherType as the Ethernet type that the third-party device uses.
Virtual LANs On the BlackDiamond 10K switch, all ports added to a specified VMAN must be in the same virtual router. For more information on displaying, configuring, and using virtual routers, see Chapter VMAN multicasting with IP addresses. Beginning with ExtremeWare XOS software version 11.3, you can assign an IP address to a specified VMAN to enable multicasting.
Tunneling (VMANs) Guidelines for Configuring VMANs The following are some guidelines for configuring VMANs: Each tunnel port that accesses the user, or customer port, can support (or belong to) only one VMAN ● tunnel; the remaining ports throughout the VMAN tunnel can support many VMANs. Duplicate customer’s MAC address ingressing from multiple VMAN ports may disrupt the port ●...
Virtual LANs NOTE You must configure the VMAN tunnel egress, or trunk, port as untagged so that the VMAN header is stripped from the frame. 6 Configure the switch to use the 802.1p value on the inner tag to assign the packet to the appropriate egress queue on the egress port, if desired.
Tunneling (VMANs) Figure 11: Sample VMAN configuration on BlackDiamond 10K switch. [Figure not reproduced. It shows the Engineering & Science Building, a BlackDiamond 10808 switch, and a BlackDiamond 6808 switch.] The VMAN is from the building to port 1, slot 1 on the BlackDiamond 10808 switch and from port 1, slot 6 on the BlackDiamond 10808 switch to the BlackDiamond 6808 switch: create vman vman_tunnel_1 configure vman vman_tunnel_1 tag 100...
Virtual LANs configure vman vman_tunnel_1 add port 3:1 untagged configure vman vman_tunnel_1 add port 3:2 tagged enable dot1p examination inner-tag port 3:2 Displaying VMAN Configurations You can display the VMAN configuration and associated EAPS domains by issuing the show vman command.
Tunneling (VMANs) The show vman detail command shows all the information shown in the show vman <vlan_name> command, but displays information for all configured VMANs. To display the EtherType, use the following command: show vman etherType The following is sample output from the command: vMan EtherType: 0x88a8...
Virtual Routers This chapter describes the following topics: Virtual Routers Overview on page 241 ● Using Virtual Routers—BlackDiamond 10K Switch Only on page 244 ● Creating Virtual Routers on page 244 ■ Adding Ports to a Single Virtual Router on page 244 ■...
Virtual Routers Types of Virtual Routers There are two types of virtual routers in an ExtremeWare XOS system: System virtual routers ● These are the special virtual routers created by ExtremeWare XOS during system boot up, and they cannot be deleted or renamed. There are a total of three of these special virtual routers in the ExtremeWare XOS system.
Virtual Routers Overview User Virtual Routers—BlackDiamond 10K Switch Only User virtual routers are the virtual routers created by users in addition to the system virtual routers. The ability to create user virtual routers was first introduced in ExtremeWare XOS 11.0. When a new user virtual router is created, by default, no ports are assigned, no VLAN interface is created, and no support for any routing protocols is added.
Virtual Routers Using Virtual Routers—BlackDiamond 10K Switch Only To use the user virtual router functionality in ExtremeWare XOS, you will need to do the following things: Create the virtual router ● Configure ports to a single virtual router, or to multiple virtual routers ●...
Using Virtual Routers—BlackDiamond 10K Switch Only The following is an example of removing all the ports on slot 3 from the default VLAN in the default virtual router and adding them for the exclusive use of the virtual router helix: configure vlan default delete ports 3:* configure vr vr-default delete ports 3:* configure vr helix add ports 3:*...
Virtual Routers Configuring the Routing Protocols and VLANs Once the virtual router is created, the ports are added, and support for any needed routing protocols is added, you can configure the virtual router. To simplify configuring the user virtual routers, the concept of a virtual router configuration domain was added (instead of adding a virtual router keyword to every command in every routing protocol).
Virtual Router Configuration Example The VLAN helix-accounting is created ● Ports that belong to the virtual router helix are added to the VLAN helix-accounting ● The CLI prompt is shown in this example to show how the virtual router configuration domain is displayed.
Forwarding Database This chapter describes the following topics: Overview of the FDB on page 249 ● FDB Configuration Examples on page 251 ● Configuring the FDB Aging Time on page 252 ● Displaying FDB Entries on page 252 ● MAC-Based Security on page 253 ●...
Forwarding Database How FDB Entries Get Added Entries are added into the FDB in the following ways: The switch can learn entries by examining packets it receives. The system updates its FDB with the source MAC address from a packet, the VLAN, and the port identifier on which the source packet is received. ●
FDB Configuration Examples Static entries—A static entry does not age and does not get updated through the learning process. A ● static entry is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries. A locked static entry is an entry that was originally learned dynamically, but has been made static (locked) using the MAC address lock-down feature.
Forwarding Database Configuring the FDB Aging Time You configure the aging time for dynamic FDB entries using the following command: configure fdb agingtime <seconds> If the aging time is set to zero, all aging entries in the database are defined as static, nonaging entries. This means the entries will not age out, but non-permanent static entries can be deleted if the switch is reset.
MAC-Based Security NOTE This netlogin parameter applies only for the Summit X450 switch and the BlackDiamond 8800 family of switches. See Chapter 17 for more information on netlogin. permanent—Displays all permanent entries, including the ingress and egress QoS profiles. ● —Displays the entries for a set of ports or slots and ports. ●...
Forwarding Database Disabling MAC Address Learning on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only. When learning is disabled, packets with unknown source MAC addresses are dropped. Disabling Egress Flooding With ExtremeWare XOS software version 11.2, you can enable or disable egress flooding. Under default conditions, when the system does not find a match in the FDB for a unicast/multicast/broadcast MAC address in a packet received in a given port, the system forwards that frame to every port in the VLAN (known as Layer 2 flooding).
MAC-Based Security In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2.
Forwarding Database NOTE When you disable egress flooding on the BlackDiamond 10K switch, you also turn off broadcasting. Displaying Learning and Flooding Settings To display the status of MAC learning and egress flooding, use the following command: show ports {mgmt | <port_list>} information {detail} Following is sample output from this command: QB_Mariner.4 >...
Policy Manager This chapter describes the following topics: Policy Manager on page 257 ● Creating and Editing Policies on page 257 ● Checking Policies on page 258 ● Refreshing Policies on page 259 ● Applying Policies on page 259 ● Policy Manager One of the processes that make up the ExtremeWare XOS system is the policy manager.
Policy Manager Using the Edit Command A VI-like editor is available on the switch to edit policies. To edit a policy file on the switch by launching the editor, use the following command: edit policy <filename> There are many commands available with the editor. For information about the editor commands, use any tutorial or documentation about VI.
Applying Policies Refreshing Policies When a policy file is changed (such as adding, deleting an entry, adding/deleting/modifying a statement), the information in the policy database does not change until the policy is refreshed. The user must refresh the policy so that the latest copy of policy is used. When the policy is refreshed, the new policy file is read, processed, and stored in the server database.
Policy Manager Applying Routing Policies To apply a routing policy, use the command appropriate to the client. Different protocols support different ways to apply policies, but there are some generalities. Policies applied with commands that use the import-policy keyword control the routes imported to the protocol from the switch routing table.
Access Lists (ACLs) This chapter describes the following topics: ACLs on page 261 ● ACL Policy File Syntax on page 262 ● Dynamic ACLs on page 268 ● ACL Evaluation Precedence on page 269 ● ACL Metering—BlackDiamond 8800 Family and Summit X450 Only on page 271 ●...
Access Lists (ACLs) can be applied to an interface, and the precedence of the ACLs is determined as they are being configured. See “Dynamic ACLs” on page 268 for information about creating dynamic ACLs. ACL Policy File Syntax An ACL policy file contains one or more rule entries. Each rule entry consists of: a rule entry name, unique within the same ACL.
ACLs Often an ACL will have a rule entry at the end of the ACL with no match conditions. This entry matches any ingress packets not otherwise processed, so that the user can specify an action that overrides the default permit action. Matching All Egress Packets.
Access Lists (ACLs) Action Modifiers Additional actions can also be specified, independent of whether the packet is dropped or forwarded. These additional actions are called action modifiers. Not all action modifiers are available on all switches, and not all are available for both ingress and egress ACLs. The action modifiers are: —increments the counter named in the action modifier (ingress only) ●...
ACLs example, DiffServ replacement is configured such that QP8 is mapped to code point 56. Matching packets are sent to QP8, and the DSCP value in the packet is set to 56: entry voice_entry { if { source-address 2.2.2.2/32; } then { qosprofile qp8;...
Access Lists (ACLs) Table 34: ACL match conditions (continued). Match condition: destination-port {<number> | <range>}. Description: TCP or UDP destination port. Normally, you specify this match in conjunction with the protocol match to determine which protocol is being used on the port. Applicable IP protocols/direction: TCP, UDP / Ingress and
ACLs Table 34: ACL match conditions (continued). Match condition: icmp-code <number>. Description: ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify the icmp-type along with the icmp-code. Applicable IP protocols/direction: ICMP / Ingress and Egress.
Access Lists (ACLs) NOTE The BlackDiamond 8800 family and Summit X450 support 128 rules per Gigabit Ethernet port and 1024 rules per 10 Gigabit Ethernet port. Certain features also use rules for their implementation. A single match condition can require the creation of many rules, and may not be supported on these switches. For example, the match condition source-port 1000 - 3000 requires creating 2000 rules, and is not supported on these switches.
ACLs conditions, actions, and action-modifiers are the same as those that are available for ACL policy files (see “ACL Policy File Syntax” on page 262). In contrast to the ACL policy file entries, dynamic ACLs are created directly in the CLI. Use the following command to create a dynamic ACL: create access-list <dynamic-rule>...
Page 270
Access Lists (ACLs) Precedence of Dynamic ACLs Dynamic ACLs have a higher precedence than any ACLs applied using policy files. The precedence among any dynamic ACLs is determined as they are configured. Precedence within an ACL An ACL is a policy file that contains one or more rules. In ExtremeWare XOS, each rule can be one of following types: L2 rule—a rule containing only Layer 2 (L2) matching conditions, such as Ethernet MAC address ●...
ACLs Fragmented packet handling Two keywords are used to support fragmentation in ACLs: ● fragments—FO > 0 (FO is the fragment offset field in the IP header.)—BlackDiamond 10K only. ● first-fragments—FO == 0. Policy file syntax checker. The fragments keyword cannot be used in a rule with L4 information. The syntax checker will reject such policy files.
Access Lists (ACLs) create meter <metername> To delete the meter, use the following command: delete meter <metername> Configuring the ACL Meter After the ACL meter is created, you will configure it. Configuring the ACL meter sets allowable traffic limits, and the actions to take with out of limit traffic. Use the following command to configure an ACL meter: configure meter <metername>...
Applying ACL Policy Files To display which interfaces have ACLs configured, and which ACL is on which interface, use the following command: show access-list {any | ports <portlist> | vlan <vlanname>} {ingress | egress} Displaying and Clearing ACL Counters To display the ACL counters, use the following command: show access-list counter {<countername>} {any | ports <portlist>...
Page 274
Access Lists (ACLs) entry icmp { source-address 10.203.134.0/24; protocol icmp; icmp-type echo-request; } then { deny; count icmpcnt; The following example prevents TCP connections from being established from the 10.10.20.0/24 subnet, but allows established connections to continue, and allows TCP connections to be established to that subnet.
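The fragment keywords described above and the established-connection policy just described can both be checked offline with a small first-match ACL simulator. This is an added example and not code from the ExtremeWare XOS guide or from Extreme Networks: it builds constructed IPv4 packets, parses only the fields an ACL can match on, rejects a policy that combines fragments with L4 conditions the way the syntax checker does, and evaluates entries in file order with an implicit permit at the end. The entry names, the policy contents and the tcp-flags semantics used here (syn = SYN set and ACK clear, established = ACK set) are assumptions for the example, not the switch's exact keywords.

```python
import ipaddress
import struct

SYN, ACK = 0x02, 0x10
L4_CONDITIONS = {"source-port", "destination-port", "tcp-flags", "icmp-type", "icmp-code"}


def build_ipv4(src, dst, proto, payload, fo=0, mf=False):
    """Constructed test packet: minimal IPv4 header (checksum left zero) plus payload."""
    flags_frag = (0x2000 if mf else 0) | (fo & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse(raw):
    """Extract the fields an ACL can match on; L4 fields exist only when FO == 0."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    pkt = {"src": ipaddress.IPv4Address(s), "dst": ipaddress.IPv4Address(d),
           "protocol": proto, "fo": flags_frag & 0x1FFF}
    l4 = raw[(ver_ihl & 0x0F) * 4:]
    if pkt["fo"] != 0:
        return pkt                        # non-first fragment: no L4 header to inspect
    if proto in (6, 17) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        pkt["tcp_flags"] = l4[13]         # CWR ECE URG ACK PSH RST SYN FIN
    if proto == 1 and l4:
        pkt["icmp_type"] = l4[0]
    return pkt


def check_policy(policy):
    """Mirror the syntax checker: 'fragments' may not appear in a rule with L4 conditions."""
    for name, cond, _ in policy:
        if "fragments" in cond and cond.keys() & L4_CONDITIONS:
            raise ValueError(f"entry {name}: fragments cannot be combined with L4 conditions")


def matches(cond, pkt):
    if "source-address" in cond and pkt["src"] not in ipaddress.ip_network(cond["source-address"]):
        return False
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    if "fragments" in cond and pkt["fo"] == 0:
        return False
    if "first-fragments" in cond and pkt["fo"] != 0:
        return False
    if "destination-port" in cond and pkt.get("dport") != cond["destination-port"]:
        return False                      # a non-first fragment has no port to compare
    if "icmp-type" in cond and pkt.get("icmp_type") != cond["icmp-type"]:
        return False
    if "tcp-flags" in cond:
        flags = pkt.get("tcp_flags")
        if flags is None:
            return False
        # Assumed semantics: "syn" = SYN set and ACK clear (new connection), "established" = ACK set.
        if cond["tcp-flags"] == "syn" and not (flags & SYN and not flags & ACK):
            return False
        if cond["tcp-flags"] == "established" and not flags & ACK:
            return False
    return True


def evaluate(policy, raw, counters):
    """First matching entry wins; returns (entry name, action). No match means implicit permit."""
    pkt = parse(raw)
    for name, cond, then in policy:
        if matches(cond, pkt):
            if "count" in then:
                counters[then["count"]] = counters.get(then["count"], 0) + 1
            return name, then["action"]
    return None, "permit"


# Constructed policy in the spirit of the chapter's examples: (entry name, match conditions, actions).
POLICY = [
    ("icmp", {"source-address": "10.203.134.0/24", "protocol": 1, "icmp-type": 8},
     {"action": "deny", "count": "icmpcnt"}),
    ("no_new_tcp", {"source-address": "10.10.20.0/24", "protocol": 6, "tcp-flags": "syn"},
     {"action": "deny"}),
    ("telnet", {"protocol": 6, "destination-port": 23}, {"action": "deny"}),
    ("frag", {"fragments": True}, {"action": "deny"}),
]


def tcp_segment(flags, dport=80):
    """Constructed 20-byte TCP header carrying the given flag byte."""
    return struct.pack("!HHIIBB", 40000, dport, 1, 0, 0x50, flags) + bytes(6)


def demo(policy=POLICY):
    check_policy(policy)
    counters = {}
    cases = {
        "ping": build_ipv4("10.203.134.5", "10.0.0.1", 1, bytes([8, 0, 0, 0])),
        "new_from_lan": build_ipv4("10.10.20.7", "10.0.0.1", 6, tcp_segment(SYN)),
        "reply_from_lan": build_ipv4("10.10.20.7", "10.0.0.1", 6, tcp_segment(SYN | ACK)),
        "new_to_lan": build_ipv4("192.0.2.1", "10.10.20.7", 6, tcp_segment(SYN)),
        "telnet_first": build_ipv4("192.0.2.1", "10.0.0.1", 6, tcp_segment(SYN, 23), mf=True),
        "telnet_tail": build_ipv4("192.0.2.1", "10.0.0.1", 6, b"\xaa" * 8, fo=3),
    }
    return {k: evaluate(policy, v, counters) for k, v in cases.items()}, counters


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point of the fragments keyword: the trailing fragment of a Telnet datagram carries no TCP header, so the destination-port 23 entry cannot match it and it is only dropped because the frag entry follows; demo(POLICY[:-1]) lets the same fragment through. The bare-SYN entry denies new connections from 10.10.20.0/24 while the SYN/ACK reply and connections initiated toward that subnet pass, which is the behaviour the chapter's example describes.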
Page 275
Applying ACL Policy Files An ACL mask defines a unique match criteria and relative rule precedence. Masks are automatically generated based on the contents of an access-list policy. Only adjacent rules within the policy that have identical match criteria will utilize the same ACL mask. For this reason, it is advantageous to list all rules with the same match criteria together unless relative precedence with other policy rules is required.
Page 276
Access Lists (ACLs) In this example, the only difference between policy1.pol and policy2.pol is that rule entries two and three are swapped. Policy1.pol consumes three masks since there are no adjacent rules with the same match criteria. Policy2.pol consumes two masks since rules one and three are adjacent and have identical match criteria.
Page 277
Applying ACL Policy Files The only difference between policy3.pol and policy4.pol is that rule entries two and three are swapped. The two policies have the same effect, but policy4.pol does not unnecessarily consume an ACL mask. Mask and Rule Use by Feature: Additionally, certain non-ACL features allocate ACL masks and use ACL rules in order to function.
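The mask-allocation rule stated above (adjacent entries with identical match criteria share one mask) can be applied to a policy file before loading it, so the policy1/policy2 effect is visible without consuming switch resources. The following is an added example and not code from the ExtremeWare XOS guide or from Extreme Networks: it parses a minimal subset of the entry syntax shown in this chapter, counts masks the way the text describes, and offers a regrouping helper. The two policy texts are constructed for the example; the guide's own policy1.pol through policy4.pol are not reproduced here.

```python
import re

# One policy entry: "entry <name> { if { <conditions>; } then { <actions>; } }" (the if block is optional).
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[\w-]+)\s*\{\s*(?:if\s*\{(?P<cond>[^}]*)\}\s*)?then\s*\{(?P<then>[^}]*)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Return [(entry name, frozenset of match-condition keywords, [actions])] in file order."""
    rules = []
    for m in ENTRY_RE.finditer(text):
        conds = [c.strip() for c in (m.group("cond") or "").split(";") if c.strip()]
        criteria = frozenset(c.split()[0] for c in conds)      # the mask depends on fields, not values
        actions = [a.strip() for a in m.group("then").split(";") if a.strip()]
        rules.append((m.group("name"), criteria, actions))
    return rules


def mask_plan(rules):
    """Assign masks in file order: adjacent entries with identical criteria share one mask."""
    plan, prev = [], None
    for name, criteria, _ in rules:
        if criteria != prev:
            plan.append([])
            prev = criteria
        plan[-1].append(name)
    return plan


def count_masks(rules):
    return len(mask_plan(rules))


def grouped(rules):
    """Stable regrouping: each entry moves next to the first entry with the same criteria.
    This changes relative precedence, so only apply it to entries that can never match the same packet."""
    groups = {}
    for rule in rules:
        groups.setdefault(rule[1], []).append(rule)
    return [rule for group in groups.values() for rule in group]


# Constructed policies: entries one and three share criteria, entry two does not.
POLICY1 = """
entry one   { if { source-address 10.10.10.0/24; protocol tcp; } then { deny; } }
entry two   { if { destination-address 192.0.2.0/24; } then { permit; } }
entry three { if { source-address 10.10.20.0/24; protocol tcp; } then { permit; } }
"""
POLICY2 = """
entry one   { if { source-address 10.10.10.0/24; protocol tcp; } then { deny; } }
entry three { if { source-address 10.10.20.0/24; protocol tcp; } then { permit; } }
entry two   { if { destination-address 192.0.2.0/24; } then { permit; } }
"""

if __name__ == "__main__":
    for label, text in (("policy1", POLICY1), ("policy2", POLICY2)):
        rules = parse_policy(text)
        print(label, "masks:", count_masks(rules), mask_plan(rules))
```

In the constructed policies the swap is harmless because entries two and three both permit, so a packet matching both gets the same result either way; in general check that regrouped entries cannot overlap before trusting grouped().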
Page 278
Access Lists (ACLs) ExtremeWare XOS 11.3 Concepts Guide...
Routing Policies This chapter describes the following topics: Routing Policies on page 279 ● Routing Policy File Syntax on page 279 ● Policy Match Conditions on page 280 ■ Policy Action Statements on page 283 ■ Applying Routing Policies on page 284 ●...
Page 280
Routing Policies nlri 10.204.134.0/24; } then { next-hop 192.168.174.92; origin egp; Policy entries are evaluated in order, from the beginning of the file to the end, as follows: If a match occurs, the action in the then statement is taken: ●...
Page 281
Routing Policies Table 36: Policy match conditions (Continued) Match Condition Description community [no-advertise | no-export | no-export- Where no-advertise, no-export and no-export-subconfed are subconfed | number <community_num> | the standard communities defined by RFC. <community_regular_expression> | <community_num> is a four byte unsigned integer, <as_num>...
Page 282
Routing Policies Table 37: AS regular expression notation (Continued) Character Definition Start of a confederation segment in the AS path End of a confederation segment in the AS path Table 38: Policy regular expression examples Attribute Regular Expression Example Matches AS path is 1234 “1234”...
Page 283
Routing Policies Policy Action Statements Table 39 lists the possible action statements. These are the actions taken when the policy match conditions are met in a policy entry. Table 39: Policy actions Action Description as-path "<as_num> {<as_num1> <as_num2> Prepends the entire list of as-numbers to the as-path of <as_num3>...
Translating a route map to a policy on page 286 ● Translating an access profile to a policy You may be more familiar with using access profiles on other Extreme Networks switches. This example shows the policy equivalent to an ExtremeWare access profile. ExtremeWare Access-Profile:...
Page 285
Routing Policies Equivalent ExtremeWare XOS policy map definition: entry entry-5 nlri 22.16.0.0/14; then permit; entry entry-10 nlri 192.168.0.0/18 exact; then permit; entry entry-15 nlri any/8; then deny; entry entry-20 nlri 10.10.0.0/18; then permit; entry entry-25 nlri 22.44.66.0/23 exact; then deny; The policy above can be optimized by combining some of the if statements into a single expression.
Page 286
Translating a route map to a policy You may be more familiar with using route maps on other Extreme Networks switches. This example shows the policy equivalent to an ExtremeWare route map. ExtremeWare route map: Route Map : rt...
Page 287
Routing Policies entry entry-20 community 6553800; then deny; entry entry-30 then next-hop 10.201.23.10; as-path 20; as-path 30; as-path 40; as-path 40; permit; entry entry-40 then local-preference 120; weight 2; permit; entry entry-50 match any { origin incomplete; community 19661200; then dampening half-life 20 reuse-limit 1000 suppress-limit 3000 max-suppress 40 permit;...
Page 288
Routing Policies entry deny_rest { then deny; ExtremeWare XOS 11.3 Concepts Guide...
Bi-Directional Rate Shaping—BlackDiamond 10K Switch Only on page 310 ● Policy-based Quality of Service (QoS) is a feature of ExtremeWare XOS and the Extreme Networks switch architecture that allows you to specify different service levels for traffic traversing the switch.
Quality of Service NOTE Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance. Applications and Types of QoS Different applications have different QoS requirements. The following applications are ones that you will most commonly encounter and need to prioritize: Voice applications ●...
Applications and Types of QoS Critical Database Applications Database applications, such as those associated with Enterprise Resource Planning (ERP), typically do not demand significant bandwidth and are tolerant of delay. You can establish a minimum bandwidth using a priority less than that of delay-sensitive applications. Web Browsing Applications QoS needs for Web browsing applications cannot be generalized into a single category.
Quality of Service Configuring QoS NOTE With software version 11.0, you can create access control lists (ACLs) with QoS actions. The QoS forwarding information you configured in an ACL takes precedence over QoS configuration using the CLI commands. Refer to Chapter 13 for more information on ACLs.
QoS Profiles DiffServ ■ dot1p ■ VLAN-based QoS ■ Port-based QoS ■ You may receive an error message when configuring a QoS feature in the above list on the ● BlackDiamond 8800 family of switches and the Summit X450 switch; it is possible that the shared resource is depleted.
Quality of Service strict priority, which is the default, or weighted round robin. In the strict priority method, the switch services the higher-priority queues first. As long as a queued packet remains in a higher-priority queue, any lower-priority queues are not serviced. If you configure the switch for weighted-round-robin scheduling, the system services all queues based on the weight assigned to the QoS profile.
Traffic Groupings The priority of a QoS profile determines the DiffServ code point value used in an IP packet when ■ the packet is transmitted (see “Replacing DiffServ code points” on page 301). A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. Recall that QoS profiles on the BlackDiamond 10K switch are linked to hardware queues.
Quality of Service Physical/logical groupings ● Source port ■ VLAN ■ NOTE The source port and VLAN QoS apply only to untagged packets, and 802.1p QoS applies only to tagged packets. If you use 802.1p or DiffServ QoS in conjunction with ACLs, you must configure the 802.1p or DiffServ action within the ACL itself.
Page 297
● Configuring 802.1p Priority Extreme Networks switches support the standard IEEE 802.1p priority bits that are part of a tagged Ethernet packet. The 802.1p bits can be used to prioritize the packet and to assign that packet to a particular QoS profile.
Page 298
Quality of Service 802.1p information on the BlackDiamond 10K only. If a port is in more than one virtual router, you cannot use the QoS 802.1p features. The default VLAN DiffServ examination mappings apply on ports in more than one VR. If you attempt to configure examining or replacing 802.1p information on a port that is in more than one virtual router, the system returns the following message: Warning: Port belongs to more than one VR.
Page 299
Traffic Groupings Replacing 802.1p priority information. By default, 802.1p priority information is not replaced or manipulated, and the information observed on ingress is preserved when transmitting the packet. This behavior is not affected by the switching or routing configuration of the switch. NOTE In the BlackDiamond 8800 family of switches and the Summit X450 switch, 802.1p replacement uses existing flow classifiers.
Quality of Service Configuring DiffServ Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the Differentiated Services (DiffServ) field. The DiffServ field is used by the switch to determine the type of service provided to the packet.
Page 301
Traffic Groupings Observing DiffServ information. When a packet arrives at the switch on an ingress port and this feature is enabled, the switch examines the first six of eight TOS bits, called the DiffServ code point. The switch can then assign the QoS profile used to subsequently transmit the packet based on the code point. The QoS profile controls which queue is used when transmitting the packet out of the switch and determines the forwarding characteristics of a particular code point.
Page 302
[{qosprofile} <qosprofile> | priority <value>] code-point <code_point> NOTE Extreme Networks recommends that you use the qosprofile <qosprofile> value to configure this parameter. By doing so, the queue used to transmit a packet determines the DiffServ value replaced in the IP packet.
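The examination and replacement steps described above (take the high six bits of the TOS byte as the code point, pick a QoS profile from it, and on egress write the code point that belongs to the profile) are easy to get subtly wrong, in particular by clobbering the two ECN bits or forgetting the IP header checksum. The following is an added example and not code from the ExtremeWare XOS guide or from Extreme Networks. The default examination mapping (eight code points per profile, 0-7 to QP1 through 56-63 to QP8) and the replacement table (QP8 to code point 56, as in the chapter's example) are assumptions for this example; a real deployment must use the mapping shown by the switch.

```python
import struct

ECN_MASK = 0x03                        # low two bits of the TOS byte are not part of the code point


def dscp_of(tos):
    """The DiffServ code point is the high six bits of the TOS byte."""
    return tos >> 2


def default_qosprofile(dscp):
    """Assumed default examination mapping: eight code points per profile, 0-7 -> QP1 ... 56-63 -> QP8."""
    return f"QP{dscp // 8 + 1}"


# Assumed replacement table in the spirit of the chapter's example: QP8 -> code point 56.
REPLACE = {f"QP{i}": 8 * (i - 1) for i in range(1, 9)}


def replace_dscp(tos, code_point):
    """Write a new code point but preserve the ECN bits, which the switch does not own."""
    return (code_point << 2) | (tos & ECN_MASK)


def forward(tos, examine=True, replace=True, acl_qosprofile=None):
    """Pick the QoS profile for a packet and return (profile, TOS byte on egress).
    An ACL qosprofile action takes precedence over DiffServ examination, as the chapter states."""
    qp = acl_qosprofile or (default_qosprofile(dscp_of(tos)) if examine else "QP1")
    return qp, (replace_dscp(tos, REPLACE[qp]) if replace else tos)


def ipv4_checksum(hdr):
    """Ones-complement sum over the 20-byte header; zero means the stored checksum is valid."""
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_header(tos, src=b"\x0a\x01\x02\x03", dst=b"\xc0\x00\x02\x01"):
    """Constructed 20-byte IPv4 header (UDP, no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, 0, 64, 17, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def rewrite_header(hdr, qp):
    """Replace the code point in a raw header and fix the checksum, as a switch must on egress."""
    out = bytearray(hdr)
    out[1] = replace_dscp(out[1], REPLACE[qp])
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)


if __name__ == "__main__":
    for tos in (0xB8, 0xE3, 0x00):
        print(f"TOS 0x{tos:02x} (DSCP {dscp_of(tos)}) -> {forward(tos)}")
    print("ACL qosprofile qp8 override:", forward(0x00, acl_qosprofile="QP8"))
```

The 0xE3 case shows why the mask matters: the code point is already 56, so the byte must come out unchanged rather than with its ECN bits zeroed. Trusting ingress code points from untrusted ports is the usual security mistake here; the example only models what the switch does once it has decided to examine them.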
Page 303
Traffic Groupings To configure the switch, follow these steps: 1 Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3: configure access-list qp3sub any The following is a sample policy file example: #filename: qp3sub.pol entry QP3-subnet { if { source-address 10.1.2.0/24 } then {...
Quality of Service Physical and Logical Groupings Two traffic groupings exist in this category: Source port ● VLAN ● Source port A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, use the following command: configure ports <port_list>...
Page 305
Traffic Groupings To verify settings on ports or VLANs, use the following command: show ports {mgmt | <port_list>} information {detail} BlackDiamond 8800 family of switches and Summit X450 switch display. You display which QoS profile, if any, is configured on the BlackDiamond 8800 family of switches and the Summit X450 switch using the command.
Page 306
Quality of Service Following is sample output of this command for a BlackDiamond 10K switch 10 Gbps port: Port: Virtual-router: VR-Default Type: XENPAK Random Early drop: Disabled Admin state: Enabled with 10G full-duplex Link State: Ready Link Counter: Up 0 time(s) VLAN cfg: STP cfg: Protocol:...
Verifying QoS Configuration and Performance Link Counter: Up 0 time(s) VLAN cfg: Name: Default, Internal Tag = 1, MAC-limit = No-limit STP cfg: s0(disable), Tag=(none), Mode=802.1D, State=FORWARDING Protocol: Name: Default Protocol: ANY Match all protocols. Trunking: Load sharing is not enabled. EDP: Enabled DLCS:...
Quality of Service After you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor on the BlackDiamond 10K switch to determine whether the application performance meets your expectations. QoS features performance monitoring with a snapshot display of the monitored ports. To view switch performance per port, use the following command: show ports <port_list>...
Guidelines for Configuring QoS The following are useful guidelines for configuring QoS: If you are using DiffServ for QoS parameters, Extreme Networks recommends that you also ● configure 802.1p or port-based QoS parameters to ensure that high-priority traffic is not dropped prior to reaching the Master Switch Module (MSM) on modular switches.
Quality of Service Bi-Directional Rate Shaping—BlackDiamond 10K Switch Only NOTE If you are working with the BlackDiamond 8800 family of switches or the Summit X450 switch, refer to Chapter 13, “Access Lists (ACLs),” for information on metering the ingressing traffic. With software version 11.0, you can configure and display bi-directional rate shaping parameters on the BlackDiamond 10K switch.
Bi-Directional Rate Shaping—BlackDiamond 10K Switch Only Bandwidth Settings You apply ingress QoS profile (IQP or rate shaping) values on the BlackDiamond 10K switch as either a percentage of bandwidth or as an absolute value in Kbps or Mbps. IQP bandwidth settings are in turn applied to queues on physical ports.
Quality of Service port on the ingress port, using either percentage of total bandwidth or absolute values for committed and peak rates in Kbps or Mbps. You also set the priority level for each queue. To define rate shaping on a port, you assign a minimum and maximum bandwidth or rate plus a priority value to each queue on the ingress port (see Table 47 for the number of queues available to each...
ExtremeWare XOS 11.3 introduces enhanced security features designed to protect, rapidly detect, and correct anomalies in your network. Extreme Networks products incorporate a number of features designed to enhance the security of your network while resolving issues with minimal network disruption.
CLEAR-Flow provide a rapid response to network threats. Sentriant can add to or modify the BlackDiamond 10K switch’s CLEAR-Flow rules and ACLs in real-time to inspect additional traffic or change inspection thresholds. For more information about Sentriant, contact your Extreme Networks representative. For more information about CLEAR-Flow, see Chapter 18, “CLEAR-Flow.”...
MAC Address Security mode. Although SNMP, Telnet, and switch ports are enabled by default, the script prompts you to confirm those settings. By answering N (No) to each question, you keep the default settings. Would you like to disable Telnet? [y/N]: No Would you like to disable SNMP [y/N]: No Would you like unconfigured ports to be turned off by default [y/N]: No In addition, if you keep the default settings for SNMP and Telnet, the switch returns the following...
Page 316
Security NOTE Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.
MAC Address Security This command displays detailed information, including MAC security information, for the specified port. Limiting MAC Addresses with ESRP Enabled If you configure a MAC address limit on VLANS that participate in an Extreme Standby Router Protocol (ESRP) domain, you should add an additional back-to-back link (that has no MAC address limit on these ports) between the ESRP-enabled switches.
Security NOTE Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.
DHCP Server Configuring the DHCP Server The following commands allow you to configure the DHCP server included in the switch. The parameters available to configure include the IP address range, IP address lease, and multiple DHCP options. To configure the range of IP addresses assigned by the DHCP server, use the following command: configure vlan <vlan_name>...
Security Denial of Service Protection A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed and rendered inoperative in a way that legitimate requests for service cannot succeed. In its simplest form, a Denial of Service attack is indistinguishable from normal heavy traffic. There are some operations in any switch or router that are more costly than others, and although normal traffic is not a problem, exception traffic must be handled by the switch’s CPU in software.
Denial of Service Protection Configuring Denial of Service Protection To enable or disable DoS protection, use the following commands: enable dos-protect disable dos-protect After enabling DoS protection, the switch will count the packets handled by the CPU and periodically evaluate whether to send a notification and/or create an ACL to block offending traffic. You can configure a number of the values used by DoS protection if the default values are not appropriate for your situation.
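The evaluation loop just described (count packets handed to the CPU, evaluate once per interval, notify above one threshold and install a temporary blocking ACL above a higher one) is worth seeing as explicit logic, because it also shows the limit of the mechanism. The following is an added example and not code from the ExtremeWare XOS guide or from Extreme Networks; the parameter names, their defaults, the choice to block a single source/destination pair and the traffic timeline are all assumptions for this example.

```python
from collections import Counter


class DosProtect:
    """Simulation of the DoS-protection logic described in the text.
    Assumed parameters: notify_threshold and alert_threshold are CPU packets per interval,
    acl_expire is the lifetime in intervals of an automatically created blocking ACL."""

    def __init__(self, notify_threshold=3500, alert_threshold=4000, acl_expire=5):
        self.notify_threshold = notify_threshold
        self.alert_threshold = alert_threshold
        self.acl_expire = acl_expire
        self.counts = Counter()           # (src, dst) -> packets punted to the CPU this interval
        self.acls = {}                    # (src, dst) -> interval at which the auto-ACL expires
        self.log = []

    def cpu_packet(self, now, src, dst):
        """Called for every packet the switch would hand to the CPU; returns what happened to it."""
        if self.acls.get((src, dst), -1) > now:
            return "dropped-by-acl"
        self.counts[(src, dst)] += 1
        return "to-cpu"

    def end_of_interval(self, now):
        """Periodic evaluation; returns the action taken for this interval."""
        for flow, expiry in list(self.acls.items()):
            if expiry <= now:
                del self.acls[flow]
                self.log.append((now, "acl-expired", flow))
        total = sum(self.counts.values())
        action = "none"
        if total >= self.alert_threshold:
            flow, _ = self.counts.most_common(1)[0]     # block the top talker only
            self.acls[flow] = now + self.acl_expire
            self.log.append((now, "acl-installed", flow))
            action = "acl"
        elif total >= self.notify_threshold:
            self.log.append((now, "notify", total))
            action = "notify"
        self.counts.clear()
        return action


def simulate(attacker_rate=5000, background_rate=100, seconds=8):
    """Constructed traffic: one host floods the CPU during the first two intervals, the rest is quiet."""
    dp = DosProtect()
    timeline = []
    for t in range(seconds):
        dropped = 0
        for _ in range(attacker_rate if t < 2 else 0):
            dropped += dp.cpu_packet(t, "192.0.2.66", "10.0.0.1") == "dropped-by-acl"
        for i in range(background_rate):
            dp.cpu_packet(t, f"10.0.1.{i % 250 + 1}", "10.0.0.1")
        timeline.append((t, dp.end_of_interval(t), dropped))
    return timeline, dp.log


if __name__ == "__main__":
    timeline, log = simulate()
    for entry in timeline:
        print("interval %d: action=%s dropped=%d" % entry)
    print(log)
```

The flood is only stopped from the second interval on, and the auto-ACL keys on one source/destination pair; an attacker that spoofs many sources keeps every interval under the per-flow block and must be handled by the thresholds and by static ACLs or ingress filtering, which is why the text presents DoS protection as a complement to policy-file ACLs rather than a replacement.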
Security Authenticating Users Using RADIUS or TACACS+ ExtremeWare XOS provides three methods to authenticate users who log in to the switch: RADIUS ● TACACS+ ● Local database of accounts and passwords ● RADIUS, TACACS+, local database of accounts and passwords, and SSH are management access security features that control access to the management functions available on the switch.
Page 323
Authenticating Users Using RADIUS or TACACS+ Configuring the RADIUS Servers To configure the RADIUS servers, use the following command: configure radius {mgmt-access | netlogin} [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip [<ipaddress>] {vr <vr_name>} To configure the primary RADIUS server, specify .
Page 324
Configuring RADIUS Accounting Extreme Networks switches are capable of sending RADIUS accounting information. As with RADIUS authentication, you can specify two servers for receipt of accounting information. To specify RADIUS accounting servers, use the following command: configure radius-accounting {mgmt-access | netlogin} [primary | secondary] server [<ipaddress>...
Authenticating Users Using RADIUS or TACACS+ Do not use the encrypted keyword to set the shared secret. The encrypted keyword is primarily for the output of the show configuration command, so the shared secret is not revealed in the show configuration output.
Page 326
For a RADIUS server to identify the administrative privileges of a user, Extreme Networks switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept packet, after successfully authenticating the user.
Page 327
Authenticating Users Using RADIUS or TACACS+ command lists that are either permitted or denied to a user based on their login identity. Changes to the profiles file require the RADIUS server to be shut down and restarted. Sending a HUP signal to the RADIUS process is not enough to force changes to the profiles file to take effect.
Page 328
2 Modify the Funk SBR ‘vendor.ini’ file and user accounts. To configure the Funk SBR server, the file ‘vendor.ini’ must be modified to change the Extreme Networks configuration value of ‘ignore-ports’ to yes as shown in the example below: vendor-product = Extreme Networks dictionary = Extreme ignore-ports...
Page 329
Building on this example configuration, you can use RADIUS to perform per-command authentication to differentiate user capabilities. To do so, use the Extreme-modified RADIUS Merit software that is available from Extreme Networks by contacting Extreme Networks technical support. The software ™...
Authenticating Users Using RADIUS or TACACS+ This section describes the following topics: Configuring the TACACS+ Servers on page 331 ● Configuring the TACACS+ Timeout Value on page 331 ● Configuring the Shared Secret Password for TACACS+ Servers on page 331 ●...
Security Do not use the encrypted keyword to set the shared secret. The encrypted keyword is primarily for the output of the show configuration command, so the shared secret is not revealed in the show configuration output. Enabling and Disabling TACACS+ After server information is entered, you can start and stop TACACS+ authentication as many times as necessary without needing to reconfigure server information.
Secondary TACACS+ Accounting Server:Not configured Configuring TACACS+ Accounting Extreme Networks switches are capable of sending TACACS+ accounting information. As with TACACS+ authentication, you can specify two servers for receipt of accounting information. To specify TACACS+ accounting servers, use the following command: configure tacacs-accounting [primary | secondary] server [<ipaddress>...
Security Enabling and Disabling TACACS+ Accounting After you configure TACACS+ accounting server information, you must enable accounting before the switch begins transmitting the information. You must enable TACACS+ authentication for accounting information to be generated. You can enable and disable accounting without affecting the current state of TACACS+ authentication.
Secure Shell 2 Client address: 10.201.31.85 (VR-Default) Shared secret : purple TACACS+ Acct Server Connect Timeout sec: 3 Primary TACACS+ Accounting Server: Server name IP address 10.201.31.238 Server IP Port: Client address: 10.201.31.85 (VR-Default) Shared secret : purple Secondary TACACS+ Accounting Server: Server name IP address 10.201.31.235...
Page 336
Because SSH2 is currently under U.S. export restrictions, you must first obtain and install the ssh.xmod software module from Extreme Networks before you can enable SSH2. You must enable SSH2 on the switch before you can connect to the switch using an external SSH2 client.
Secure Shell 2 For additional information on the SSH protocol refer to Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994. This can be downloaded from: ftp://ftp.cs.hut.fi/pub/ssh. General technical information is also available from: http://www.ssh.fi Using ACLs to Control SSH2 Access You can restrict SSH2 access by creating and implementing an ACL policy.
[user@linux-server]# scp2 test.pol admin@192.168.0.120:/config/test.pol SSH2 Client Functions on the Switch Beginning with ExtremeWare XOS 11.2, an Extreme Networks switch can function as an SSH2 client. This means you can connect from the switch to a remote device running an SSH2 server and send commands to that device.
Secure Socket Layer You do not need to enable SSH2 or generate an authentication key to use the SSH2 and SCP2 commands from the ExtremeWare XOS CLI. NOTE The BlackDiamond 8800 family of switches and the Summit X450 switch do not support user-created VRs. To send commands to a remote system using SSH2, use the following command: ssh2 {cipher [3des | blowfish]} {port <portnum>} {compression [on | off]} {user <username>} {debug <debug_level>} {<username>@} [<host>...
This section describes how to enable and disable SSL on your switch. NOTE Prior to ExtremeWare XOS 11.2, the Extreme Networks SSH module did not include SSL. To use SSL for secure HTTPS web-based login, you must upgrade your core software image to ExtremeWare XOS 11.2 or later, install the SSH module that works in concert with that core software image, and reboot the switch.
Secure Socket Layer To disable SSL and HTTPS, enter the following command: disable web https Creating Certificates and Private Keys When you generate a certificate, the certificate is stored in the configuration file, and the private key is stored in the EEPROM. The certificate generated is in PEM format. To create a self-signed certificate and private key that can be saved in the EEPROM, use the following command: configure ssl certificate privkeylen <length>...
Page 342
This warning acts as a reminder to also download the corresponding certificate. For security reasons, when downloading private keys, Extreme Networks recommends obtaining a pre-generated key rather than downloading a private key from a TFTP server. See “Configuring Pre-...
Secure Socket Layer Displaying SSL Information Use the following command to display whether the switch has a valid private and public key pair and the state of HTTPS access: show ssl ExtremeWare XOS 11.3 Concepts Guide...
Page 344
Security ExtremeWare XOS 11.3 Concepts Guide...
Extreme Networks supports a smooth transition from web-based to 802.1x authentication. MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone.
Network Login Overview Disadvantages of Web-Based Authentication: The login process involves manipulation of IP addresses and must be done outside the scope of a ● normal computer login process. It is not tied to a Windows login. The client must bring up a login page and initiate a login.
After authentication, the port forwards packets. You do not explicitly configure the mode of operation; rather, the presence of any Extreme Networks Vendor Specific Attribute (VSA) that has a VLAN name or VLAN ID (any VLAN attribute) in the RADIUS server determines the mode of operation.
Configuring Network Login NOTE If you use 802.1x network login, authenticated clients remain authenticated during failover; however, shortly after failover, all authenticated clients automatically re-authenticate themselves. Re-authentication occurs without user intervention. If failover occurs during the authentication or re-authentication of a client, the client must repeat the authentication process.
Network Login Enabling or Disabling Network Login on the Switch To enable or disable network login, use one of the following commands and specify the authentication method: enable netlogin [{dot1x} {mac} {web-based}] disable netlogin [{dot1x} {mac} {web-based}] By default netlogin is disabled. Enabling or Disabling Network Login on a Specific Port To enable network login on a port, use the following command to specify the ports and the authentication method:...
In the following example using FreeRADIUS, you add the configuration to the RADIUS server users file. The users file determines which attributes are sent back by the RADIUS server to the RADIUS client (an Extreme Networks switch). Depending on your RADIUS server, where and how you add the configuration might be different.
Page 352
Network Login Add the following line to the RADIUS server users file for netlogin-only disabled users: Extreme:Extreme-Netlogin-Only = Disabled Add the following line to the RADIUS server users file for netlogin-only enabled users: Extreme:Extreme-Netlogin-Only = Enabled Table 49 contains the Vendor Specific Attribute (VSA) definitions for web-based, MAC-based, and 802.1x network login.
Page 353
VLAN. Guidelines and Examples for Using VSAs This section contains guidelines and examples for using the Extreme Networks VSAs listed in Table The examples in this section use FreeRADIUS to modify the VSA. Depending on your RADIUS server, configuration might be different.
Page 354
Extreme-Netlogin-Extended-VLAN = *145 VSA 203—Extreme: Netlogin-VLAN-Name. The following describes the guidelines for VSA 203: For untagged VLAN movement with 802.1x netlogin, you can use all current Extreme Networks ● VLAN VSAs: VSA 203, VSA 209, and VSA 211.
Authenticating Users ● If you do not specify a URL, the network login infrastructure uses the default redirect page URL, http://www.extremenetworks.com, or the URL that you configured using the configure netlogin redirect-page command. VSA 204 applies only to the web-based authentication mode of Network Login. VSA 204 Example.
Page 356
32 characters. Passwords must have a minimum of 0 characters and a maximum of 32 characters. If you use RADIUS for authentication, Extreme Networks recommends that you use the same user name and password for both local authentication and RADIUS authentication.
Page 357
Authenticating Users Specifying a Destination VLAN If you configure a local netlogin account with a destination VLAN, upon successful authentication, the client transitions to the permanent, destination VLAN. You can specify the destination VLAN when you initially create the local netlogin account or at a later time. Adding VLANs when Creating a Local Netlogin Account.
Page 358
Network Login Modifying an Existing Local Netlogin Account After you create a local netlogin user name and password, you can update the following attributes of that account: Password of the local netlogin account ● Destination VLAN attributes including: adding clients tagged or untagged, the name of the VLAN, ●...
802.1x Authentication ● vlan_name—Specifies the name of the destination VLAN ● vlan_name_tag—Specifies the VLAN ID (tag) of the destination VLAN ● none—Specifies that the VSA 211 wildcard (*) is applied, only if you do not specify tagged or untagged Displaying Local Netlogin Accounts...
Network Login Supplicant Side The supported 802.1x clients (supplicants) are Windows 2000 SP4 native client, Windows XP native clients, and Meetinghouse AEGIS. A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer authentication requires a certificate installed in the computer certificate store, and user authentication requires a certificate installed in the individual user's certificate store.
802.1x Authentication 802.1x Network Login Configuration Example The following configuration example shows the Extreme Networks switch configuration needed to support the 802.1x network login example. NOTE In the following sample configuration, any lines marked (Default) represent default settings and do not need to be explicitly configured.
Page 362
Network Login With a guest VLAN configured, if a supplicant does not have 802.1x enabled and does not respond to 802.1x authentication requests sent by the switch, the supplicant moves to a guest VLAN. Upon entering the guest VLAN, the supplicant gains limited network access. You configure the amount of network access granted to clients in the guest VLAN.
Web-Based Authentication Modifying the Supplicant Response Timer To modify the supplicant response timer, use the following command and specify the supp-resp-timeout parameter: configure netlogin dot1x timers [{server-timeout <server_timeout>} {quiet-period <quiet_period>} {reauth-period <reauth_period>} {supp-resp-timeout <supp_resp_timeout>}] The default supplicant response timeout is 30 seconds. The number of authentication attempts is not a user-configured parameter.
URL after they get logged in. To support https, you must first download and install the separate Extreme Networks SSH software module (ssh.xmod). This additional module allows you to configure both SSH2 and SSL on the switch.
Logout-privilege Web-Based Network Login Configuration Example The following configuration example shows both the Extreme Networks switch configuration and the Radius server entries needed to support the example. VLAN corp is assumed to be a corporate subnet which has connections to DNS, WINS servers, network routers, and so on. VLAN temp is a temporary VLAN and is created to provide connections to unauthenticated network login clients.
Page 366
Network Login create vlan “temp” create vlan “corp” configure vlan “default” delete ports 4:1-4:4 enable ipforwarding # Configuration Information for VLAN temp # No VLAN-ID is associated with VLAN temp. configure vlan “temp” ipaddress 198.162.32.10 255.255.255.0 # Configuration Information for VLAN corp # No VLAN-ID is associated with VLAN corp.
Web-Based Authentication Web-Based Authentication User Login When you use web-based authentication, follow these steps: 1 Set up the Windows IP configuration for DHCP. 2 Plug into the port that has web-based network login enabled. 3 Log in to Windows. 4 Release any old IP settings and renew the DHCP lease. This is done differently depending on the version of Windows the user is running: Windows 9x—Use the tool.
● NOTE Because network login is sensitive to state changes during the authentication process, Extreme Networks recommends that you do not log out until the login process is complete. The login process is complete when you receive a permanent address.
MAC-Based Authentication Secure MAC Configuration Example on page 370 ● MAC-Based Network Login Configuration Example on page 371 ● Enabling and Disabling MAC-Based Network Login To enable MAC-based network login on the switch, use the following command: enable netlogin Any combination of types of authentication can be enabled on the same switch. At least one of the authentication types must be specified on the CLI.
Note that the commands are VR aware, and therefore one MAC list table exists per VR. Secure MAC Configuration Example The following configuration example shows how to configure secure MAC on your Extreme Networks switch. To configure secure MAC, do the following: Create a VLAN used for netlogin ●...
● show netlogin mac-list MAC-Based Network Login Configuration Example The following configuration example shows the Extreme Networks switch configuration needed to support the MAC-based network login example. create vlan “temp” create vlan “corp” configure vlan “default” delete ports 4:1-4:4 # Configuration Information for VLAN corp # No VLAN-ID is associated with VLAN corp.
Network Login Configuring Netlogin MAC-Based VLANs—BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only Currently, network login allows only a single, untagged VLAN to exist on a port. This limits the flexibility for untagged supplicants because they must be in the same VLAN. Beginning with ExtremeWare XOS 11.3, the BlackDiamond 8800 family of switches and the Summit X450 switch support netlogin MAC-based VLANs.
Page 373
Additional Network Login Configuration Details When you change the netlogin port’s mode of operation, the switch deletes all currently known supplicants from the port and restores all VLANs associated with that port to their original state. In addition, by selecting mac-based-vlans, you are unable to manually add or delete untagged VLANs from this port.
Page 374
Network Login enable netlogin ports 1:1-1:10 mac configure netlogin ports 1:1-1:10 mode mac-based-vlans configure netlogin add mac-list default MySecretPassword Expanding upon the previous example, you can also utilize the local database for authentication rather than the RADIUS server: create netlogin local-user 000000000012 vlan-vsa untagged default create netlogin local-user 000000000010 vlan-vsa untagged users12 For more information about local database authentication, see “Configuring Local Database...
CLEAR-Flow This chapter describes the following topics: Overview on page 375 ● Configuring CLEAR-Flow on page 375 ● Adding CLEAR-Flow Rules to ACLs on page 376 ● CLEAR-Flow Rule Examples on page 389 ● Overview CLEAR-Flow is a broad framework for implementing security, monitoring, and anomaly detection in ExtremeWare XOS software.
CLEAR-Flow After creating the ACLs that contain CLEAR-Flow rules, and after applying the ACLs to the appropriate interface, you will enable CLEAR-Flow on the switch. When CLEAR-Flow is enabled, the rules will be evaluated by the CLEAR-Flow agent on the switch, and if any rules are triggered, the CLEAR-Flow actions are executed.
Adding CLEAR-Flow Rules to ACLs then { <actions>; } } Or you can specify an optional else clause: entry <CLFrulename> <match-type> { <match-conditions>; then { <actions>; } else { <actions>; } } In the CLEAR-Flow rule syntax, the <CLFrulename> is the name of the rule (maximum of 31 characters).
CLEAR-Flow CLEAR-Flow Rule Match Conditions In a CLEAR-Flow rule, the <match-conditions> portion consists of one to four expressions, an optional global-rule statement, and an optional period statement: entry <CLFrulename> <match-type> { <expression>; <expression>; <expression>; <expression>; global-rule; period <interval>; then { <actions>;...
Page 379
Adding CLEAR-Flow Rules to ACLs counters. When you use a counter statement in an ACL, you are defining the counter used by CLEAR-Flow to monitor your system. The following sections discuss the CLEAR-Flow rule expressions in detail: Count Expression on page 379 ●...
Page 380
CLEAR-Flow Delta Expression A CLEAR-Flow delta expression computes the difference from one sample to the next of a counter value. This difference is compared with the threshold value. The following is the syntax for a CLEAR-Flow delta expression: delta <counterName> REL_OPER <countThreshold> ; hysteresis <hysteresis>...
Page 381
Adding CLEAR-Flow Rules to ACLs Table 52: Delta Expression Evaluation Example (Continued) Evaluation counter1 value Delta value Rule triggered? 1230 See the section, “Delta Expression Example” on page 389, for a full example of an ACL and a CLEAR-Flow rule using a delta expression. Ratio Expression A CLEAR-Flow ratio expression compares the ratio of two counter values with the threshold value.
Page 382
CLEAR-Flow Table 53: Ratio Expression Evaluation Example Evaluation counter1 value counter2 value ratio Rule triggered? 2475 2308 2313 3597 5340 1065 See the section, “Ratio Expression Example” on page 390, for a full example of an ACL and a CLEAR-Flow rule using a ratio expression.
Page 383
Adding CLEAR-Flow Rules to ACLs the counters is near the threshold. If the hysteresis value is greater than the threshold value, the hysteresis value will be set to zero. Table 54 is an example of evaluating the CLEAR-Flow delta-ratio expression above multiple times. Notice that the rule is not triggered at the second evaluation because both counters have not yet reached the min-value of 100.
CLEAR-Flow CLEAR-Flow Rule Actions CLEAR-Flow rules specify an action to take when the rule is triggered and can optionally specify an action to take when the expression is false. Because more than one action can be taken in a single rule, the collection of actions is referred to as an action list.
Page 385
Adding CLEAR-Flow Rules to ACLs For example (enabling mirroring from within CLEAR-Flow rule): cli “enable mirroring to port 7:4 tagged” mirror add acl_rule_1 SNMP Trap This action sends an SNMP trap message to the trap server, with a configurable ID and message string, when the rule is triggered.
Page 386
CLEAR-Flow If a keyword is not supported, or a counter name is not found, a string of “unknownKeyword[$keyword]” will be substituted. For the $vlanName and $port keywords, the keyword will be substituted for those rules in the wildcard ACL. Some CLI commands do not support the keyword, so caution must be used with CLI commands that use this feature.
Page 387
Adding CLEAR-Flow Rules to ACLs Table 56: Predefined CLEAR-Flow Counters (Continued) Counter Name Description sys_IpInDiscards The number of input IP packets for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space).
Page 388
CLEAR-Flow Table 56: Predefined CLEAR-Flow Counters (Continued) Counter Name Description sys_IcmpInAddrMaskReps The number of ICMP Address Mask Reply messages received. sys_IcmpOutMsgs The total number of ICMP messages which this entity attempted to send. Note that this counter includes all those counted by icmpOutErrors. sys_IcmpOutErrors The number of ICMP messages which this entity did not send due to problems discovered within ICMP such as a lack of buffers.
CLEAR-Flow Rule Examples Table 56: Predefined CLEAR-Flow Counters (Continued) Counter Name Description sys_IgmpOutLeaves The number of outgoing IGMP leave requests. 1.Most of these descriptions can be found in RFC 2011, SNMPv2 Management Information Base for the Internet Protocol using SMIv2 2.The length of an ICMP packet depends on the type and code field.
CLEAR-Flow move the traffic to QP3. In addition, reduce the peak rate to 5 Kbps on QP3. As long as the delta continues to be greater than or equal to 1000 packets, the CLEAR-Flow agent will repeatedly send a trap message every 120 seconds.
Page 391
CLEAR-Flow Rule Examples protocol tcp; } then { count counter2; entry cflow_ratio_rule_example { ratio counter1 counter2 > 5 ; period 2; min-value 1000; then { syslog "Rule $ruleName threshold ratio $ruleValue exceeds limit $ruleThreshold";...
CLEAR-Flow Delta-Ratio Expression Example In this example, every 2 seconds, the CLEAR-Flow agent will request the tcpSynCounter and tcpCounter values from the hardware. After it receives the two counter values, it will first calculate the delta for each of the counters and then check each counter’s delta value for its minimum value, which is 100. If both of the counters’...
Ethernet Automatic Protection Switching This chapter covers the following topics: Licensing on page 395 ● Overview of the EAPS Protocol on page 395 ● Fault Detection and Recovery on page 397 ● Multiple EAPS Domains on page 400 ● Configuring EAPS on a Switch on page 403 ●...
Page 396
Ethernet Automatic Protection Switching An Ethernet ring built using EAPS can have resilience comparable to that provided by SONET rings, at a lower cost and with fewer restraints (such as ring size). The EAPS technology developed by Extreme Networks to increase the availability and robustness of Ethernet rings is described in RFC 3619: Extreme Networks’...
Fault Detection and Recovery Figure 18: EAPS operation Secondary port Direction of is logically blocked health-check Master message node EW_071 If the ring is complete, the master node logically blocks all data traffic in the transmit and receive directions on the secondary port to prevent a loop. If the master node detects a break in the ring, it unblocks its secondary port and allows data traffic to be transmitted and received through it.
Ethernet Automatic Protection Switching A master node detects a ring fault in one of three ways: Link down message sent by a transit node ● Ring port down event sent by hardware layers ● Polling response ● The rest of this section describes the fault detection methods and the applicable restoration options. Link Down Message Sent by a Transit Node When any transit node detects a loss of link connectivity on any of its ring ports, it immediately sends a “link down”...
Fault Detection and Recovery Polling The master node transmits a health check packet on the control VLAN at a user-configurable interval (see Figure 18). If the ring is complete, the master node receives the health-check packet on its secondary port (the control VLAN is not blocked on the secondary port). When the master node receives the health-check packet, it resets its failtimer and continues normal operation.
Ethernet Automatic Protection Switching Multiple EAPS Domains This section illustrates how you can work with more than one EAPS domain. The scenarios described in this section include the following: EAPS Data VLAN Spanning Two Rings Connected by One Switch on page 400 ●...
Multiple EAPS Domains Multiple EAPS Domains per Ring—Spatial Reuse To take advantage of the spatial reuse technology and broaden the use of the ring’s bandwidth, EAPS supports multiple EAPS domains running on the ring at the same time (Figure 21). Figure 21: Multiple EAPS domains per ring Master EAPS 1 Transit EAPS 2...
Ethernet Automatic Protection Switching Figure 22: EAPS shared ports configuration with spatial reuse EX_105 For information about configuring common links and EAPS shared ports, see “Configuring EAPS Shared Ports” on page 411. Multiple EAPS Rings Sharing a Common Link When you configure EAPS on multiple rings with a common link, you may experience a loop situation across both rings.
Configuring EAPS on a Switch Figure 23: Multiple EAPS domains sharing a common link with EAPS shared ports Controller EAPS1 EAPS2 link ID=1 Common link Partner S 10 Master Master node node EW_095 The switches on either end of the common link must be configured as controller and a partner. For information about configuring common links, see “Configuring EAPS Shared Ports”...
NOTE If you use the same name across categories (for example, STPD and EAPS names), Extreme Networks recommends that you specify the identifying keyword as well as the actual name. If you do not use the keyword, the system may return an error message.
Configuring EAPS on a Switch Configuring EAPS Polling Timers To set the values of the polling timers the master node uses for the EAPS health check packet that is circulated around the ring for an EAPS domain, use the following commands: configure eaps <name>...
Ethernet Automatic Protection Switching Configuring the Primary and Secondary Ports Each node on the ring connects to the ring through two ring ports. As part of the protection switching scheme, one port must be configured as the primary port, and the other must be configured as the secondary port.
Configuring EAPS on a Switch The following command example adds the control VLAN “keys” to the EAPS domain “eaps_1”. configure eaps eaps_1 add control vlan keys Configuring the EAPS Protected VLANs You must configure one or more protected VLANs for each EAPS domain. The protected VLANs are the data-carrying VLANs.
Ethernet Automatic Protection Switching To disable the EAPS function for the entire switch, use the following command: disable eaps Unconfiguring an EAPS Ring Port Unconfiguring an EAPS port sets its internal configuration state to INVALID, which causes the port to appear in the Idle state with a port status of Unknown when you use the show eaps {<eapsDomain>} command to display the status information about the port.
Page 409
Configuring EAPS on a Switch p_10 p_11 p_12 p_13 p_14 p_15 p_16 p_17 p_18 p_19 p_20 p_21 p_22 p_23 p_24 p_25 p_26 p_27 p_28 p_29 p_30 NOTE You may see a slightly different display, depending on whether you display the master node or the transit node. The display from the command shows all the information shown in the show eaps detail...
Page 410
Ethernet Automatic Protection Switching Table 57: show eaps display fields (Continued) Field Description State On a transit node, the command displays one of the following states: • Idle—The EAPS domain has been enabled, but the configuration is not complete. • Links-Up—This EAPS domain is running, and both its ports are up and in the forwarding state.
Configuring EAPS Shared Ports Table 57: show eaps display fields (Continued) Field Description Tag status Tagged status of the control VLAN: • Tagged—The control VLAN has this port assigned to it, and the port is tagged in the VLAN. • Untagged—The control VLAN has this port assigned to it, but the port is untagged in the control VLAN.
Ethernet Automatic Protection Switching Steady State In steady state when the common link is up, both the controller and partner are said to be in the “ready” state. After EAPS has converged and the EAPS master node has blocked its own secondary ports, the controller puts all its ports into “forwarding,”...
Page 413
Configuring EAPS Shared Ports Figure 25: EAPS domain common link failure EAPS3 Active-Open Controller EAPS2 EAPS1 Partner Master Master Master EW_102b When the common link is restored, the controller goes into Preforwarding state. After the controller receives notification from the master nodes that they have converged and blocked their secondary ports, the controller opens all ports.
Ethernet Automatic Protection Switching Flushing the FDBs When a controller goes into or out of the “blocking” state, the controller sends a “flush fdb” message to flush all of the FDBs of the switches in its segments. Each switch in the path of the “flush fdb” message flushes its FDB.
Configuring EAPS Shared Ports Configuring the Shared Port Segment Timer To configure the segment timer, use the following command: configure eaps shared-port <ports> segment-timeout expiry-action [segment-down | send-alert] Where the following is true: ● segment-down—If the controller or partner switch’s segment timer expires, that segment is set to...
Page 416
Ethernet Automatic Protection Switching The following examples of the show eaps shared-port command display shared port information when the EAPS domain is in a “ready” state (for example, when the common link is up). EAPS shared-port count: 1 -------------------------------------------------------------------------------- Link Domain Vlan Shared-port Mode...
Page 417
Configuring EAPS Shared Ports Table 58: show eaps shared-port display fields (Continued) Field Description Displays one of the following states: • Yes—Indicates that the EAPS instance on the other end of the common link is configured with matching link ID and opposite modes.
Ethernet Automatic Protection Switching Table 58: show eaps shared-port display fields (Continued) Field Description EAPS Domain (available with the The EAPS domain having the segment port as one of its ring ports. detail keyword or by specifying a shared port) Vlan-port count (available with the The total number of VLANs being protected under this segment port.
EAPS Shared Port Configuration Examples 1 controller and 1 partner ■ 2 partners ■ A shared port cannot be configured on an EAPS master’s secondary port. ● EAPS Shared Port Configuration Examples This section provides examples of EAPS shared port configurations. Basic Configuration This example, shown in Figure...
Ethernet Automatic Protection Switching Figure 27: EAPS shared port basic core configuration Master node S 12 P1:2 P1:3 Controller Controller EAPS3 EAPS1 EAPS2 P1:1 link ID=2 S 11 link ID=1 Common link Common link Master S 10 node Partner Partner EAPS4 S 13 Master...
EAPS Shared Port Configuration Examples Figure 29: Basic core and right angle configuration Master node EAPS5 EAPS4 S 14 Partner link ID=3 Controller Controller Common Partner link EAPS3 EAPS1 Master link ID=1 node Common Common link ID=2 Master link link S 13 node Partner...
Ethernet Automatic Protection Switching Advanced Configuration Figure 31 shows an extension of the Basic Core and Right Angle configuration. Figure 31: Advanced configuration Partner Controller Controller Master Master node EAPS2 EAPS3 link ID=2 link ID=4 Common Common EAPS5 link Common link link EAPS1...
Spanning Tree Protocol This chapter covers the following topics: Overview of the Spanning Tree Protocol on page 423 ● Spanning Tree Domains on page 423 ● STP Configurations on page 430 ● Per VLAN Spanning Tree on page 436 ● Rapid Spanning Tree Protocol on page 436 ●...
Spanning Tree Protocol The key points to remember when configuring VLANs and STP are: Each VLAN forms an independent broadcast domain. ● STP blocks paths to create a loop-free environment. ● Within any given STPD, all VLANs belonging to it use the same spanning tree. ●...
Spanning Tree Domains Assigns VLAN v5 to STPD s8. ● Creates the same tag ID for the VLAN and the STPD (the carrier VLAN’s VLANid must be identical ● to the STPDs StpdID). create vlan v5 configure vlan v5 tag 100 configure vlan v5 add ports 1:1-1:20 tagged create stpd s8 configure stpd s8 add vlan v5 ports all emistp...
Extreme Multiple Instance Spanning Tree Protocol (EMISTP) mode ● EMISTP mode is proprietary to Extreme Networks and is an extension of STP that allows a physical port to belong to multiple STPDs by assigning the port to multiple VLANs. EMISTP adds significant flexibility to STP network design.
Spanning Tree Domains Listening ● A port in the listening state does not accept ingress traffic, perform traffic forwarding, or learn MAC source addresses. The port does receive STP BPDUs. This is the first transitional state a port enters after being in the blocking state. The bridge listens for BPDUs from neighboring bridge(s) to determine whether the port should or should not be blocked.
Page 428
Spanning Tree Protocol pvst-plus), the STP port mode is changed to match; otherwise, the STP port inherits either the carrier VLAN’s encapsulation mode on that port or the STPD’s default encapsulation mode. To remove ports, use the following command: configure stpd <stpd_name>...
Spanning Tree Domains If you manually delete a port from the STPD on a VLAN that has been added by autobind, ExtremeWare XOS records the deletion so that the port does not get automatically added to the STPD after a system restart. To learn more about the member VLANs, see “Member VLANs”...
Spanning Tree Protocol 2 If the MSMs are not synchronized, replicate all saved images and configuration from the primary to the backup using the synchronize command. 3 Initiate failover using the run msm-failover command. For more detailed information about verifying the status of the MSMs and system redundancy, see “Understanding System Redundancy with Dual MSMs Installed—Modular Switches Only”...
Page 431
STP Configurations Figure 32: Multiple STPDs Sales, Personnel, Marketing Manufacturing, Engineering, Marketing Switch A Switch Y Switch B Switch Z Switch M STPD 1 STPD 2 Sales, Personnel, Manufacturing, Engineering, Marketing EX_048 When the switches in this configuration boot-up, STP configures each STPD such that the topology contains no active loops.
Page 432
Spanning Tree Protocol Figure 33: Incorrect tag-based STPD configuration Marketing & Sales Marketing, Sales & Engineering Switch 1 Switch 3 Switch 2 Sales & Engineering EX_049 The tag-based network in Figure 33 has the following configuration: Switch 1 contains VLAN Marketing and VLAN Sales. ●...
STP Configurations Multiple STPDs on a Port Traditional 802.1D STP has some inherent limitations when addressing networks that have multiple VLANs and multiple STPDs. For example, consider the sample depicted in Figure Figure 34: Limitations of traditional STPD EX_050 The two switches are connected by a pair of parallel links. Both switches run two VLANs, A and B. To achieve load-balancing between the two links using the traditional approach, you would have to associate A and B with two different STPDs, called S1 and S2, respectively, and make the left link carry VLAN A traffic while the right link carries VLAN B traffic (or vice versa).
Spanning Tree Protocol Alternatively, the same VLAN may span multiple large geographical areas (because they belong to the same enterprise) and may traverse a great many nodes. In this case, it is desirable to have multiple STP domains operating in a single VLAN, one for each looped area. The justifications include the following: The complexity of the STP algorithm increases, and performance drops, with the size and complexity ●...
Page 435
STP Configurations Figure 36: VLANs traverse domains inside switches Correct Wrong EX_052 The VLAN partition feature is deployed under the premise that the overall inter-domain topology ● for that VLAN is loop-free. Consider the case in Figure 37, VLAN red (the only VLAN in the figure) spans STPDs 1, 2, and 3.
Spanning Tree Protocol Per VLAN Spanning Tree Switching products that implement Per VLAN Spanning Tree (PVST) have been in existence for many years and are widely deployed. To support STP configurations that use PVST, ExtremeWare XOS has an operational mode called PVST+. NOTE In this document, PVST and PVST+ are used interchangeably.
Rapid Spanning Tree Protocol RSTP Concepts This section describes important RSTP concepts. Port Roles RSTP uses information from BPDUs to assign port roles for each LAN segment. Port roles are not user-configurable. Port role assignments are determined based on the following criteria: A unique bridge identifier (MAC address) associated with each bridge ●...
Page 438
Spanning Tree Protocol Table 60 describes the link types. Table 60: RSTP link types Port Link Type Description Auto Specifies the switch to automatically determine the port link type. An auto link behaves like a point-to-point link if the link is in full-duplex mode or if link aggregation is enabled on the port.
Rapid Spanning Tree Protocol Table 61: User-configurable timers (Continued) Timer Description Forward delay A port moving from the blocking state to the forwarding state uses the forward delay timer to transition through the listening and learning states. In RSTP, this timer complements the rapid configuration behavior.
Page 440
Spanning Tree Protocol blocked, the bridge immediately sends an “agree” message to unblock the proposing port without having to wait for further confirmations to come back or without the worry of temporary loops. Beginning with the root bridge, each bridge in the network engages in the exchange of “propose” and “agree”...
Page 441
Rapid Spanning Tree Protocol Figure 38: Example of root port rapid behavior Inital topology New topology Bridge Bridge Backup Designated Backup Designated port port port port LAN segment Superior STP bridge priority Root bridge EX_054 If the backup port receives the BPDU first, STP processes this packet and temporarily elects this port as the new root port while the designated port’s role remains unchanged.
Page 442
Spanning Tree Protocol Receiving Bridge Behavior The receiving bridge must decide whether or not to accept a proposal from a port. Upon receiving a proposal for a root port, the receiving bridge: Processes the BPDU and computes the new STP topology. ●...
Page 443
Rapid Spanning Tree Protocol Figure 39: Initial network configuration A , 0 A , 1 A , 2 A , 1 A , 2 A , 3 Designated Root Blocked port port port EX_055a The following steps describe how the network reconverges. 1 If the link between bridge A and bridge F goes down, bridge F detects the root port is down.
Page 444
Spanning Tree Protocol As shown in Figure 41, after the configuration update, bridge E: Regards itself as the new root bridge. ● Sends BPDU messages on both of its designated ports to bridges F and D, respectively. ● Figure 41: New root bridge selected A , 0 A , 1 A , 2...
Page 445
Rapid Spanning Tree Protocol As shown in Figure 43, after the configuration update, bridge D: Moves the alternate port to a designated port. ● Sends a “propose” message to bridge E to solicit confirmation of its designated role and to ●...
Page 446
Spanning Tree Protocol 6 To complete the topology change (as shown in Figure 45): Bridge D moves the port that received the “agree” message into the forwarding state. ● Bridge F confirms that its receiving port (the port that received the “propose” message) is the root ●...
STP Rules and Restrictions STP Rules and Restrictions This section summarizes the rules and restrictions for configuring STP as follows: The carrier VLAN must span all ports of the STPD. ● The StpdID must be the VLANid of the carrier VLAN; the carrier VLAN cannot be partitioned. ●...
Port mode ● NOTE The device supports the RFC 1493 Bridge MIB, RSTP-03, and Extreme Networks STP MIB. Parameters of the s0 default STPD support RFC 1493 and RSTP-03. Parameters of any other STPD support the Extreme Networks STP MIB.
STP Configuration Examples Configures the default encapsulation mode of dot1d for all ports added to STPD Backbone_st. ● Enables autobind to automatically add or remove ports from the STPD. ● Assigns the Engineering VLAN to the STPD. ● Assigns the carrier VLAN. ●...
Spanning Tree Protocol In this example, the commands configure switch A in STPD1 for rapid reconvergence. Use the same commands to configure each switch and STPD in the network. create stpd stpd1 configure stpd stpd1 mode dot1w create vlan sales create vlan personnel create vlan marketing configure vlan sales tag 100...
Page 453
Displaying STP Settings This command displays the following information: STPD port configuration ● STPD port mode of operation ● STPD path cost ● STPD priority ● STPD state (root bridge, and so on) ● Port role (root bridge, edge port, and so on) ●...
ESRP can provide better resiliency than using Spanning Tree Protocol (STP) or Virtual Router Redundancy Protocol (VRRP). Extreme Networks recommends that all switches participating in ESRP run the same version of ExtremeWare XOS.
Extreme Standby Router Protocol ESRP Modes of Operation ExtremeWare XOS has two modes of ESRP operation: standard and extended. Select standard ESRP if your network contains some switches running ExtremeWare, others running ExtremeWare XOS, and a combination of those switches participating in ESRP. Standard ESRP is backward compatible with and supports the ESRP functionality of ExtremeWare.
Page 457
ESRP Concepts Figure 49 displays a basic ESRP topology. Figure 49: Example of a basic ESRP topology ESRP Core Switch #1 ESRP Core Switch #2 State Domain Group State Domain Group Master corpnet1 Slave corpnet1 Master corpnet2 Slave corpnet2 Slave corpnet3 Master corpnet3...
473. Configuring ESRP-Aware Switches For an Extreme Networks switch to be ESRP-aware, you must create an ESRP domain on the aware switch, add a master VLAN to that ESRP domain, and configure a domain ID, if necessary. To participate as an ESRP-aware switch, the following must be true: The ESRP domain name must identical on all switches (ESRP-enabled and ESRP-aware) participating ●...
ESRP Concepts Displaying ESRP-Aware Information To display ESRP-aware information, use the following command: show esrp {<name>} The display includes the group number and MAC address for the master of the group, as well as the age of the information. Standard and Extended ESRP ESRP has two modes of operation: standard and extended.
Extreme Standby Router Protocol In extended mode, the active port count considers the number of active ports and the port weight configuration also considers the bandwidth of those ports. You enable port weight only on the load-shared master port. Domain ID ●...
Linking ESRP Switches When considering system design using ESRP, Extreme Networks recommends using a direct link. Direct links between ESRP switches are useful under the following conditions: A direct link can provide a more direct routed path, if the ESRP switches are routing and supporting ●...
255. The default priority setting is 0. A priority setting of 255 makes an ESRP switch a standby switch that remains in slave mode until you change the priority setting. Extreme Networks recommends this setting for system maintenance. A switch with a priority setting of 255 will never become the master.
Determining the ESRP Master Active port weight—The switch that has the highest port weight takes precedence. The bandwidth of ● the port automatically determines the port weight (available only in extended mode). You can configure the precedence order of the factors used by the system to determine the master ESRP switch.
You can configure the pre-master state timeout using the following command: configure esrp <esrpDomain> timer premaster <seconds> CAUTION Configure the pre-master state timeout only with guidance from Extreme Networks personnel. Misconfiguration can severely degrade the performance of ESRP and your switch. ESRP Failover Time ESRP Failover time is largely determined by the following factors: ESRP hello timer setting.
Determining the ESRP Master To change the election algorithm, you must first disable the ESRP domain and then configure the new election algorithm. If you attempt to change the election algorithm without disabling the domain first, an error message appears. To disable the ESRP domain, use the following command: disable esrp {<esrpDomain>} To modify the election algorithm, use the following command:...
Extreme Standby Router Protocol Table 63: ESRP election algorithms (Continued)
Election Algorithm | Description
sticky > priority > track > ports > mac | Specifies that this ESRP domain should consider election factors in the following order: Stickiness, ESRP priority, tracking information, active ports, MAC address.
NOTE If you use the same name across categories (for example, STPD and ESRP names), Extreme Networks recommends that you specify the appropriate keyword as well as the actual name. If you do not specify the keyword, the switch may display an error message.
Extreme Standby Router Protocol configure esrp esrp1 domain-id 4097 Adding VLANs to an ESRP Domain This section assumes that you have already created and configured the VLANs that you want to add to the ESRP domain. Adding and Deleting a Master VLAN The master VLAN is the VLAN on the ESRP domain that exchanges ESRP PDUs and data between a pair of ESRP-enabled devices.
Advanced ESRP Features configure esrp <esrpDomain> delete member <vlan_name> The following example removes the member VLAN purple from ESRP domain esrp1: configure esrp esrp1 delete member purple Enabling and Disabling an ESRP Domain To enable a specific ESRP domain, use the following command: enable esrp <esrpDomain>...
Page 470
Extreme Standby Router Protocol To configure the failover priority for an ESRP domain, follow these steps: 1 Set the failover priority, using the following command: configure esrp <esrpDomain> add track-environment failover <priority> 2 Assign the priority flag precedence over the active ports count, using the following command: configure esrp <esrpDomain>...
Page 471
Advanced ESRP Features configure esrp <esrpDomain> add track-ping <ipaddress> frequency <seconds> miss <misses> To disable ping tracking, use the following command: configure esrp <esrpDomain> delete track-ping <ipaddress> Displaying Tracking Information You can view the status of ESRP tracking on a per domain basis. The information displayed includes the type of tracking used by the ESRP domain and how you configured the tracking option.
Extreme Standby Router Protocol configure esrp esrp1 add track-iproute 10.10.10.0/24 The route specified in this command must exist in the IP routing table. When the route is no longer available, the switch implements an ESRP failover to the slave switch. To configure ping tracking, use the following command: configure esrp esrp1 add track-ping 10.10.10.121 frequency 2 miss 2 The specified IP address is tracked.
Advanced ESRP Features Figure 51: ESRP host attach (figure labels: OSPF/BGP-4) ESRP VLANs that share ESRP HA ports must be members of different ESRP groups. Each port can have a maximum of seven VLANs. If you use load sharing with the ESRP HA feature, configure the load-sharing group first and then enable HA on the group.
Extreme Standby Router Protocol changes due to frequent client activities like rebooting and unplugging laptops. This port is known as a don’t-count port. To configure the port weight on either a host attach port or a normal port, use the following command: configure esrp ports <ports>...
Displaying ESRP Information Displaying ESRP Information To view ESRP information, use the following command: show esrp Output from this command includes:
● The operational state of an ESRP domain and the state of its neighbor
● ESRP port configurations
To view more detailed information about an ESRP domain, use the following command and specify the domain name: show esrp {<name>} Output from this command includes:...
Extreme Standby Router Protocol Using ELRP with ESRP to Recover Loops ELRP sends loop-detect packets to notify ESRP about loops in the network. In an ESRP environment, when the current master goes down, one of the slaves becomes the master and continues to forward Layer 2 and Layer 3 traffic for the ESRP domain.
Using ELRP with ESRP To disable the use of ELRP by ESRP in the pre-master state, use the following command: configure esrp <esrpDomain> elrp-premaster-poll disable Configuring Master Polling If you enable the use of ELRP by ESRP in the master state, ESRP requests that ELRP packets are periodically sent to ensure that there is no loop in the network while ESRP is in the master state.
The example shown in Figure 53 uses a number of Extreme Networks devices as edge switches that perform Layer 2 switching for ESRP domain esrp1 and VLAN Sales. The edge switches are dual-homed to the BlackDiamond 10K switches. The BlackDiamond 10K switches perform Layer 2 switching between the edge switches and Layer 3 routing to the outside world.
ESRP Examples Figure 53: Single ESRP domain using Layer 2 and Layer 3 redundancy (figure labels: OSPF or RIP; Domain - esrp1, VLAN - Sales (master); Domain - esrp1, VLAN - Sales (standby)) The BlackDiamond 10K switch, acting as master for ESRP domain esrp1, performs both Layer 2 switching and Layer 3 routing services for VLAN Sales.
Page 480
Extreme Standby Router Protocol NOTE If your network has switches running ExtremeWare and ExtremeWare XOS participating in ESRP, Extreme Networks recommends that the ExtremeWare XOS switches operate in ESRP standard mode. To change the mode of operation, use the command.
Page 481
ESRP Examples Multiple Domains Using Layer 2 and Layer 3 Redundancy The example shown in Figure 54 illustrates an ESRP configuration that has multiple domains using Layer 2 and Layer 3 redundancy. Figure 54: Multiple ESRP domains using Layer 2 and Layer 3 redundancy (figure labels: OSPF or RIP; Sales master, ...)
Extreme Standby Router Protocol Configuration commands for the first BlackDiamond 10K switch are as follows:
create vlan sales
configure vlan sales tag 10
configure vlan sales add ports 1:1-1:2
configure vlan sales add ports 1:3 tagged
configure vlan sales ipaddress 10.1.2.3/24
create vlan engineering
configure vlan engineering tag 20
configure vlan engineering add ports 1:4...
Page 483
ESRP Cautions ESRP Cautions This section describes important details to be aware of when configuring ESRP. Configuring ESRP and IP Multinetting When configuring ESRP and IP multinetting on the same switch, the same set of IP addresses must be configured for all involved VLANs. ESRP and STP A switch running ESRP should not simultaneously participate in STP for the same VLAN(s).
Virtual Router Redundancy Protocol This chapter covers the following topics:
● Overview on page 485
● Determining the VRRP Master on page 485
● Additional VRRP Highlights on page 488
● VRRP Operation on page 489
● VRRP Configuration Parameters on page 491
...
Virtual Router Redundancy Protocol VRRP Tracking Tracking information is used to track various forms of connectivity from the VRRP router to the outside world. ExtremeWare XOS supports the use of the following VRRP tracking options:
● VRRP VLAN Tracking
● VRRP Route Table Tracking
...
Page 487
Layer 2 switch between it and another VRRP node. In cases where a Layer 2 switch is used to connect VRRP nodes, Extreme Networks recommends that those nodes have priorities of less than 255. ExtremeWare XOS 11.3 Concepts Guide...
Virtual Router Redundancy Protocol Electing the Master Router VRRP uses an election algorithm to dynamically assign responsibility for the master router to one of the VRRP routers on the network. A VRRP router is elected master if the router has the highest priority (the range is 1 to 254;...
VRRP Operation
● VRRP and the Spanning Tree Protocol (STP) can be simultaneously enabled on the same switch.
● Extreme Networks does not recommend simultaneously enabling VRRP and ESRP on the same switch.
VRRP Operation This section describes two VRRP network configurations:
● A simple VRRP network
...
Virtual Router Redundancy Protocol physical interface. Each physical interface on each backup router must have a unique IP address. The virtual router IP address is also used as the default gateway address for each host on the network. If the master router fails, the backup router assumes forwarding responsibility for traffic addressed to the virtual router MAC address.
VRRP Configuration Parameters VRRP Configuration Parameters Table 64 lists the parameters that you configure on a VRRP router. Table 64: VRRP configuration parameters
Parameter | Description
vrid | This is the virtual router identifier and is a configured item in the range of 1 to 255. This parameter has no default value.
priority | This is the priority value to be used by this VRRP router in the master election process.
Virtual Router Redundancy Protocol VRRP Examples This section provides the configuration syntax for the two VRRP networks discussed in this chapter. Configuring the Simple VRRP Network Figure 58 shows the simple VRRP network described in the “Simple VRRP Network Configuration” section. Figure 58: Simple VRRP network (figure labels: Switch A, Switch B ...)
VRRP Examples Configuring the Fully Redundant VRRP Network Figure 59 shows the fully redundant VRRP network configuration described in the “Fully Redundant VRRP Network” section. Figure 59: Fully redundant VRRP configuration (figure labels: Switch A: Master for virtual IP 192.168.1.3, Master VRID = 1; Switch B: Master for virtual IP 192.168.1.5, Master VRID = 2 ...)
Virtual Router Redundancy Protocol VRRP Cautions This section describes important details to be aware of when configuring VRRP. Assigning Multiple Virtual IP Addresses It is possible to assign multiple virtual IP addresses to the same VRID for a VRRP VR. In this case, you must meet the following conditions: Multiple virtual IP addresses must be on the same subnet.
IPv4 Unicast Routing This chapter describes the following IPv4 topics:
● Overview of IPv4 Unicast Routing on page 495
● Proxy ARP on page 499
● Relative Route Priorities on page 498
● Configuring IPv4 Unicast Routing on page 500
● Verifying the IPv4 Unicast Routing Configuration on page 501
...
IPv4 Unicast Routing Router Interfaces The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a virtual LAN (VLAN) that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs.
Overview of IPv4 Unicast Routing
● Statically, by way of routes entered by the administrator:
■ Default routes, configured by the administrator
■ Locally, by way of interface addresses assigned to the system
■ By other static routes, as configured by the administrator
...
IPv4 Unicast Routing
● Dynamic routes
● Directly attached network interfaces that are not active.
NOTE If you define multiple default routes, the route that has the lowest metric is used. If multiple default routes have the same lowest metric, the system picks one of the routes. You can also configure blackhole routes—traffic to these destinations is silently dropped.
Proxy ARP IP Route Sharing IP route sharing allows multiple equal-cost routes to be used concurrently. IP route sharing can be used with static routes or with OSPF routes. In OSPF, this capability is referred to as equal cost multipath (ECMP) routing.
IPv4 Unicast Routing Proxy ARP Between Subnets In some networks, it is desirable to configure the IP host with a wider subnet than the actual subnet mask of the segment. You can use proxy ARP so that the router answers ARP requests for devices outside of the subnet.
Verifying the IPv4 Unicast Routing Configuration Verifying the IPv4 Unicast Routing Configuration Use the show iproute command to display the current configuration of IP unicast routing for the switch and for each VLAN. The show iproute command displays the currently configured routes and includes how each route was learned.
Page 502
IPv4 Unicast Routing Figure 61: Unicast routing configuration example (figure labels: 192.207.35.1, 192.207.36.1, MyCompany, 192.207.35.0, 192.207.36.0, Finance, Personnel, IP traffic, NetBIOS traffic) The stations connected to the system generate a combination of IP traffic and NetBIOS traffic. The IP traffic is filtered by the protocol-sensitive VLANs.
Multinetting can be a critical element in a transition strategy, allowing a legacy assignment of IP addresses to coexist with newly configured hosts. However, because of the additional constraints introduced in troubleshooting and bandwidth, Extreme Networks recommends that you use multinetting as a transitional tactic only, and not as a long-term network design strategy.
IPv4 Unicast Routing Figure 62: Multinetted Network Topology (figure labels: Transit network, VLAN multi, Primary subnet, Secondary subnet-1, Secondary subnet-2, Host, BD10K) Figure 62 shows a multinetted VLAN named multi. VLAN multi has three IP subnets so three IP addresses have been configured for the VLAN. One of the subnets is the primary subnet and can be connected to any transit network (for example, the Internet).
Page 505
IPv4 Multinetting Route Manager The Route Manager will install a route corresponding to each of the secondary interfaces. The route origin will be direct, will be treated as a regular IP route, and can be used for IP data traffic forwarding. These routes can also be redistributed into the various routing protocol domains if you configure route redistribution.
Page 506
IPv4 Unicast Routing RIP. This section describes the behavior of the Routing Information Protocol (RIP) in an IP multinetting environment:
● RIP does not send any routing information update on the secondary interfaces. However, RIP will advertise networks corresponding to secondary interfaces in its routing information packet to the primary interface.
Page 507
IPv4 Multinetting
● PIM also accepts membership information from hosts on secondary subnets.
EAPS, ESRP, and STP Control protocols like Ethernet Automatic Protection Switching (EAPS), Extreme Standby Router Protocol (ESRP), and the Spanning Tree Protocol (STP) treat the VLAN as an interface. If the protocol control packets are exchanged as Layer 3 packets, then the source address in the packet is validated against the IP networks configured on that interface.
IPv4 Unicast Routing To provide VRRP protection to such a VLAN, you must configure one of the following:
● Configure VRRP in VLAN v1 with two VRRP VRIDs. One VRID will have the virtual IP address 10.0.0.1/24, and the other VRID will have the virtual IP address 20.0.0.1/24. The other VRRP router, the one configured to act as backup, should be configured similarly.
Configuring DHCP/BOOTP Relay IP Multinetting Examples The following example configures a switch to have one multinetted segment (port 5:5) that contains three subnets (192.168.34.0/24, 192.168.35.0/24, and 192.168.37.0/24).
configure default delete port 5:5
create vlan multinet
configure multinet ipaddress 192.168.34.1/24
configure multinet add secondary-ipaddress 192.168.35.1/24
configure multinet add secondary-ipaddress 192.168.37.1/24
configure multinet add port 5:5
enable ipforwarding...
IPv4 Unicast Routing Configuring the DHCP Relay Agent Option (Option 82) After configuring and enabling the DHCP/BOOTP relay feature, you can enable the DHCP relay agent option feature. This feature inserts a piece of information, called option 82, into any DHCP request packet that is to be relayed by the switch.
UDP Forwarding This command displays the configuration of the BOOTP relay service and the addresses that are currently configured. UDP Forwarding UDP Forwarding is a flexible and generalized routing utility for handling the directed forwarding of broadcast UDP packets. UDP forwarding enables you to configure your switch so that inbound broadcast UDP packets on a VLAN are forwarded to a particular destination IP address or VLAN.
Page 512
IPv4 Unicast Routing For example, if the following policy file is used as a UDP forwarding profile, any packets destined for UDP port 67 will be sent to IP address 20.0.0.5 AND flooded to VLAN to7: entry one { if match all { destination-port 67 ;...
UDP Forwarding UDP Echo Server You can use UDP echo packets to measure the transit time for data between the transmitting and receiving end. To enable UDP echo server support, use the following command: enable udp-echo-server {vr <vrid>}{udp-port <port>} To disable UDP echo server support, use the following command: disable udp-echo-server {vr <vrid>}
Page 514
IPv6 Unicast Routing This chapter describes the following topics:
● Overview of IPv6 Unicast Routing on page 515
● Router Interfaces on page 516
● Specifying IPv6 Addresses on page 516
● Neighbor Discovery Protocol on page 518
...
IPv6 Unicast Routing Router Interfaces The routing software and hardware routes IPv6 traffic between router interfaces. A router interface is either a virtual LAN (VLAN) that has an IP address assigned to it, or, new for IPv6, a layer 3 tunnel. As you create VLANs and tunnels with IPv6 addresses, you can also choose to route (forward traffic) between them.
Page 517
Overview of IPv6 Unicast Routing Leading zeros in a four-digit group can be omitted. There is a special use of a double colon (::) in an address. The double colon stands for one or more groups of 16 bits of zeros and can only be used once in an address.
IPv6 Unicast Routing Scoped addresses also appear in the outputs of display commands. IPv6 Addresses Used in Examples For the purposes of documentation, we follow RFC 3849, which indicates that the prefix 2001:db8::/32 can be used as a global unicast address prefix and will not be assigned to any end party. Neighbor Discovery Protocol The Neighbor Discovery Protocol, as defined in RFC 2461, defines mechanisms for the following functions:...
Overview of IPv6 Unicast Routing The following settings can be configured on an interface to manage router advertisements:
● Settings to control the sending of router advertisements over the interface periodically and to control responding to router solicitations.
● The maximum time between sending unsolicited router advertisements
...
Page 520
IPv6 Unicast Routing NOTE If you define a default route and subsequently delete the VLAN on the subnet associated with the default route, the invalid default route entry remains. You must manually delete the configured default route. Dynamic Routes Dynamic routes are typically learned by way of RIPng or OSPFv3. Routers that use RIPng or OSPFv3 exchange information in their routing tables in the form of advertisements.
Page 521
Overview of IPv6 Unicast Routing NOTE If you define multiple default routes, the route that has the lowest metric is used. If multiple default routes have the same lowest metric, the system picks one of the routes. You can also configure blackhole routes—traffic to these destinations is silently dropped. The criteria for choosing from multiple routes with the longest matching network mask is set by choosing the relative route priorities.
IPv6 Unicast Routing Configuring IP Unicast Routing This section describes the commands associated with configuring IP unicast routing on the switch. To configure routing: 1 Create and configure two or more VLANs. 2 Assign each VLAN that will be using routing an IP address using the following command: configure vlan <vlan_name>...
Page 523
Routing Configuration Example
■ IP address 2001:db8:36::1/48
● MyCompany
■ Port-based VLAN.
■ All ports on slots 1 through 4 have been assigned.
Figure 63: IPv6 Unicast routing configuration example (figure labels: 2001:db8:35::1/48, 2001:db8:36::1/48, MyCompany, 2001:db8:35::/48, 2001:db8:36::/48, Finance, Personnel, IPv6 = IPv6 traffic, NetBIOS ...)
Tunnel Configuration Examples 6in4 Tunnel Configuration Example Figure 64 illustrates a 6in4 tunnel configured between two IPv6 regions across an IPv4 region. Figure 64: 6in4 Tunnel Example (figure labels: Host A, Router A, 2001:db8:1::101/64, 2001:db8:1::1/64, 2001:db8:a::1/64, IPv6, 192.168.1.1/24, IPv4, Router B, IPv6, 2001:db8:a::2/64, 10.2.0.1/24, 2001:db8:2::1/64 ...)
Tunnel Configuration Examples 6to4 Tunnel Configuration Example Figure 65 illustrates a 6to4 tunnel configured between two IPv6 regions across an IPv4 region. Figure 65: 6to4 Tunnel Configuration Example (figure labels: Host 1, Router 1, 2002:c0a8:101::204:96ff:fe1f:a52a/48, 2002:c0a8:101::2/48, 2002:c0a8:101::1/16, IPv6, 192.168.1.1/24, IPv4, Router 2, IPv6, 2002:a00:1::1/16, Host 2 ...)
Page 528
IPv6 Unicast Routing In this example, we assume that the IPv4 network can route from Router 1 to Router 2 (in other words, some IPv4 routing protocol is running on the public-ipv4 interfaces). However, you do not need to enable IPv4 forwarding on the public interfaces in this example unless you are also routing IPv4 traffic on them (in this example, it is assumed you are running no IPv4 traffic inside your respective IPv6 networks, although you could).
Page 529
Tunnel Configuration Examples Host 2:
● MAC address—00:04:96:1F:A4:32
● IP address—2002:0a00:0001:0001:0204:96ff:fe1f:a432/64
● Static route—destination 2002::/16, gateway 2002:0a00:0001:0001::1
Host 3:
● MAC address—00:01:30:00:C2:00
● IP address—2002:0a00:0001:0002:0201:30ff:fe00:c200/64
● Static route—destination 2002::/16, gateway 2002:0a00:0001:0002::1
Page 530
This chapter describes the following topics:
● Overview on page 531
● Overview of RIP on page 532
● Route Redistribution on page 533
● RIP Configuration Example on page 535
This chapter assumes that you are already familiar with IP unicast routing. If not, refer to the following publications for additional information:
● RFC 1058—Routing Information Protocol (RIP)
...
Advantages of RIP and OSPF The biggest advantage of using RIP is that it is relatively simple to understand and to implement, and it has been the de facto routing standard for many years. RIP has a number of limitations that can cause problems in large networks, including the following: A limit of 15 hops between the source and destination networks.
Route Redistribution Split Horizon Split horizon is a scheme for avoiding problems caused by including routes in updates sent to the router from which the route was learned. Split horizon omits routes learned from a neighbor in updates sent to that neighbor. Poison Reverse Like split horizon, poison reverse is a scheme for eliminating the possibility of loops in the routed topology.
Figure 66: Route redistribution (figure labels: OSPF AS, Backbone Area 0.0.0.0, Area 121.2.3.4, ASBR, ASBR, RIP AS) Configuring Route Redistribution Exporting routes from one protocol to another and from that protocol to the first one are discrete configuration functions. For example, to run OSPF and RIP simultaneously, you must first configure both protocols and then verify the independent operation of each.
RIP Configuration Example These commands enable or disable the exporting of static, direct, and OSPF-learned routes into the RIP domain. You can choose which types of OSPF routes are injected, or you can simply choose ospf, which will inject all learned OSPF routes regardless of type. The default setting is disabled. RIP Configuration Example Figure 67 illustrates a BlackDiamond switch that has three VLANs defined as follows:...
Page 536
Figure 67: RIP configuration example (figure labels: 192.207.35.1, 192.207.36.1, MyCompany, 192.207.35.0, 192.207.36.0, Finance, Personnel, IP traffic, NetBIOS traffic) The stations connected to the system generate a combination of IP traffic and NetBIOS traffic. The IP traffic is filtered by the protocol-sensitive VLANs.
Page 537
RIP Configuration Example
enable ipforwarding
configure rip add vlan all
enable rip
RIPng This chapter describes the following topics:
● Overview on page 539
● Overview of RIPng on page 540
● Route Redistribution on page 541
● RIPng Configuration Example on page 542
This chapter assumes that you are already familiar with IP unicast routing. If not, refer to the following publications for additional information:
● RFC 2080—RIPng for IPv6
...
RIPng Advantages of RIPng and OSPFv3 The biggest advantage of using RIPng is that it is relatively simple to understand and to implement, and it has been the de facto routing standard for many years. RIPng has a number of limitations that can cause problems in large networks, including the following: A limit of 15 hops between the source and destination networks.
Route Redistribution Split Horizon Split horizon is a scheme for avoiding problems caused by including routes in updates sent to the router from which the route was learned. Split horizon omits routes learned from a neighbor in updates sent to that neighbor. Poison Reverse Like split horizon, poison reverse is a scheme for eliminating the possibility of loops in the routed topology.
RIPng disable ripng export [direct | ospfv3 | ospfv3-extern1 | ospfv3-extern2 | ospfv3-inter | ospfv3-intra | static] These commands enable or disable the exporting of static, direct, and OSPF-learned routes into the RIPng domain. You can choose which types of OSPF routes are injected, or you can simply choose ospf, which will inject all learned OSPF routes regardless of type.
OSPF This chapter covers the following topics:
● Overview of OSPF on page 543
● Route Redistribution on page 550
● Configuring OSPF on page 551
● OSPF Configuration Example on page 553
● Displaying OSPF Settings on page 555
This chapter assumes that you are already familiar with IP unicast routing.
OSPF OSPF Edge Mode OSPF Edge Mode is a subset of OSPF available on platforms with an Advanced Edge license. There are two restrictions on OSPF Edge Mode:
● At most, two Active OSPF VLAN interfaces are permitted. There is no restriction on the number of...
To re-enable opaque LSAs across the entire system, use the following command: enable ospf capability opaque-lsa If your network uses opaque LSAs, Extreme Networks recommends that all routers on your OSPF network support opaque LSAs. Routers that do not support opaque LSAs do not store or flood them. At a minimum, a well-interconnected subsection of your OSPF network must support opaque LSAs to maintain reliability of their transmission.
OSPF Planned and Unplanned Restarts Two types of graceful restarts are defined: planned and unplanned. A planned restart would occur if the software module for OSPF was upgraded, or if the router operator decided to restart the OSPF control function for some reason. The router has advance warning, and is able to inform its neighbors in advance that OSPF is restarting.
Page 547
Overview of OSPF Backbone Area (Area 0.0.0.0) Any OSPF network that contains more than one area is required to have an area configured as area 0.0.0.0, also called the backbone. All areas in an AS must be connected to the backbone. When designing networks, you should start with area 0.0.0.0 and then expand into other areas.
OSPF option should not be used on NSSA internal routers. Doing so inhibits correct operation of the election algorithm. Normal Area A normal area is an area that is not:
● Area 0
● Stub area
● NSSA
Virtual links can be configured through normal areas. External routes can be distributed into normal areas.
Overview of OSPF Figure 69: Virtual link providing redundancy (figure labels: Virtual link, Area 2, ABR 1, ABR 2, Area 1, Area 3, Area 0) Point-to-Point Support You can manually configure the OSPF link type for a VLAN. Table 68 describes the link types. Table 68: OSPF link types Link Type Number of Routers...
OSPF Route Redistribution More than one routing protocol can be enabled simultaneously on the switch. Route redistribution allows the switch to exchange routes, including static routes, between the routing protocols. Figure 70 is an example of route redistribution between an OSPF AS and a RIP AS. Figure 70: Route redistribution (figure labels: OSPF AS, Backbone Area ...)
<hello-interval> <dead-interval> {<wait-timer-interval>} Configuring OSPF Each switch that is configured to run OSPF must have a unique router ID. Extreme Networks recommends that you manually set the router ID of the switches participating in OSPF, instead of having the switch automatically choose its router ID based on the highest interface IP address. Not performing this configuration in larger, dynamic environments could result in an older LSDB remaining in use.
OSPF
configure ospf area <area-identifier> timer <retransmit-interval> <transit-delay> <hello-interval> <dead-interval> {<wait-timer-interval>}
configure ospf virtual-link <router-identifier> <area-identifier> timer <retransmit-interval> <transit-delay> <hello-interval> <dead-interval>
configure ospf vlan [<vlan-name> | all] timer <retransmit-interval> <transit-delay> <hello-interval> <dead-interval> {<wait-timer-interval>}
OSPF Wait Interval Parameters You can configure the following parameters:
● Retransmit interval—The length of time that the router waits before retransmitting an LSA that is not...
OSPF Configuration Example OSPF Configuration Example Figure 71 is an example of an autonomous system using OSPF routers. The details of this network follow. Figure 71: OSPF configuration example (figure labels: Area 0, IR 2, IR 1, 10.0.1.1, 10.0.1.2, 10.0.3.2, 10.0.2.2, Headquarters, ABR 2, ABR 1, 10.0.3.1 ...)
OSPF Area 6 is a stub area connected to the backbone by way of ABR1. It is located in Los Angeles and has the following characteristics:
● Network number 161.48.x.x
● One identified VLAN (LA_161_48_2)
● Three internal routers
● Uses default routes for inter-area routing
...
Displaying OSPF Settings Displaying OSPF Settings You can use a number of commands to display settings for OSPF. To show global OSPF information, use the show ospf command with no options. To display information about one or all OSPF areas, use the following command: show ospf area {<area-identifier>} option displays information about all OSPF areas in a detail format.
Page 556
OSPFv3 This chapter covers the following topics:
● Overview of OSPFv3 on page 557
● Route Redistribution on page 561
Overview of OSPFv3 Open Shortest Path First (OSPF) is a link state protocol that distributes routing information between routers belonging to a single IP domain; the IP domain is also known as an autonomous system (AS). In a link-state routing protocol, each router maintains a database describing the topology of the AS.
OSPFv3 Table 69: Selected OSPFv3 LSA types (Continued)
Type Number | Description
0x2002 | Network LSA
0x2003 | Inter-Area-Prefix LSA
0x2004 | Inter-Area-Router LSA
0x2009 | Intra-Area-Prefix LSA
0x4005 | AS external LSA
Areas OSPFv3 allows parts of a network to be grouped together into areas. The topology within an area is hidden from the rest of the AS.
Page 559
Overview of OSPFv3 Stub Areas OSPFv3 allows certain areas to be configured as stub areas. A stub area is connected to only one other area. The area that connects to a stub area can be the backbone area. External route information is not distributed into stub areas.
OSPFv3 Figure 72: Virtual link using area 1 as a transit area (figure labels: Virtual link, Area 2, Area 1, Area 0) Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 73, if the connection between ABR1 and the backbone fails, the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the backbone using the virtual link.
Route Redistribution Table 70: OSPFv3 link types (Continued)
Link Type | Number of Routers | Description
Broadcast | | Routers must elect a designated router (DR) and a backup designated router (BDR) during synchronization. Ethernet is an example of a broadcast link.
Passive | | A passive link does not send or receive OSPFv3 packets.
NOTE The number of routers in an OSPFv3 point-to-point link is determined per VLAN, not per link.
OSPFv3 Figure 74: Route redistribution (figure showing an OSPF AS with Backbone Area 0.0.0.0 and Area 121.2.3.4, two ASBRs, and a RIP AS) Configuring Route Redistribution Exporting routes from one protocol to another and from that protocol to the first one are discrete configuration functions. For example, to run OSPFv3 and RIPng simultaneously, you must first configure both protocols and then verify the independent operation of each.
OSPFv3 Configuration Example The cost metric is inserted for all RIPng, static, and direct routes injected into OSPFv3. If the cost metric is set to 0, the cost is inserted from the route. The tag value is used only by special routing applications. Use 0 if you do not have specific requirements for using a tag.
In Figure 75 there are three Extreme Networks switches running ExtremeWare XOS images that have support for OSPFv3. Router 1 is an area border router and is connected to two other switches, Router 2 and Router 3. Router 1 runs OSPFv3 on both the links connecting it to Router 2 and Router 3.
Border Gateway Protocol This chapter covers the following topics: ● Overview on page 568 ● BGP Attributes on page 568 ● BGP Communities on page 568 ● BGP Features on page 569 This chapter describes how to configure the Border Gateway Protocol (BGP), an exterior routing protocol available on the switch.
Border Gateway Protocol Overview BGP is an exterior routing protocol that was developed for use in TCP/IP networks. The primary function of BGP is to allow different autonomous systems (ASs) to exchange network reachability information. An AS is a set of routers that are under a single technical administration. This set of routers uses a different routing protocol, for example Open Shortest Path First (OSPF), for intra-AS routing.
BGP Features This section describes the following BGP features supported by ExtremeWare XOS: ● Route Reflectors on page 569 ● Route Confederations on page 571 ● Route Aggregation on page 574 ● Using the Loopback Interface on page 574 ...
Page 570
Border Gateway Protocol received from the client 3.3.3.3 by the router 2.2.2.2 are reflected to 4.4.4.4 and vice-versa. Routes received from 1.1.1.1 are reflected to all clients. To configure router 1.1.1.1, use the following commands:
create vlan to_rr
configure vlan to_rr add port 1:1
configure vlan to_rr ipaddress 10.0.0.1/24
enable ipforwarding vlan to_rr
configure bgp router 1.1.1.1...
BGP Features
configure vlan to_rr add port 1:1
configure vlan to_rr ipaddress 30.0.0.1/24
enable ipforwarding vlan to_rr
configure bgp router 4.4.4.4
configure bgp as-number 100
create bgp neighbor 30.0.0.2 remote-as 100
enable bgp neighbor all
enable bgp
Route Confederations BGP requires networks to use a fully meshed router configuration. This requirement does not scale well, especially when BGP is used as an IGP.
Page 572
Border Gateway Protocol To configure router A, use the following commands:
create vlan ab
configure vlan ab add port 1
configure vlan ab ipaddress 192.1.1.6/30
enable ipforwarding vlan ab
configure ospf add vlan ab area 0.0.0.0
create vlan ac
configure vlan ac add port 2
configure vlan ac ipaddress 192.1.1.17/30
enable ipforwarding vlan ac
configure ospf add vlan ac area 0.0.0.0...
Page 573
BGP Features To configure router C, use the following commands:
create vlan ca
configure vlan ca add port 1
configure vlan ca ipaddress 192.1.1.18/30
enable ipforwarding vlan ca
configure ospf add vlan ca area 0.0.0.0
create vlan cb
configure vlan cb add port 2
configure vlan cb ipaddress 192.1.1.21/30
enable ipforwarding vlan cb
configure ospf add vlan cb area 0.0.0.0...
Border Gateway Protocol
configure bgp as-number 65002
configure bgp routerid 192.1.1.13
configure bgp confederation-id 200
enable bgp
create bgp neighbor 192.1.1.14 remote-AS-number 65002
enable bgp neighbor 192.1.1.14
Route Aggregation Route aggregation is the process of combining the characteristics of several routes so that they are advertised as a single route.
BGP Features Changes made to the parameters of a peer group are applied to all neighbors in the peer group. Modifying the following parameters will automatically disable and enable the neighbors before changes take effect: ● remote-as ● timer ● source-interface ...
Page 576
Border Gateway Protocol penalty of 1000 and moves it to a “history” state in which the penalty value is monitored. The router continues to advertise the status of the route to neighbors. The penalties are cumulative. When the route flaps so often that the penalty exceeds a configurable suppress limit, the router stops advertising the route to network 172.25.0.0, regardless of how many times it flaps.
BGP Features To view the configured values of the route flap dampening parameters for a BGP peer group, use the following command: show bgp peer-group {detail | <peer-group-name> {detail}} To display the dampened routes, use the following command: show bgp neighbor <remoteaddr> {address-family [ipv4-unicast | ipv4-multicast]} flap-statistics {detail} [all | as-path <path-expression>...
Border Gateway Protocol Exporting routes from OSPF to BGP and from BGP to OSPF are discrete configuration functions. To run OSPF and BGP simultaneously, you must first configure both protocols and then verify the independent operation of each. Then you can configure the routes to export from OSPF to BGP and the routes to export from BGP to OSPF.
IP Multicast Routing This chapter covers the following topics: ● Overview on page 579 ● Configuring IP Multicast Routing on page 583 ● Configuration Examples on page 583 For more information on IP multicasting, refer to the following publications: ● RFC 1112—Host Extension for IP Multicasting ...
Page 580
IP Multicast Routing Licensing To use the complete PIM functionality, you must have at least a Core license installed on your switch. The BlackDiamond 10K ships with a Core, or Advanced Core license. Other platforms can be upgraded to a Core license. See the section “Software Licensing”...
You can run either PIM-DM or PIM-SM per virtual LAN (VLAN). PIM Mode Interoperation An Extreme Networks switch can function as a PIM multicast border router (PMBR). A PMBR integrates PIM-SM and PIM-DM traffic. When forwarding PIM-DM traffic into a PIM-SM network, the PMBR acts as a virtual first hop and encapsulates the initial traffic to the RP.
IP Multicast Routing determine which ports want to remain in the multicast group. If other members of the VLAN want to remain in the multicast group, the router ignores the leave message, but the port that requests removal is removed from the IGMP snooping table. If the last port within a VLAN sends an IGMP leave message and the router does not receive any responses to the query, then the router immediately removes the VLAN from the multicast group.
Configuring IP Multicast Routing To display the IGMP snooping filters, use the following command: show igmp snooping {vlan} <name> filter Configuring IP Multicast Routing To configure IP multicast routing:
1 Configure the system for IP unicast routing.
2 Enable multicast routing on the interface using the following command: enable ipmcforwarding {vlan <name>}
3 Enable PIM on all IP multicast routing interfaces using the following command: configure pim add vlan [<vlan_name>...
IP Multicast Routing PIM-DM Configuration Example In Figure 78, the system labeled IR 1 is configured for IP multicast routing, using PIM-DM. Figure 78: IP multicast routing using PIM-DM configuration example (figure showing Area 0 with IR 1, IR 2, ABR 1, ABR 2, the Headquarters site and the links 10.0.1.1, 10.0.1.2, 10.0.2.2 and 10.0.3.2)...
IPv6 Multicast Routing This chapter covers the following topics: ● Overview on page 587 ● MLD Overview on page 587 ● MLD Snooping on page 587 ● Static MLD on page 588 Overview IPv6 multicast routing is a function that allows a single IPv6 host to send a packet to a group of IPv6 hosts.
Page 588
IPv6 Multicast Routing MLD snooping is enabled by default on the switch. If MLD snooping is disabled, all MLD and IP multicast traffic floods within a given VLAN. MLD snooping expects at least one device on every VLAN to periodically generate MLD query messages. When a port sends an MLD done message, the switch removes the MLD snooping entry after 1000 milliseconds (the leave time is configurable, ranging from 0 to 10000 ms).
Software Upgrade and Boot Options This appendix describes the following topics: ● Downloading a New Image on page 591 ● Understanding Hitless Upgrade—BlackDiamond 10K Switch Only on page 597 ● Saving Configuration Changes on page 601 ● Using TFTP to Upload the Configuration on page 603 ...
Software Upgrade and Boot Options You can identify the appropriate image or module for your platform based on the filename of the image. Table 71 lists the filename prefixes for each platform:
Table 71: Filename prefixes
Platform             Filename Prefixes
BlackDiamond 10K     bd10K-
BlackDiamond 8810    bd8800-...
For more information about installing the external compact flash memory card into the external compact flash slot of the MSM, please refer to the Extreme Networks Consolidated XOS Hardware Installation Guide.
Software Upgrade and Boot Options Enter to continue the installation and reboot the switch. Enter to cancel. If you install the image at a later time, the image is still downloaded and saved to the switch, but you must use the following command to install the software: install image <fname>...
Page 595
16, “Security.” Upgrading a Modular Software Package When Extreme Networks introduces a new core software image, a new modular software package is also available. If you have a software module installed and upgrade to a new core image, you need to upgrade to the corresponding modular software package.
Software Upgrade and Boot Options Method Two.
1 Download the software module from your TFTP server or external compact flash memory card using the following command: download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>}
2 Activate the installed modular package, if installed on the active partition, using the following command: run update...
Understanding Hitless Upgrade—BlackDiamond 10K Switch Only NOTE When you configure a timed reboot of the switch, use the show switch command to see the scheduled time. To reboot the switch immediately, use the following command: reboot If you do not specify a reboot time, the reboot occurs immediately following the command, and any previously scheduled reboots are cancelled.
Performing a Hitless Upgrade The steps described in this section assume the following: ● You have received the new software image from Extreme Networks, and the image is on either a TFTP server or an external compact flash memory card. See “Downloading a New Image”...
Page 599
Understanding Hitless Upgrade—BlackDiamond 10K Switch Only download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>} NOTE If the backup MSM is installed in slot B, specify msm B. If the backup MSM is installed in slot A, specify msm Before the download begins, the switch prompts you to install the image immediately after the download is finished.
Using the assumptions described below, the following examples perform a hitless upgrade for a core software image on the BlackDiamond 10K switch: ● You have received the new software image from Extreme Networks named bd10K-11.1.0.14.xos. ● You do not know your selected or booted partitions.
Saving Configuration Changes Performing a Hitless Upgrade on the Current Partition The following example shows the commands necessary to perform a hitless upgrade on the current partition. In this example, the primary partition is the current partition: NOTE If you download the image to the current partition, specifying the partition name is optional.
show switch
download image tftphost bd10K-11.1.0.14.xos primary msm B
run msm-failover...
Software Upgrade and Boot Options ● primary—Specifies the primary saved configuration ● secondary—Specifies the secondary saved configuration ● existing-config—Specifies an existing user-defined configuration (displays a list of available user-defined configuration files) ● —Specifies a new user-defined configuration ...
The uploaded configuration file retains your system configuration and is saved in Extensible Markup Language (XML) format. This allows you to send a copy of the configuration file to the Extreme Networks Technical Support department for problem-solving purposes. To view your current switch configuration, use the show configuration {<module-name>} command...
Software Upgrade and Boot Options ● —Gets the specified file from the TFTP server and copies it to the local host ● -r <remote_file>—Specifies the name of the configuration file that you want to retrieve from the TFTP server ● —Specifies the name of the configuration file on the switch ...
Interaction with the Bootloader is required only under special circumstances and should be done only under the direction of Extreme Networks Customer Support. The necessity of using these functions implies a nonstandard problem which requires the assistance of Extreme Networks Customer Support.
Upgrade the BootROM from a TFTP server on the network or an external compact flash memory card installed in the compact flash slot of the MSM, after the switch has booted. Upgrade the BootROM only when asked to do so by an Extreme Networks technical representative. To upgrade the BootROM, use the following command: download bootrom [[<ipaddress>...
Extreme Networks Technical Support personnel. Forcing a firmware upgrade may cause incompatibility issues between the firmware and the software installed on the MSM. During the firmware upgrade, do not cycle down or disrupt the power to the switch. If a power interruption occurs, the firmware may be corrupted and need to be recovered.
Page 608
Software Upgrade and Boot Options Power over Ethernet (PoE) firmware is always automatically upgraded or downgraded to match the operational ExtremeWare XOS code image. This configuration is not applicable to PoE firmware.
If you encounter problems when using the switch, this appendix may be helpful. If you have a problem not listed here or in the release notes, please contact Extreme Networks Technical Support. Troubleshooting Checklists The information in this section provides simple troubleshooting checklists for Layer 1, Layer 2, and Layer 3.
Troubleshooting ● That the port is enabled, the link status is active, and speed and duplex parameters match the port settings at the other end of the cable. Use the show ports configuration command to display the configuration of one or more ports. ● That the packets are being received and transmitted.
Page 611
Troubleshooting Checklists ● Which destination networks are in the routing table and the source of the routing entry. To display the contents of the routing table or the route origin priority, use one of the following commands: ■ show iproute—IPv4 environment ■ —IPv6 environment...
Troubleshooting Use the following commands to display OSPFv3 information: ■ show ospfv3—Displays global OSPFv3 information for the switch ■ show ospfv3 area—Displays information related to OSPFv3 areas ■ show ospfv3 interfaces—Displays detailed information about OSPFv3 interfaces ● Your Routing Information Protocol (RIP) configuration, including RIP poison reverse, split horizon, ...
Page 613
If you continue to see “critical” software errors or the ERR LED is still amber after issuing the clear log static command and a switch reboot, contact Extreme Networks Technical Support for further assistance. Status LED on the I/O module turns amber: Check the syslog message for a related I/O module error.
Troubleshooting Switch does not power up: All products manufactured by Extreme Networks use digital power supplies with surge protection. In the event of a power surge, the protection circuits shut down the power supply. To reset the power, unplug the switch for 1 minute, plug it back in, and attempt to power-up the switch.
Page 615
Using the Command Line Interface ● The community strings configured for the system and Network Manager are the same. ● The SNMPv3 USM, Auth, and VACM configured for the system and Network Manager are the same. The Telnet workstation cannot access the device: Check that: ● The device IP address, subnet mask, and default router are correctly configured, and that the device ...
Troubleshooting Alternatively, another user having administrator access level can log in and initialize the device. This will return all configuration information (including passwords) to the initial values. In the case where no one knows a password for an administrator level user, contact your supplier. MSM Prompt—Modular Switches Only You do not know which MSM you are connected to: If you use a console connection to access and configure the switch, you should connect to the console...
[10 | 100 | 1000 | 10000] duplex [half | full] Extreme Networks switch to devices that do not support autonegotiation. By default, the Extreme Networks switch has autonegotiation set to On for Gigabit ports and set to Off for 10 Gigabit ports.
Troubleshooting You verify the VLAN configuration using the following command: show vlan {detail | <vlan_name> {stpd}} The solution for this error using this example is to remove ports 1 and 2 from the VLAN currently using untagged traffic on those ports. If this were the “default” VLAN, the command would be: localhost:23 # configure vlan default delete ports 1:1,1:2 You can now re-enter the previous command without error: localhost:26 # configure vlan marketing add ports 1:1,1:2...
Using the Command Line Interface NOTE This restriction is only enforced in an active STPD and when you enable STP to make sure you have a legal STP configuration. Only one carrier VLAN can exist in an STPD: Only one carrier VLAN can exist in a given STPD although some of the ports on the carrier VLAN can be outside the control of any STPD at the same time.
Troubleshooting VRRP You cannot define VRRP virtual router parameters: Before configuring any virtual router parameters for VRRP, you must first create the VRRP instance on the switch. If you define VRRP parameters before creating the VRRP, you may see an error similar to the following: Error: VRRP VR for vlan vrrp1, vrid 1 does not exist.
Troubleshooting These commands start one-time, non-periodic ELRP packet transmission on the specified ports of the VLAN using the specified count and interval. If any of these transmitted packets is returned, indicating loopback detection, the ELRP client can perform a configured action such as logging a message in the system log file or printing a log message to the console.
Using the Rescue Software Image—Modular Switches Only rescue software image, you must be running ExtremeWare XOS 11.1 or later. Earlier versions of ExtremeWare XOS do not support the rescue software image. Beginning with ExtremeWare XOS 11.3, the BlackDiamond 8800 family of switches supports loading the rescue image to the external compact flash memory card installed in the MSM.
Use a PC with appropriate hardware such as a compact flash reader/writer and follow the manufacturer’s instructions to access the compact flash card and place the image onto the card. Before you remove or install any hardware, review the Extreme Networks Consolidated XOS Hardware Installation Guide for correct handling instructions.
Options.” If you are unable to recover the switch with the rescue image, or the switch does not reboot, please contact Extreme Networks Technical Support. Debug Mode The Event Management System (EMS) provides a standard way to filter and store messages generated by the switch. With EMS, you must enable debug mode to display debug information.
The core dump file contains a snapshot of the process when the error occurred. NOTE Use the commands described in this section only under the guidance of Extreme Networks Technical Support personnel to troubleshoot the switch. This section describes the following topics: ● Enabling the Switch to Send Debug Information on page 627 ...
Saving Debug Information to the Memory Card ● —Specifies that saving debug information to the external memory card is disabled. This is the default behavior. Copying Debug Information To save and copy debug information to the specified memory card, use the following command: save debug tracefiles Modular Switches Only—After the switch writes a core dump file or other debug information to the external memory card, and before you can view the contents on the card, you must ensure it is safe to...
Page 628
Troubleshooting Output from this command includes the file size, date and time the file was last modified, and the file name. Moving or Renaming Files To move or rename an existing configuration or policy file in the system, use the following command: mv {memorycard} <old-name>...
UNIX documentation. TFTP Server Requirements Extreme Networks recommends using a TFTP server that supports blocksize negotiation (as described in RFC 2348, TFTP Blocksize Option), to enable faster file downloads and larger file downloads. System Health Check—Modular Switches Only...
To configure the frequency of sending backplane diagnostic packets, use the following command: configure sys-health-check interval <interval> NOTE Extreme Networks does not recommend configuring an interval of less than the default interval. Doing so can cause excessive CPU utilization. System Odometer Each field replaceable component contains a system odometer counter in EEPROM.
System Odometer Monitored Components On a modular switch, the odometer monitors the following components: ● Chassis ● MSMs ● I/O modules ● Power controllers On the Summit X450 switch, the odometer monitors the following components: ● Switch ● XGN-2xn card Recorded Statistics The following odometer statistics are collected by the switch: Service Days—The number of days that the component has been running...
BootROM image. Finally, a corrupted compact flash can be recovered from either the Alternate or Default BootROM. For more information, please refer to the Extreme Networks Consolidated XOS Hardware Installation Guide.
Inserting Powered Devices in the PoE Module—BlackDiamond 8800 Family of Switches Only To reduce the chances of ports fluctuating between powered and non-powered states, newly inserted powered devices (PDs) are not powered when the actual delivered power for the module is within approximately 19 W of the configured inline power budget for that slot.
When the test is finished, the MSM reboots and runs the ExtremeWare XOS software. Contacting Extreme Networks Technical Support If you have a network issue that you are unable to resolve, contact Extreme Networks technical support. Extreme Networks maintains several Technical Assistance Centers (TACs) around the world to answer networking questions and resolve network problems.
CNA Agent The entire CNA software package consists of multiple parts. The Extreme Networks devices run only the CNA Agent. You must have the entire package; you cannot use the CNA Agent without the CNA software from Avaya. The user interface is a combination of a Java applet hosted from the CNA Server and a Command Line Interface (CLI).
CNA Agent software if the CNA Agent goes down or gets into a looped condition. Downloading the CNA Agent Software Module To use the CNA Agent functionality, you download the separate Extreme Networks software module (cna.xmod) following the instructions outlined in...
Configuring the CNA Agent The CNA Agent starts the specified test within 100 ms once it receives an authenticated and correctly formatted test request from the CNA Server. The CNA Agent sends the test results to the CNA Server within 100 ms of test completion. Configuring the CNA Agent To run the tests, configure the following: Enable the CNA Agent.
CNA Agent Configuring the Interface By default, the Extreme Networks device uses the default VLAN as the interface that the CNA Agent (test plug) uses to receive test requests, conduct the tests, and send the results to the CNA Server. (The default VLAN belongs to the default virtual router: VR-Default).
Adaptive Networking Software (ANS) runs on the CNA Server. Troubleshooting If the CNA Agent is not able to register with the CNA Server, check the following items: ● Ensure the time on the Extreme Networks device is set correctly. To display the time, issue the command.
Page 640
Supported Protocols, MIBs, and Standards This appendix provides a list of software standards and protocols supported by ExtremeWare XOS. This appendix includes the following topics: ● General Routing and Switching on page 641 ● Virtual LANS (VLANs) on page 642 ● Link Fault Signal (LFS) on page 642 ...
Page 642
Supported Protocols, MIBs, and Standards
Virtual LANS (VLANs): IEEE 802.1Q VLAN Tagging; IEEE 802.3ad Static Config; Virtual MANs; Multiple STP domains per VLAN; Port-based VLANs; Protocol-sensitive VLANs
Link Fault Signal (LFS): IEEE 802.3ae-2002
Quality of Service (QoS): IEEE 802.1D-1998 (802.1p) Packet Priority; RFC 2474 Definition of the Differentiated Services Field; RFC 2597 Assured Forwarding PHB Group; Bi-directional Rate Shaping...
Page 643
IP Multicast: RFC 2362 Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification; RFC 2236 Internet Group Management Protocol, Version 2; RFC 3376 Internet Group Management Protocol, Version 3; RFC 1112 Host extensions for IP multicasting; PIM-DM Draft IETF PIM Dense Mode v2-dm-03; PIM MIB draft-ietf-pim-mib-v2-01.txt; IGMP Snooping with Configurable Router Registration Forwarding
Management - SNMP &...
Page 644
Supported Protocols, MIBs, and Standards
Management - Other: RFC 854 Telnet Protocol Specification; Telnet client and server; Secure Shell 2 (SSH2) client and server; Secure Copy 2 (SCP2) client and server; BSD System Logging Protocol (SYSLOG), with Multiple Syslog Servers; Local Messages (criticals stored across reboots); RFC 2030 Simple Network Time Protocol (SNTP) Version 4 for IPv4 and OSI; Configuration logging...
MAC, IP addresses, IP type, or QoS queue. Once classified, the packets can be forwarded, counted, queued, or dropped. In Extreme Networks XOS software, you configure ACLs by creating a file, called a policy file (with a .pol file extension). The system parses the policy file and loads the ACL into the hardware.
Page 646
Glossary A (Continued) autobind In STP, autobind, when enabled, automatically adds or removes ports from the STPD. If ports are added to the carrier VLAN, the member ports of the VLAN are automatically added to the STPD. If ports are removed from the carrier VLAN, those ports are also removed from the STPD.
Page 647
B (Continued) blackhole In the Extreme Networks implementation, you can configure the switch so that traffic is silently dropped. Although this traffic appears as received, it does not appear as transmitted (because it is dropped). BOOTP Bootstrap Protocol. BOOTP is an Internet protocol used by a diskless...
Page 648
Avaya, allows the server to determine the best possible network path. The CNA Agent is a software piece of the entire CNA application that you install on Extreme Networks devices. You use the CNA Agent software only if you are using the Avaya CNA solution, and the CNA Agent cannot function unless you also obtain the rest of the CNA application from Avaya.
Page 649
LAN segment. Each LAN segment has only one designated port. Device Manager The Device Manager is an Extreme Networks-proprietary process that runs on every node and is responsible for monitoring and controlling all of the devices in the system. The Device Manager is useful for system redundancy.
Page 650
Equal Cost Multi Paths. In OSPF, this routing algorithm distributes network traffic across multiple high-bandwidth links to increase performance. The Extreme Networks OSPF implementation supports multiple equal cost paths between points and divides traffic evenly among the available paths. As many as four links may be involved in an ECMP link, and traffic is shared on the basis of IP source/destination address session.
Page 651
Layer 2 and routing services to users. ESRP-aware device This is an Extreme Networks device that is not running ESRP itself but that is connected on a network with other Extreme Networks switches that are running ESRP. These ESRP-aware devices also fail over.
Page 652
Glossary E (Continued) Ethernet This is the IEEE 802.3 networking standard that uses carrier sense multiple access with collision detection (CSMA/CD). An Ethernet device that wants to transmit first checks the channel for a carrier, and if no carrier is sensed within a period of time, the device transmits. If two devices transmit simultaneously, a collision occurs.
Page 653
In the Extreme Networks implementation on modular switches, hitless failover means that designated configurations survive a change of primacy between the two MSMs with all details intact. Thus, those features run seamlessly during and after control of the system changes from one MSM to another.
Page 654
Glossary I (Continued) IGMP snooping This provides a method for intelligently forwarding multicast packets within a Layer 2 broadcast domain. By “snooping” the IGMP registration information, the device forms a distribution list that determines which endstations receive packets with a specific multicast address.
Page 655
ExtremeWare XOS. license ExtremeWare XOS version 11.1 introduces a licensing feature to the ExtremeWare XOS software. You must have a license, which you obtain from Extreme Networks, to apply the full functionality of some features.
Page 656
Glossary L (Continued) link aggregation Link aggregation, also known as trunking or load sharing, conforms to IEEE 802.3ad. This feature is the grouping of multiple network links into one logical high-bandwidth link. link type In OSPF, there are four link types that you can configure: auto, broadcast, point-to-point, and passive.
Page 657
For out-of-profile traffic the metering function interacts with other components to either re-mark or drop the traffic for that flow. In the Extreme Networks implementation, you use ACLs to enforce metering. member VLAN In ESRP, you configure zero or more member VLANs for each ESRP domain.
Page 658
Glossary M (Continued) Master Switch Fabric Module. This Extreme Networks-proprietary name refers to the module that holds both the control plane and the switch fabric for switches that run the ExtremeWare XOS software on modular switches. One MSM is required for switch operation; adding an additional MSM increases reliability and throughput.
Page 659
NLRI prefix; the route attributes include a BGP next hop gateway address, community values, and other information. node In the Extreme Networks implementation, a node is a CPU that runs the management application on the switch. Each MSM on modular switches installed in the chassis is a node.
Page 660
Glossary O (Continued) OSI reference model The 7-layer standard model for network architecture is the basis for defining network protocol standards and the way that data passes through the network. Each layer specifies particular network functions; the highest layer is closest to the user, and the lowest layer is closest to the media carrying the information.
Page 661
POST Power On Self Test. On Extreme Networks switches, the POST runs upon powering up the device. If the MGMT LED is yellow after the POST completes, contact your supplier for advice.
Page 662
PVST+ Per VLAN Spanning Tree +. This implementation of STP has a 1:1 relationship with VLANs. The Extreme Networks implementation of PVST+ allows you to interoperate with third-party devices running this version of STP. PVST is an earlier version of this protocol and is compatible with PVST+.
Page 663
RSTP Rapid Spanning Tree Protocol. RSTP, described in IEEE 802.1w, is an enhanced version of STP that provides faster convergence. The Extreme Networks implementation of RSTP allows seamless interoperability with legacy STP. SA Source address. The SA is the IP or MAC address of the device issuing the packet.
Page 664
Glossary S (Continued) secondary port In EAPS, the secondary port is a port on the master node that is designated the secondary port to the ring. The transit node ignores the secondary port distinction as long as the node is configured as a transit node.
Page 665
With SSH commands, both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted. At Extreme Networks, SSH is a separate software module that must be downloaded separately. (SSH is bundled with SSL in the software module.) SSL Secure Sockets Layer.
Page 666
Glossary S (Continued) superloop In EAPS, a superloop occurs if the common link between two EAPS domains goes down and the master nodes of both domains enter the failed state, putting their respective secondary ports into the forwarding state. If a data VLAN spans both EAPS domains, this action forms a loop between the EAPS domains.
Page 667
The identity of the virtual router you are currently working in is displayed in the CLI prompt. The virtual routers discussed in relation to Extreme Networks switches themselves are not the same as the virtual router in VRRP.
Page 668
Glossary V (Continued) VoIP Voice over Internet Protocol is an Internet telephony technique. With VoIP, a voice transmission is cut into multiple packets, takes the most efficient path along the Internet, and is reassembled when it reaches the destination. VR-Control This virtual router is part of the embedded system in Extreme Networks BlackDiamond 10K switches.
Page 669
XENPAK Pluggable optics that contain a 10 Gigabit Ethernet module. The XENPAKs conform to the IEEE 802.3ae standard. ExtremeWare XOS 11.3 Concepts Guide...
Page 697
Index virtual router MAC address, 488, 489 VLAN tracking, 486, 487 VRRP virtual router identifier (VRID), 491 definitions, 352 definitions (table), 352 order of use, 353 VSA 203 example, 354 guidelines, 354 VSA 204 example, 355 guidelines, 354 VSA 205 example, 355 guidelines, 355 VSA 206...