Page 1 EPICenter Concepts and Solutions Guide Version 5.0 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.com Published: October, 2004 Part number: 100175-00 Rev. 01...
Page 2 Chassis, SummitLink, SummitGbX, SummitRPS and the Extreme Networks logo are trademarks of Extreme Networks, Inc., which may be registered or pending registration in certain jurisdictions. The Extreme Turbodrive logo is a service mark of Extreme Networks, which may be registered or pending registration in certain jurisdictions. Specifications are subject to change without notice.
Page 3: Table Of Contents
EPICenter Reports Role-based Access Management EPICenter Stand-alone Utilities The EPICenter Policy Manager Upgrade Distributed Server Mode (EPICenter Gold Upgrade) EPICenter Software Architecture Extreme Networks Switch Management SNMP and MIBs Traps and Smart Traps Device Status Polling EPICenter Concepts and Solutions Guide...
Page 4 Extreme Networks Device Support Third-Party Device Support Chapter 2 Getting Started with EPICenter Starting EPICenter Starting the EPICenter Server Starting the EPICenter Client The EPICenter Client Login Window Getting Help Working with the EPICenter Features Device Selection Persistence Running Features in Separate Windows...
Page 5 Baseline Configurations Identifying Changes in Configuration Files Automatic Differences Detection Device Configuration Management Log Managing Firmware Upgrades Automated Retrieval of Firmware Updates from Extreme Networks Detection of Firmware Obsolescence for Network Components Multi-Step Upgrade Management Chapter 7 Managing Network Security...
Page 6 Using Alarms to Monitor Potential Security Issues Device Syslog History Network Access Security Using VLANs Using IP Access Lists Chapter 8 Managing Wireless Networks Wireless Networking Overview Inventory Management Using Wireless Reports Security Monitoring with Reports Client MAC spoofing report Monitoring Unauthenticated Clients Detecting Rogue Access Points Enabling Rogue Access Point Detection...
Page 7 Avaya Devices in EPICenter Launching the Avaya Device Manager from the Devices Sub-Menu Tools Menu Commands Launching the Avaya Integrated Management Console from EPICenter Monitoring IP Phones on Extreme Networks Devices Importing IP Phones Syncing IP Phones The IP Phones Properties Display...
Page 8 Inventory Manager Grouping Manager Printing Topology STP Monitor Reports Appendix B EPICenter Utilities The DevCLI Utility Using the DevCLI Commands DevCLI Examples Inventory Export Scripts Using the Inventory Export Scripts Inventory Export Examples The SNMPCLI Utility Using the SNMPCLI Utility SNMPCLI Examples Port Configuration Utility The AlarmMgr Utility...
Page 9: Preface
Preface This preface provides an overview of this guide, describes guide conventions, and lists other useful publications. Introduction This guide provides the required information to use the EPICenter software. It is intended for use by network managers who are responsible for monitoring and managing Local Area Networks, and assumes a basic working knowledge of: •...
Page 10: Conventions
Preface Conventions Table 1 and Table 2 list conventions that are used throughout this guide. Table 1: Notice Icons Icon Notice Type Alerts you to... Note Important features or instructions. Caution Risk of unintended consequences or recoverable loss of data. Warning Risk of permanent loss of data.
Page 11: Related Publications
• ExtremeWare Software User Guide • ExtremeWare Command Reference Guide • ExtremeWare XOS Concepts Guide • ExtremeWare XOS Command Reference Guide For documentation on Extreme Networks products, and for general information about Extreme Networks, see the Extreme Networks home page: • http://www.extremenetworks.com Customers with a support contract can access the Technical Support pages at: •...
Page 12 Preface EPICenter Concepts and Solutions Guide...
Page 13: Epicenter Overview
LANs (VLANs), and implement policy-based networking in enterprise LANs with Extreme Networks switches. EPICenter offers a comprehensive set of network management tools that are easy to use from a client workstation running EPICenter client software, or from a workstation configured with a web browser and the Java plug-in.
Page 14 QoS rules. Extreme Networks switches and many other MIB-2 compatible devices can be monitored and controlled from a central interface, without exiting EPICenter to run a separate program or telnet session. Features such as SmartTraps (for Extreme Networks devices) and the EPICenter alarm system further maximize network monitoring capability while maintaining network usage efficiency.
Page 15: Inventory Management
Users with the appropriate access (roles with read/write access) can use this feature to discover Extreme Networks devices as well as any third-party devices running a MIB-2 compatible SNMP agent. Devices may be discovered by specific IP address or within a range of IP addresses.
Page 16: The Configuration Manager And The Firmware Manager
The IP/MAC Address Finder applet lets you search for specific network addresses (MAC or IP addresses) and identify the Extreme Networks switch and port on which the address resides. You can also use the IP/MAC Finder applet to find all addresses on a specific port or set of ports. If you have enabled EPICenter’s periodic MAC Address polling, which does polls for edge port address...
Page 17: Real-Time Statistics
The EPICenter software’s Topology feature allows you to view your network (EPICenter-managed devices and the links between Extreme Networks devices) as a set of maps. These maps can be organized as a tree of submaps that allow you to represent your network as a hierarchical system of campuses, buildings, floors, closets, or whatever logical groupings you want.
Page 18: Enterprise-Wide Vlan Management
EPICenter Overview Finally, from a managed device node on the map, you can invoke other EPICenter functions such as the alarm browser, telnet, real-time statistics, a front panel view, the VLAN Manager, or ExtremeWare Vista for the selected device. Enterprise-wide VLAN Management A virtual LAN (VLAN) is a group of location- and topology-independent devices that communicate as if they were on the same physical local area network (LAN).
Page 19: Role-Based Access Management
EPICenter Features Role-based Access Management All EPICenter users must log in with a user name and password in order to access EPICenter features. EPICenter initially provides four user roles: • Monitor role—users who can view status information only. • Manager role—users who can modify device parameters as well as view status information. •...
Page 20: Distributed Server Mode (Epicenter Gold Upgrade)
EPICenter Overview The Policy Manager includes three modules: • The Policies View, where you can create, view, and modify EPICenter policy definitions for Extreme Networks devices. • The ACL Viewer, where you can view the access list and QoS rules generated by the Policy Manager for the devices in your network.
Page 21: Extreme Networks Switch Management
To avoid the overhead of frequent device polling, the EPICenter software also uses a mechanism called SmartTraps to identify changes in Extreme Networks device configuration. In addition, standard SNMP MIB-2 traps can be used to define alarms for a large variety of other conditions.
Page 22: Traps And Smart Traps
EPICenter can use statistics gathered from the Remote Monitoring (RMON) MIB to provide utilization statistics on a port-by-port basis, if RMON is supported and enabled on the Extreme Networks devices EPICenter is managing. Utilization and error statistics can be displayed within the Real-Time Statistics applet, which provides a number of chart, graph, and tabular display formats.
Page 23: Extreme Networks Device Support
Edge Port Polling Using the MAC Address Poller EPICenter can maintain information about the MAC and IP addresses detected on Extreme Networks switch edge ports by polling the FDB tables of the Extreme switches it is managing. If MAC address polling is enabled, EPICenter uses Telnet polling to retrieve FDB information at regular intervals based on the settings of server properties in the Administration applet.
Page 24 EPICenter Overview device images and configuration description files may be added over time—check the Extreme Networks web site for information on new device support. EPICenter also provides support for Avaya Voice network devices through an integration of EPICenter and Avaya Integrated Management software that is co-resident on the same system. EPICenter Concepts and Solutions Guide...
Page 25: Getting Started With Epicenter
If you have not yet installed version 5.0, see the EPICenter Installation and Upgrade Note for instructions. The Installation and Upgrade Note is included in the EPICenter product package along with the EPICenter software CD, and is also available in Adobe PDF format on the CD, and from the Extreme Networks web site.
Page 26: Starting The Epicenter Client
If you installed EPICenter as a regular application rather than as services, you must start the server from the Start menu: 1 From the Start menu, highlight Programs, then Extreme Networks, followed by EPICenter 5.0 to display the EPICenter menu.
Page 27 Starting the EPICenter Client in a Windows Environment To start the EPICenter stand-alone client: 1 From the Start menu, highlight Programs, then Extreme Networks. 2 If you are running the client on the system where the EPICenter server is installed, select EPICenter 5.0, then select EPICenter 5.0 Client...
Page 28: The Epicenter Client Login Window
Getting Started with EPICenter Figure 2: EPICenter Start-up page 3 In the left-hand column, click the Launch EPICenter link to display the EPICenter login page. Starting the EPICenter Client in a Solaris Environment To start the EPICenter client in a Solaris environment: 1 Set the current directory: cd <install_dir>...
Page 29 Click OK to acknowledge this. If you installed EPICenter in non-intrusive mode (so that EPICenter will not automatically be registered as a trap receiver on Extreme Networks devices) a message appears reminding you that EPICenter Concepts and Solutions Guide...
Page 30: Getting Help
Getting Started with EPICenter you are running in non-intrusive mode. Click OK to dismiss this message. See the EPICenter Installation and Upgrade Note for more information about non-intrusive mode. If you enabled Automatic Information Updates when you installed EPICenter, you may be presented with a message indicating that software updates are available.
Page 31: Working With The Epicenter Features
\Program Files\Extreme . In a Solaris environment this is Networks\EPICenter 5.0\doc /opt/extreme/epc5_0/doc • It can be downloaded from the Extreme Networks web site at under http://www.extremenetworks.com, the Support area. You must have a version of Adobe Acrobat Reader installed (version 4 or later) to view the PDF file.
Page 32: Running Features In Separate Windows
Getting Started with EPICenter new feature in the Main window of the EPICenter product. If a device was selected in the previous feature, that same device will be preselected in the newly-opened feature. For example, if you select a device in the Inventory Manager, and then run the Alarm Manager, the Alarm Log browser will automatically filter the alarm log to display just the alarms for the device that was selected in the Inventory Manager.
Page 33: Creating The Device Inventory
• Search for devices by specific IP addresses or ranges of IP address, including using wildcard search parameters to specify the IP address sets you want to query. • Limit your search to Extreme Networks devices only, or include all discovered MIB-2 devices regardless of manufacturer •...
Page 34 Getting Started with EPICenter Note that you must provide the SNMP read community string to enable EPICenter to get information from the devices it finds. If your devices do not all use the same read community string, you will need to add each set of devices as a separate specification, as shown in the example.
Page 35: Adding Devices Individually
To change the default communication values, click the Default button at the top of the Inventory Manager main page. EPICenter uses the Extreme Networks default values for its switches as the defaults in EPICenter: • Login as admin with no password •...
Page 36 Getting Started with EPICenter such as upgrading software versions or changing passwords on devices as a group, rather than one-by-one. Later chapters in this guide will provide examples of how device groups can be used for specific purposes in EPICenter. Initially, EPICenter provides a single device group, named Default.
Page 37: Managing Device Configurations And Firmware
• The Firmware Manager helps you manage the versions of firmware installed on your devices. EPICenter will check the Extreme Networks web site to find the most current versions of the device, slot and bootROM software, and will download it to the EPICenter server if you so choose. It can tell you if the software on your devices is the most current versions, and can also manage the process of the upgrading the images on your devices, through its Upgrade Wizard.
Page 38 Getting Started with EPICenter Figure 8: Uploading a Baseline Configuration File This saves the configuration file as a baseline file in the directory, named by ip user/tftp/baselines address (e.g. 10_205_1_5.txt Note that you can also schedule the upload of baseline files. This feature is similar to scheduling archival uploads, except that a baseline upload cannot be scheduled on a repeating basis.
Page 39: Scheduling Configuration File Archiving
Managing Device Configurations and Firmware Figure 9: Configuration file information for a device Scheduling Configuration File Archiving You can schedule regular archival configuration file uploads on a daily or weekly basis. You can also set a limit on how many configuration files per device will be saved (you can limit by time, or by the number of files).
Page 40: Checking For Software Updates
When you install EPICenter you can enable the Automatic Information Update feature. This feature will connect to the Extreme Networks web site when the EPICenter server starts up, and then once every 24 hours, to check for new software updates. If it does find updates, it displays a message when you log into the EPICenter server from an EPICenter client, giving you the option of opening the Display Software Images Updates page.
Page 41: Using The Epicenter Alarm System
Using the EPICenter Alarm System Xs in the Change column indicates that the versions on the Extreme Networks web site have changed since the last time this display was Accepted. The Accept button at the top left corner, along with the checkbox, are used to acknowledge the update information.
Page 42: The Alarm Log Browser
• SNMP unreachable (EPICenter event) NOTE When Extreme Networks devices are added to the EPICenter Inventory database, they are automatically configured to send traps to the EPICenter server (unless you are running in non-intrusive Mode). To receive traps from non-Extreme Networks devices, you must manually configure those devices to send traps to the EPICenter server.
Page 43: Filtering The Alarm Log Display
Using the EPICenter Alarm System Figure 11: The Alarm Log Browser page Predefined filters Acknowledged alarms Alarm System module tabs EPICenter standard menus Number of alarms New alarm displayed (per filter) indicator Current filter definition Alarm summary Filtering the Alarm Log Display You can filter the list of alarms to view only a subset of alarms that are of particular interest—only alarms from a specific device, or a specific type of alarm, for example.
Page 44 Getting Started with EPICenter 1 Click the Filter button at the top of the Alarm Summary window. The Define Alarm Log Filter window opens. Figure 12: The Alarm Log filter definition window 2 Uncheck the View last 300 alarms checkbox. 3 From the drop-down menu in the Field field, select Source IP.
Page 45 Using the EPICenter Alarm System Figure 13: The filtered alarm summary list 7 If you want to save this filter for future use, click the Filter button again. The Define Alarm Log Filter window again opens, displaying the filter definition you just created. 8 Click Save and another small window opens where you can enter a name for this filter.
Page 46: Creating Or Modifying An Alarm Definition
Getting Started with EPICenter Creating or Modifying an Alarm Definition Although EPICenter provides a number of predefined alarms, you may find that you need to modify those alarm definitions, or even create your own alarms to alert you to specific conditions. For example, you may decide to modify the predefined SNMP Unreachable alarm to send an email to the network administrator when a device becomes unreachable (the predefined alarms by default do not take any actions other than to create an entry in the alarm log).
Page 47 Using the EPICenter Alarm System 1 Click the Alarm Definition tab at the top of the window. This displays the Alarm Definition List. Figure 14: The Alarm Definition List with the Overheat alarm selected 2 Scroll down in the list and select the Overheat alarm definition. The basic properties for this alarm definition are displayed in the lower part of the page when you do this, as shown in Figure 14.
Page 48 Getting Started with EPICenter Figure 15: The Modify Alarm Definition window with the Action Tab displayed For this alarm, you want to use an email action. However, before you can specify an email action, you must configure EPICenter with settings for the SMTP server it should use. If this has not yet been done, the two email checkboxes are not selectable, as shown in Figure 15.
Page 49 Using the EPICenter Alarm System d Click OK to save these settings. NOTE If your e-mail server is not reachable when an alarm action attempts to send an email, the alarm server may stall waiting for the email server to respond. 6 To configure EPICenter to send a text message as an alarm action, click the Short email to: check box to turn on the check.
Page 50 Getting Started with EPICenter Figure 18: The modified Overheat alarm Example 2: Define a New Alarm to Forward a Trap Define a new alarm that forwards a trap to a remote host if port 10 on device “Summit_24” goes down. 1 Click the Alarm Definition tab at the top of the window, then click Add to open the New Alarm Definition dialog with the Basic tab displayed.
Page 51 Using the EPICenter Alarm System Figure 19: The Basic tab of the New Alarm Definition window 2 Click the Scope tab, and do the following: a Make sure the All devices and ports checkbox is not checked. b Select “Port” in the Source Type field. c Select the device (“Summit_24”) from the Device list.
Page 52 Getting Started with EPICenter Figure 20: The Scope tab of the New Alarm Definition window NOTE For convenience in scoping alarms, you might want to consider creating special-purpose device groups or port groups, and use those in your alarm scope. The benefit is that you can change the scope of the alarm simply by changing the membership of the relevant group.
Page 53: Threshold Configuration For Rmon And Cpu Utilization Alarms
Using the EPICenter Alarm System Figure 21: The Action tab of the New Alarm Definition window b If you need to change the trap receiver configuration, click the Settings... button to the right of the Forward trap to: line. This opens a configuration dialog where you can change the trap receiver configuration.
Page 54 Getting Started with EPICenter If you want a trap event to occur for both Rising and Falling threshold conditions, you can specify both thresholds. There are other SNMP traps supported by the EPICenter Alarm System, but not included in the threshold configuration function, that may require conditions to be set on the switch to define when a trap should occur.
Page 55 Using the EPICenter Alarm System The following diagram, shown in Figure 22, shows how alarms are generated for an RMON rule using Delta values, where the startup alarm condition is set to “Rising” or “RisingOrFalling.” RMON Alarm Event Generation Figure 22: RMON Alarm event generation Sampled Initial variable...
Page 56: Configuring A Cpu Utilization Rule
Getting Started with EPICenter b Click the Look up... button to display the Select MIB Variable dialog. c Expand the Extreme folder, select the variable, and click OK to extremeRtStatsUtilization enter it into the MIB Variable field. d Type “1500” in the Rising Threshold field. Note that for this variable the value must be in hundredths of a percent.
Page 57 Using the EPICenter Alarm System If you define an alarm for a CPU Utilization Rising Threshold event, an alarm will be generated each time the sample value meets the following conditions: — When the sample value becomes greater than or equal to the Rising Threshold for the first time (including the initial sample) after the alarm is enabled.
Page 58: Using Topology Views
Getting Started with EPICenter Note that in order to have any of these events cause an alarm in the EPICenter Alarm System, you need to define an alarm that responds to a CPU Utilization Rising Threshold or CPU Utilization Falling Threshold event.
Page 59 Using Topology Views Figure 24: Basic Topology Map A basic topology map such as the example in Figure 24 shows you a variety of information about the status of your network: • The border color of each device image indicates whether they are up or down •...
Page 60: Automated Map Creation Vs. Manual Map Creation
EPICenter cannot discover links between devices where EDP is not running (third-party devices, Extreme Networks devices with EDP disabled, or Extreme Networks devices running certain old versions of ExtremeWare). However, you can add user-defined links between devices to represent links that EPICenter cannot discover.
Page 61: Customizing The Look Of Your Maps
Using Basic EPICenter Reports Customizing the Look of Your Maps In addition to determining the network elements that appear on your Topology maps, you can also customize the look of your maps. You can change the color of the map background or add a background image, control whether device names and icons are displayed or not, control the size and color of the text used for node annotations, and so on.
Page 62 Getting Started with EPICenter Figure 27: Examples of EPICenter reports Most reports can be sorted in a number of ways, and many reports can be filtered to display only the data of interest, based on the types of information shown in the report. In addition, from some reports the displayed data can be exported to files in formats (csv or xml) that can be imported into other applications for analysis or display.
Page 63 Report Category Report Name Description Main • Extreme Networks eSupport Exports EPICenter data for use by Extreme Networks Export technical support. Accessible from the Main reports page. Network Summary • Network Summary Report Summary status of the network, as well as version and...
Page 64 Getting Started with EPICenter Report Category Report Name Description Client Reports • Network Login List of network login activity by device • Current Clients List of all current wireless clients detected, regardless of client state • Client History Historical presentation of activity by wireless client •...
Page 65: Managing Your Network Assets
You can tailor the discovery process to control the types of devices it will discover: • You can restrict the discovery to only Extreme Networks devices (the default) or have it discover all MIB-2 compatible devices. EPICenter Concepts and Solutions Guide...
Page 66 Managing your Network Assets • You can restrict the discovery to devices running SNMPv1 (the default) or allow it to discover devices running SNMPv3 as well. You can also control the range of IP addresses over which EPICenter will try to discover the devices it can manage: •...
Page 67 Creating a Network Component Inventory Figure 28: Device Discovery specifications Once the discovery results have been returned, you can then select the devices you want to add the EPICenter inventory. Discovery does not automatically add any devices to the EPICenter inventory. From the Discovery Results window, you can select individual or multiple devices to add to EPICenter’s inventory database.
Page 68: Adding Devices Individually
Managing your Network Assets Figure 29: Discovery Results window You can perform multiple Add operations from the Discovery results window, so you can discover a wide range of devices in one operation, and then add them in small sets based on which devices use common contact information, or how you want to place them in device groups.
Page 69: Importing Devices Using The Devcli Utility
Making Device Contact Information Changes Importing Devices Using the DevCLI Utility If you have a large number of devices you want to add the EPICenter inventory, and you have there addresses and contact information available in machine-readable form, you can use the DevCLI command line utility to import device information into the EPICenter database.
Page 70 Managing your Network Assets You can change any of the device contact information kept for a device in the EPICenter database through the Modify Devices and Device Groups dialog in the Inventory Manager. If multiple devices use the same contact information, you can change the information for all those devices in a single operation (if they are members of the same device group).
Page 71: Organizing Your Inventory With Device Groups
Organizing Your Inventory with Device Groups Figure 31: Contact Information change dialog You can change the value in the database only, or in both the database and on the device (or do neither). You might elect to make changes in the database only if the values had already been changed on the devices.
Page 72: Monitoring Critical Links With Port Groups
Managing your Network Assets Device groups can be useful in the following areas: • Alarms: If an alarm is scoped on a device group, when the group membership changes, the alarm scope automatically reflects that change. • Telnet macros: If a Telnet macro has a device group execution context, you can run the macro on all members of the device group by selecting the device group node in the Component Tree and executing the macro.
Page 73 Monitoring Critical Links with Port Groups Figure 32 shows a port group as defined in the Grouping Manager for the uplink ports on the core devices in a specific building. Figure 33 shows a utilization chart for the ports in the same port group. Even though the ports are on different devices, they can be grouped into a single statistical display, which makes it very easy to monitor the status of these critical links.
Page 74: Inventory Reports
The Reports feature includes the following reports on the inventory of devices, slots and ports in the EPICenter database: • Device Inventory Summary listing the Extreme Networks devices in a device group, or of a specific device type, including the MAC address, serial number, and current image on the device. From this report you can view a detailed report for an individual device.
Page 75: Uploading Inventory Information To Extreme Networks
Extreme Networks. To create a report suitable for upload to Extreme Networks, select a device group (or “all groups”) from the drop-down field at the top of the Main Reports page, and click Export.
Page 76 Managing your Network Assets EPICenter Concepts and Solutions Guide...
Page 77: Configuring And Monitoring Your Network
Configuring and Monitoring Your Network This chapter describes how EPICenter can help you configure, monitor, and manage the components of your network on a network-wide basis. Topics include: • Configuring multiple devices concurrently using user-defined Telnet macros • Network-wide configuration of VLANs •...
Page 78: User-Defined Telnet Macros
You might use the Macro Player to enter a set of commands to be run on several devices at the request of Extreme Networks’ Technical Assistance Center to help in diagnosing a configuration problem, for example.
Page 79: Creating Telnet Macros For Re-Use
One example of a macro you would re-use is a macro to configure EPICenter as a Syslog server for your Extreme Networks switches. You could create and save a macro that used a system variable to specify the EPICenter server’s host name or IP address. To configure EPICenter as a syslog server with facility...
Page 80: Creating Macros To Be Run From A Menu
Configuring and Monitoring Your Network Example 2: A Macro to Configure a New Switch Another example of a re-usable macro would be a macro to configure new network devices with the existing network configurations for specific VLAN, ESRP, STP or other customizations. This example uses user-defined variables to enable the input of specific port and IP address information.
Page 81: Role-Based Telnet Macro Execution
User-Defined Telnet Macros NOTE The execution context and execution roles only affect how Telnet macros appear in menus outside the Telnet applet. Any user who has access to the Telnet applet can run any macro in any context. Figure 36 shows an example of a set of Telnet macros available from the Macros sub-menu of a right-click pop-up menu.
Page 82: Network-Wide Vlan Configuration
Configuring and Monitoring Your Network assistants logged in with the assistant role could configure a new device without needing access to the Telnet applet. Another common case would be allowing users with a read-only access role, such as the Monitor role, to run commands of various sorts on devices on the network for troubleshooting read-only.
Page 83: Graphical And Html-Based Configuration Monitoring
Graphical and HTML-based Configuration Monitoring the switches with ports in the VLAN). The VLAN Manager also provides a graphical user interface for creating new VLANs and adding and removing device ports to or from an existing VLAN. Due to multi-threading, EPICenter can perform a VLAN configuration on multiple devices concurrently, rather than having to configure each switch in a VLAN one at a time.
Page 84 Configuring and Monitoring Your Network • The EPICenter Reports feature provides a large number of HTML-based reports that can be used to monitor network configuration details. These reports are tabular in nature, but they can be printed out, and in some cases they can be exported to a file in a format that then be imported into another application for analysis.
Page 85: Managing Vlans
Managing VLANs This chapter describes how to configure, monitor, and manage VLANs. Topics include: • Graphically configuring and monitoring VLANs • Scalable multidevice network-wide VLAN functionality • Network-wide VLAN membership visibility • Displaying VLAN misconfigurations with Topology maps EPICenter provides a number of features that greatly simplify the management of VLANs on your network.
Page 86: Network-Wide Vlan Membership Visibility
Managing VLANs The Topology applet, on the other hand, lets you view your VLANs from the perspective of the network interconnections. By selecting a VLAN you can quickly see the device connectivity enabled by the VLAN. Through Topology Views you can: •...
Page 87 Network-wide VLAN Membership Visibility By default, VLAN information is not shown in the normal view of a topology map. To view VLAN information on a map you must enable the VLAN information display: 1 From the Display menu, select VLAN Information. This displays the VLAN field on the Topology map Toolbar.
Page 88: Network-Wide Multidevice Vlan Configuration
Managing VLANs Network-wide Multidevice VLAN Configuration Through the EPICenter VLAN Manager you can configure VLANs across multiple devices on your network in a single operation. When you create a VLAN in the VLAN Manager, you can specify ports from all the devices that should participate in the VLAN in one operation, and EPICenter will configure the VLAN on all the devices and ports you specify.
Page 89: Modifying Vlans From A Topology Map
Network-wide Multidevice VLAN Configuration Figure 41: Connection Information for a new port member of a VLAN When you click Apply to create the VLAN, EPICenter will create the VLAN on all the specified devices with the specified ports. By using multi-threading EPICenter can initiate these requests concurrently on multiple devices, thus reducing the overall elapsed time required to implement those changes on the devices.
Page 90: Displaying Vlan Misconfigurations With Topology Maps
Managing VLANs If you choose to add the links to an existing VLAN, you can specify whether the endpoints of the links should be added as tagged or untagged ports. If you choose to create a new VLAN, a further dialog lets you specify the VLAN name, tag, and protocol for the VLAN, as well as whether the endpoints should be added as tagged or untagged ports.
Page 91 Displaying VLAN Misconfigurations with Topology Maps Figure 42: Displaying a misconfigured VLAN You can solve the misconfiguration problem by selecting the link and using the Add Link to VLAN command to add the VLAN on the devices at both ends of the link. Or, if the VLAN should not be configured on either end of the link, you could use the VLAN Manager’s Modify VLAN or Modify VLAN Membership commands to remove port 19 on Bld1Core from the bld1-vlan VLAN.
Page 92 Managing VLANs EPICenter Concepts and Solutions Guide...
Page 93: Managing Network Device Configurations And Updates
Archiving Component Configurations You can use EPICenter to upload and store the configuration files from all your Extreme Networks devices. You can do this on an as needed basis, but you can also have EPICenter perform archival uploads on a regular schedule without requiring administrator intervention.
Page 94: Baseline Configurations
(those not individually scheduled) based on the global schedule. To upload configuration files from your Extreme Networks devices to EPICenter on a one-time basis, click the Upload button in the Configuration Manager toolbar (or select Upload from the Config menu).
Page 95: Identifying Changes In Configuration Files
Baseline Configurations good” configuration in case of configuration problems, and you can use it as a reference to compare against archived configuration files to identify any configuration changes that have been made. When you view information about the configuration files that have been uploaded for a device or a device group in the main Configuration Manager window, the display indicates whether a baseline file exists for the device.
Page 96: Device Configuration Management Log
Managing Network Device Configurations and Updates Figure 44: Configuration change report for changes detected in an archived configuration EPICenter will combine into one report any differences detected in archive operations that occur within a 10 hour time frame, to avoid generating many small reports. If you have a large number of devices that you are archiving, you may want to schedule them in groups with a time lapse in between that is sufficient for EPICenter to save and email a completed report.
Page 97: Managing Firmware Upgrades
Extreme Networks web site to your EPICenter server. You must have a support contract with Extreme Networks in order to download software; you will need to enter your Extreme Networks support user name and password in order to login to the Extreme Networks remote server.
Page 98 Managing Network Device Configurations and Updates and the software images, and you may need to do an intermediate software upgrade in order to upgrade to the most current version. If you request an upgrade that cannot be done in one step, the Firmware Manager will determine what the required steps are, and will provide that information to you as you proceed through the upgrade process.
Page 99: Managing Network Security
Network administrators must protect their networks from unauthorized external access as well as from internal access to sensitive company information. Extreme Networks products incorporate multiple security features, such as IP access control lists and virtual LANs (VLANs), to protect enterprise networks from unauthorized access.
Page 100: Using Radius For User Authentication
Setting up EPICenter Roles using RADIUS Fundamental to administrator access and control of your Extreme Networks products is setting up one or more administrator roles on each switch. A role determines what actions the administrative user is allowed on the switch or through EPICenter.
Page 101 Management Access Security The EPICenter Inventory Manager can discover SNMPv3 devices in your enterprise network. Click on the Discover button to set the discovery options for building an inventory of your network. Select the SNMPv3 discovery checkbox to add SNMPv3-enabled devices to your inventory. You can also add a device to the Inventory Manager, manually entering the SNMPv3 settings for the device.
Page 102: Monitoring Configuration Changes
SNMPv1 for any reason, you can do so with minimal effort. Using SSHv2 to Access Network Devices. Extreme Networks products support the secure shell 2 (SSHv2) protocol to encrypt traffic between the switch management port and the network management application (EPICenter). This protects the sensitive data from being intercepted or altered by unauthorized access.
Page 103: Mac Address Finder
MAC Address Finder you EPICenter server is installed. You can configure the Diff Viewer using the Setup Viewers command from the Options submenu of the Config menu or the right-click pop-up menu in the Configuration Manager. See Chapter 6, “Managing Network Device Configurations and Updates” for more information on using these features of the Configuration Manager.
Page 104: Device Syslog History
Device Syslog History Syslog messages report important information about events in your network. Each Extreme Networks products acts as a syslog client, sending syslog messages to configured syslog servers. These messages include information that reveals the security status of your network. Using syslog messages, you can track events in your network that may affect security.
Page 105: Network Access Security
Network Access Security EPICenter creates a dynamic log of syslog messages in the Reports feature. Use this log to scan for critical security events such as: Table 3: Security-based Syslog Messages Error Message Explanation You have a duplicate IP address on the network (same as an <CRIT:IPHS>...
Page 106 LAN, but each is tagged with a different VLAN ID. Marketing traffic going through the same physical LAN switches will not reach Finance hosts because they exist on a separate VLAN. Extreme Networks switches can support a maximum of 4000 VLANs. VLANs on Extreme Networks switches can be created according to the following criteria: •...
Page 107: Using Ip Access Lists
Network Access Security See Chapter 5 “Managing VLANs” for more information about how EPICenter can help you manage the VLANs on your network. Using IP Access Lists IP access lists (ACLs) determine what traffic is allowed on your network. ACLs use a set of access rules you create to determine if each packet received on a switch port is allowed to pass through the switch, and if so, at what priority and with how much bandwidth, or is denied (dropped) at the ingress port.
Page 108 Managing Network Security 1 Select the “New” button to create a new policy within the Policy Manager. 2 Define the new policy based on network resources (groups, devices), users (hosts or groups of hosts), and the predefined list of network resource services (protocols, allowed or denied). 3 Save your new policy.
Page 109: Managing Wireless Networks
Managing Wireless Networks This chapter describes: • Wireless Networking Overview • Inventory Management Using Wireless Reports • Security Monitoring with Reports • Detecting Rogue Access Points • Detecting Clients with Weak or No Encryption • Wireless Network Status with Reports •...
Page 110: Inventory Management Using Wireless Reports
The EPICenter reports feature has a pre-defined Wireless AP Report that lists all the wireless Extreme Networks APs attached to Extreme switches. Click on any AP in the list to get a detailed inventory report for that AP.
Page 111: Client Mac Spoofing Report
Security Monitoring with Reports Client MAC spoofing report When the network detects two or more client stations with the same MAC address that are all in the data forwarding state on different wireless interfaces, the client might be using another client’s MAC address in an unauthorized way;...
Page 112: Detecting Rogue Access Points
Rogue APs. APs are marked as rogues in Extreme Networks switches by detecting when a new AP shows up on the network that does not appear in the list of authorized APs. The Rogue AP Report in EPICenter lists these unauthorized APs and gives details on the AP model, operating characteristics, and the interface that detected the rogue AP.
Page 113: Detecting Clients With Weak Or No Encryption
Detecting Clients with Weak or No Encryption Figure shows an example of the Rogue Access Point Detail Report. Note the Add to Safe List button near the top left corner. Use this button to add this AP to your Safe List Figure 50: Rogue AP Detail Report Example Detecting Clients with Weak or No Encryption Securing your wireless traffic is crucial to providing the flexibility of mobile, on-demand access to your...
Page 114: Wireless Network Status With Reports
Managing Wireless Networks Figure 51: Current Wireless Clients Report Example Wireless Network Status with Reports The EPICenter Reports feature provides multiple dynamic reports that can be used to monitor the status of your wireless network. These reports give a summary of the wireless network, as well as drill down details on access points, interfaces, network logins and clients.
Page 115: Debugging Access Issues With Syslog Reports
Debugging Access Issues with Syslog Reports Or, use the MIB Query tool to have EPICenter query the SNMP MIB variables for a one-shot update on the relevant statistics. Note that SNMP MIB objects with Counter or Counter64 syntax require you to compare the difference between two consecutive polls of the MIB object to collect relevant information on that statistic.
Page 116 Managing Wireless Networks EPICenter Concepts and Solutions Guide...
Page 117: Tuning And Debugging Epicenter
This chapter describes how to tune EPICenter performance and features to more effectively manage your network. It also describes some advanced features that are available to an EPICenter administrator (a user with an Administrator role) to help analyze EPICenter or Extreme Networks device operation. These include: •...
Page 118: Polling Types And Frequencies
Tuning and Debugging EPICenter • To take a device offline in EPICenter, go to the Inventory Manager, select the device in the Component Tree, and select Take Offline from the Inventory menu or from the right-click pop-up menu for the device. Note that this does not physically change the device; it just sets EPICenter to ignore the device as if it were offline.
Page 119: Performance Of The Epicenter Server
Monitoring and Tuning EPICenter Performance MAC address polling is enabled or disabled globally through the MAC Polling Server Properties in the Admin applet. If enabled, MAC address polling can then be enabled on a per device basis through the Inventory Manager. Through the MAC Polling Server Properties, you set the amount of load, which determines the amount of elapsed time between sets of FDB polling requests.
Page 120: Tuning The Alarm System
Tuning and Debugging EPICenter Tuning the Alarm System Alarm activity (processing traps and executing alarm actions) can consume a fairly significant amount of system resources if you have a large number of devices in your network, with many alarms enabled and scoped on all devices.
Page 121: Limiting The Scope Of Alarms
Tuning the Alarm System 3 Uncheck the Enabled checkbox to disable the alarm, then click OK. Note that disabling alarms that are not likely to occur will not have much performance impact. For example, if you do not use ESRP, the disabling the ESRP State Change alarm is not likely to have an impact, as those alarms should never occur.
Page 122 Tuning and Debugging EPICenter Figure 52: Defining the scope of an alarm You can scope an alarm to Device Groups and Port Groups as well as individual devices and ports. To change the alarm scope for an existing alarm: 1 Under the Alarm Definition tab in the Alarm System feature, select the alarm you want to scope, and click Modify.
Page 123: The Alarm And Event Log Archives
Using the MIB Poller Tools changing the membership of the relevant groups. You can add or remove links from a Port Group, or add or remove devices from a Device Group, and the scope of the alarm will automatically reflect the changed group membership.
Page 124: Defining A Mib Collection
Tuning and Debugging EPICenter Defining a MIB Collection A MIB Collection is defined in an XML file named that is stored in the EPICenter collections.xml directory of the EPICenter installation. You can specify both scalar and tabular user/collections OIDs. You must also specify the set of devices (by IP address) that should be polled for this data, and provide some additional properties such as the polling interval.
Page 125: The Mib Poller Summary
Using the MIB Poller Tools Table OIDs are defined in statements, included between <oid ... > <table> </table> statements. OIDs from different tables must be put in separate statements. The label portion of <table> the statement appears in the MIB Collections Detail report, and as a heading in the exported data file. Scalar OIDs are defined in statements included between a <oid ...
Page 126 Tuning and Debugging EPICenter An EPICenter Administrator can start or stop polling for any or all of the collections, and can reload the file. collections.xml Loading, Starting and Stopping a Collection If a file named exists in the EPICenter server’s directory when collections.xml user/collections...
Page 127 Using the MIB Poller Tools Figure 54: MIB Collection Detail Report The top area of the MIB Collection Detail Report shows the properties of the collection, as defined in the file: collections.xml Collection Name The name of the collection Polling Interval The polling interval, in seconds Save Polled Data Whether the polled data is being saved in the database (Yes or No)
Page 128 Tuning and Debugging EPICenter The two tables below show the scalar and tabular MIB variables (OIDs) for which polling will be done. Each variable is identified by its OID and the data label that was provided in the xml file. The MIB Poller Detail Report The Poller Detail report simply shows the status of the collection for each device in the collection scope.
Page 129 Using the MIB Poller Tools Figure 56: A MIB Collection definition shown in XML Exporting the Collected Data One of the main purposes for collecting historical MIB data over time is to allow analysis to identify trends or patterns that may provide insights into your network usage. In order to do this, you need to export the collected MIB data so it can be used by other analysis tools.
Page 130: The Mib Query Tool
Tuning and Debugging EPICenter The MIB Query Tool The MIB Query Tool lets you retrieve the values of MIB variables on a one-time basis. It does not do any repeated polling, and does not store the results. Figure 57: A MIB Query example To perform a MIB query, you enter the required data into the appropriate fields: •...
Page 131: Reconfiguring Epicenter Ports
EPICenter installation: • In Windows this would be \Program Files\Extreme Networks\EPICenter 5.0\tomcat\conf\server.xml • In Solaris it would be /opt/extreme/epc5_0/tomcat/conf/server.xml Look for the statement defining the Coyote Connector, as shown here: ...
Page 132: Using The Epicenter Debugging Tools
• Check server internals: This creates a report of server internal status. • Query Database: Lets you enter an SQL query against the EPICenter database. This is for use only at the direction of Extreme Networks Technical Assistance Center personnel. EPICenter Concepts and Solutions Guide...
Page 133: Voip And Epicenter-Avaya Integrated Management
The EPICenter/Avaya integration has been developed jointly by Extreme Networks and Avaya to deliver a set of tools that enable managing and troubleshooting Avaya Voice and Extreme Networks infrastructure networks in a coordinated manner. Each product can discover and display devices from the other vendor, and can cross-launch both the network management application (EPICenter or the Avaya Network Management Console) and device managers embedded in the supported devices.
Page 134: Installation Considerations
Avaya Integration properties in the EPICenter Admin feature. • In the Properties display for an Extreme Networks device (accessed from the EPICenter display menu or from the right-click pop-up menu) an IP Phones tab is available. This tab shows the location, identity (MAC and IP addresses and extension if available) and status of any IP phones connected to the Extreme Networks device.
Page 135: Tftp Server Coordination
3 Type the path of the Avaya Integrated Management server TFTP root directory 4 Click Apply. Discovering Avaya Devices Discovering Avaya devices works just like discovering Extreme Networks devices or other MIB-2 compatible devices. 1 From within the Inventory Manager, click the Discover button or select Discover from the Inventory menu.
Page 136: Avaya Devices In Epicenter
Figure 59: The Discover Devices window when the Avaya Integrated Management server is co-resident on the system 3 Select the All MIB-2 Devices checkbox to discover non-Extreme Networks devices. 4 Click New. EPICenter will query the Avaya Information Manager for the devices it is managing, and will add those to the list of IP addresses to discover.
Page 137: Launching The Avaya Device Manager From The Devices Sub-Menu
Avaya Devices in EPICenter Figure 60: Device Details in the Inventory Manager for an Avaya device. The Device sub-menu, accessed from the right-click pop-up menu or the Tools menu, provides a command to launch the device manager for the selected Avaya device. The device manager appears in a separate window, either running in a browser window or as a separate application depending on whether your EPICenter client is running on the same system as the Avaya Integrated Management and EPICenter servers.
Page 138: Tools Menu Commands
VoIP and EPICenter-Avaya Integrated Management the embedded Device Manager is launched directly on the selected Avaya device instead of through the Avaya Network Management Suite. Tools Menu Commands When EPICenter detects that the Avaya Integrated Management server is co-resident on the system, it adds a submenu to the Tools menu specifically for Avaya.
Page 139: Launching The Avaya Integrated Management Console From Epicenter
If Avaya Integrated Management is not co-resident, these IP phones features are not available in EPICenter, even if IP phones are connected to Extreme Networks devices. Information about IP phone identity is kept by the Avaya Integrated Management server, and must be imported into EPICenter from the Avaya Integrated Management inventory.
Page 140 IP phone information. For IP phones connected to Avaya devices, however, the MAC Poller will only be able to detect the phone when it appears on a port on an Extreme Networks device. This can result in multiple phones appearing on a single port (the port connecting the Extreme device and the Avaya device), or a phone appearing on more than one port (if a second Avaya device contacts a phone on an Avaya device through an Extreme Networks device.
Page 141: Syncing Ip Phones
Monitoring IP Phones on Extreme Networks Devices Syncing IP Phones When an IP phone location has changed, the Properties display for the affected device(s) will reflect the new location, but the EPICenter database will continue to contain the outdated location information until you do a Sync IP Phones.
Page 142: Ip Phones Reports
VoIP and EPICenter-Avaya Integrated Management IP Address IP address of the IP phone Netmask Subnet Mask for the IP phone Model The model (type) of IP phone Status The phone status: • Active: its MAC address is present in the device’s operational FDB •...
Page 143: Epicenter System Properties For Avaya Integration
EPICenter System Properties for Avaya Integration The IP Phones report displays the following information about each phone: Extension The phone extension Extension/IP Address The phone extension, or the IP address (if the Avaya Integrated Management server is installed as a plug-in to HP OpenView, only the address is available, not the extension). Netmask Subnet Mask for the IP phone The MAC address of the IP phone...
Page 144 VoIP and EPICenter-Avaya Integrated Management Figure 65: The Avaya Integration Server Properties, Admin feature When you select Avaya Integration from the drop-down menu field at the top of the Properties panel, you can set the following properties: AIM Server Host The IP address (or host name) of the system running the Avaya Integrated Management server.
Page 145: Launching Epicenter From The Avaya Integrated Management Console
EPICenter can be launched from within the Avaya Integrated Management Console in the context of a specific Extreme Networks device. This will launch EPICenter and will display the Inventory Manager Device Details view for the device selected within the Avaya Integrated Management Console.
Page 146 VoIP and EPICenter-Avaya Integrated Management EPICenter Concepts and Solutions Guide...
Page 147: Policy Manager Overview
The EPICenter policy system is based on the policy-based QoS capabilities in the ExtremeWare software. For details on the capabilities and implementation of QoS in Extreme Networks switches, see the ExtremeWare Software User Guide or the ExtremeWare Release Note for the version(s) of the software running on your switches.
Page 148: Basic Epicenter Policy Definition
Policy Manager Overview The EPICenter Policy Manager is organized into two functional areas. • The Policies View, where you can create, view, and modify EPICenter policy definitions for Extreme Networks devices. The organizing principle within the Policies view is the policy definition. •...
Page 149: Policy Types
Policy Types Policy Types The EPICenter Policy Manager supports four types of policies: Access-based Security QoS policies, IP QoS (Access List) policies, Source Physical Port QoS policies, and VLAN QoS policies. These policies assign QoS profiles to traffic flows that are identified based on dynamically determined destination port, IP-based endpoint addressing information, physical port of origin, or VLAN origin.
Page 150 Policy Manager Overview (netlogin / 802.1x). This differs from the static IP, VLAN and source port policies which apply the ACL rules in a persistent manner on devices specified by the policy scope. In the EPICenter Policy Manager, the endpoints of the traffic flow for Access-based Security policies are defined as one or more services and users.
Page 151: Ip-Based Policies (Access List Policies)
Policy Types Figure 66: Access-based QoS policy An Access-based Security policy specifies traffic flow between two endpoints, one of which is dynamically determined when the user logs in on the network. The policy is applied only at the entry point to the system and does not need to be specified on each possible internal device that might be in the path for that policy.
Page 152 Policy Manager Overview an IP address. If you specify a group resource as an endpoint, only the resources within the group (and its subgroups) that can be mapped to an IP or subnet address will be used as policy endpoints. You can also further define the server-side traffic endpoints by specifying a named application or service, which translates to a protocol and L4 port, or by directly specifying a protocol and L4 port range.
Page 153 Policy Types Because they were defined through the EPICenter Grouping Manager, the Policy Manager can translate these high-level server and client names to IP addresses. Based on this information as well as the specified traffic direction, the Policy Manager generates the set of traffic flows shown in the table at the bottom of Figure 68.
Page 154: Source Port Policies
Policy Manager Overview specification. For example, if you specify policy endpoints as 10.2.0.0/16, 10.2.0.1, and 10.2.0.25, the Policy Manager will use only 10.2.0.0/16 The IP QoS rules generated from EPICenter IP policy definitions are also known as Access List rules, because they define and control IP-based access between endpoints.
Page 155: Vlan Policies
Policy Types which you can do using the EPICenter VLAN Manager applet. DiffServ examination must be enabled using the ExtremeWare CLI or through ExtremeWare Vista. See the ExtremeWare Software User Guide for versions 6.0 or later for details on using 802.1p and DiffServ. Source port QoS policies are supported on Extreme devices running ExtremeWare 5.0 or later—...
Page 156: Policy Named Components
Policy Manager Overview Like Source Port QoS, VLAN QoS rules are implemented only in the devices included in the policy scope that have the specified VLAN. To enforce QoS settings across switch/VLAN boundaries you must use 802.1Q tagging—specifically through explicit packet marking using 802.1p or DiffServ. If the switch ports used for output use 802.1Q tagging, the QoS profile assignment will be carried via the 802.1p priority bits to the next switch.
Page 157 Policy Named Components Figure 71: EPICenter Policy Manager components Device Group group Policy import import named components import Netlogin/DLCS import Device User Host Application as a Host Netlogin/DLCS import import System System Device L4 / VLAN IP/subnet QoS profile port L4 range Policy primitive components XM_020A...
Page 158 • Netlogin/DLCS indicates that the mapping may be obtained through Netlogin or the Dynamic Link Context System (DLCS) operating within Extreme Networks devices. • DNS indicates that the mapping may be obtained via a name lookup service such as DNS.
Page 159: Policy Access Domain And Scope
Policy Access Domain and Scope Policy Access Domain and Scope The policy type and policy traffic definitions specify how to identify a traffic flow of interest. The policy access domain (Security policy) or scope (IP policy) definition specifies how to handle that traffic flow on your network devices.
Page 160: Using Groups In Policy Definitions
Policy Manager Overview It is very important to understand the relationship of the target traffic flow, the QoS profile, and the profile configuration in each switch. The policy rules generated by the EPICenter Policy Manager associate a QoS profile with a particular traffic flow, but the configuration of that profile (its bandwidth and priority parameters) are defined in each individual switch.
Page 161: Precedence Relationships Within The Policy Manager
• Precedence between resources within the scope of a policy • Precedence between EPICenter policies • Precedence between the QoS rules implemented on an Extreme Networks device Each of these has a somewhat different use and effect. Precedence between the resources in a policy scope is used to determine which QoS profile specification should be used when a particular device is specified multiple times within a scope definition.
Page 162: Epicenter Policy Limitations
Policy Manager Overview • Changes made through the ExtremeWare CLI or ExtremeWare Vista on a device managed by the EPICenter server • A user login or end station reboot when DLCS is enabled • Saving a change to a policy within the Policy Manager If Auto Configuration is disabled, you must explicitly perform the configuration process using one of the directed configuration functions initiated using the Configure or Configure All buttons on the Policy Manager toolbar.
Page 163 Appendices...
Page 165: Troubleshooting
In Windows 2000/XP, enter one of the following commands at the prompt in a command window or in the Run field. If you have both server and client installed on the same system: c:\Program Files\Extreme Networks\EPICenter 5.0 > runclient.exe DEBUG DEBUG > <logfile> If you have the client only installed: c:\Program Files\Extreme Networks\EPICenter 5.0 >...
Page 166: Using The Browser-Based Client (Windows Only)
If you are using the browser-based client, please try to duplicate the problem with the Java Console enabled in Internet Explorer. Look at the Java Console window and copy/paste (using [Ctrl]+C and [Ctrl]+V on Windows 2000/XP) the contents into a text file. If a problem occurs, Extreme Networks customer support may require the Java Console output.
Page 167: Epicenter Client
EPICenter Client EPICenter Client Problem: Client is unable to connect to the EPICenter server. Verify that the EPICenter Server process is running. Verify that the server is running on the specified port. You can try to connect to the server’s HTTP port using a browser.
Page 168: Epicenter Database
Files\Extreme Networks\EPICenter 5.0 location, substitute the correct installation directory in the commands below. 2 Go to the EPICenter install directory: cd c:\Program Files\Extreme Networks\EPICenter 5.0 3 Add the EPICenter database directory to your path: set path=c:\Program Files\Extreme Networks\EPICenter 5.0\database;%path% 4 Execute the following command: database\dbeng9.exe -f basecamp.db...
Page 169: Epicenter Server Issues
EPICenter Server Issues 2 Go to the EPICenter install directory: cd /opt/extreme/epc5_0 3 Make sure the environment variable is set to the EPICenter directory installation LD_LIBRARY_PATH directory: setenv LD_LIBRARY_PATH /opt/extreme/epc5_0/database 4 Execute the following command: database/dbeng9.exe -f basecamp.db 5 Watch the output from this command. If the database program indicates it cannot recover the database, delete the database log: rm basecamp.log and try executing the previous command again:...
Page 170 Troubleshooting SmartTraps are sent, and the data is not refreshed. If you need to remove a trap receiver from a device running SNMPv1, use the command: config snmp delete trapreceiver <ipaddress> For devices running SNMPv3, use the commands: config snmpv3 delete target-addr <ipaddress> config snmpv3 delete target-params [ <param>...
Page 171 EPICenter Server Issues Exceeding the first limit (>20 traps in 28 seconds) is rare, and should be considered abnormal behavior in the managed device. If you are managing a large number of devices, you may reach the total (275) limit in normal circumstances.
Page 172: Vlan Manager
Troubleshooting will be asked to enter some information about yourself, and the license key will be sent to you by return e-mail. Follow the instructions in the EPICenter Installation and Upgrade Note or the EPICenter Release Notes to add this license to your EPICenter installation. VLAN Manager Problem: Multiple VLANs have the same name.
Page 173: Alarm System
• Check that the device is in your alarm scope. • Check that SNMP traps are enabled on the device. • For a non-Extreme Networks device, make sure you have set EPICenter as a trap receiver on the device (see Chapter 8).
Page 174: Esrp Monitor
Troubleshooting Problem: A program specified as an action for an alarm (in the Run Program field) does not get executed. It includes output to the desktop among its functions. If you are running the EPICenter server as a service, you must specifically tell it to allow output to the desktop.
Page 175: Inventory Manager
Inventory Manager Problem: Multiple switches have the same name. This is because the sysName of those switches is the same. Typically, Extreme Networks switches are shipped with the sysName set to the type of the switch “Summit48,” “Summit1i,” “Alpine3808,” and so on, depending on the type of switch.
Page 176: Grouping Manager
Troubleshooting Grouping Manager Problem: Cannot import users from Windows Domain Controller The EPICenter Server must be running with permissions that enable it to get user information from a Domain Controller. To verify and change permissions for the Web Server, do the following: 1 From the Start menu, highlight Settings, pull right, and click on the Control Panel.
Page 177: Stp Monitor
STP Monitor Problem: The Sync Links command removed legitimate links that were down. The EPICenter server cannot discover a link if the link is down. Therefore, when it rediscovers links it will only discover up links (or partially up links in the case of composite links). However, down links will automatically reappear when they come up again.
Page 178 Troubleshooting EPICenter Concepts and Solutions Guide...
Page 179: The Devcli Utility
EPICenter Utilities This appendix describes several utilities and scripts shipped with the EPICenter software: • The DevCLI utility, that can be used to add, modify, delete, and sync devices and device groups; and can be used to modify device configuration information from the EPICenter database using the devcli command •...
Page 180: Using The Devcli Commands
EPICenter Utilities Using the DevCLI Commands The utility is located in the root EPICenter install directory, by default \Program Files\Extreme in a Windows environment, or in a Solaris Networks\EPICenter 5.0 /opt/extreme/epc5_0 environment. The DevCLI utility supports the following four commands: •...
Page 181 The DevCLI Utility These commands support a set of options for specifying device information such as passwords and community strings, device group information such as device group names and member devices, as well as information about the EPICenter server, such as host name or IP address, port, and user name and password.
Page 182: Devcli Examples
EPICenter Utilities Most options default to the values equivalent to those used by default on Extreme Networks devices or in the EPICenter software. You can specify only one EPICenter server (database) in a command. If you want to add the same devices to multiple EPICenter databases, you must use a separate command for each server.
Page 183: Inventory Export Scripts
(Solaris) exports device information from the inv.bat <options> inv.sh <options> EPICenter database. To export device information to file under Windows, enter the command: devinfo.csv cd “\Program Files\Extreme Networks\EPICenter 5.0\user\scripts\bin” inv.bat -o devinfo.csv Under Solaris, enter the command: cd /opt/extreme/epc5_0/user/scripts/bin inv.sh -o devinfo.csv • (Windows), or (Solaris) exports slot information from the slots.bat <options>...
Page 184: Inventory Export Examples
EPICenter Utilities Windows, enter the command: cd “\Program Files\Extreme Networks\EPICenter 5.0\user\scripts\bin” msinv.bat -d -o alldevinfo.csv -s ..\config\servers.txt Under Solaris, enter the command: cd /opt/extreme/epc5_0/user/scripts/bin msinv.sh -d -o alldevinfo.csv -s ../config/servers.txt The server file defaults to the file in the directory. You can edit servers.txt...
Page 185: The Snmpcli Utility
The three scripts are located in the EPICenter directory under the EPICenter install user\scripts\bin directory (by default under Windows, or \Program Files\Extreme Networks\EPICenter 5.0 under Solaris). You must have the directory as your current /opt/extreme/epc5_0 user\scripts\bin directory in order to run these scripts.
Page 186: Snmpcli Examples
• To retrieve the values of the extremePrimaryPowerOperational extremeRedundantPowerStatus variables for the Extreme Networks device with IP address 10.205.0 99, with read community string “purple” and a timeout of 1000 ms, enter the following command: snmpcli snmpget -a 10.205.0.99 -r purple -t 1000 -o .1.3.6.1.4.1.1916.1.1.1.10.0 -o .1.3.6.1.4.1.1916.1.1.1.11.0...
Page 187: Port Configuration Utility
To run the Port Configuration utility, do the following: 1 Run the program from the Windows Start menu: Select Programs, then Extreme Networks, followed by EPICenter 5.0, then Port Configuration. The EPICenter Port Configuration window appears, as shown in Figure 72.
Page 188: The Alarmmgr Utility
EPICenter Utilities Figure 72: EPICenter Port Configuration Utility 2 Type in new port values for the ports you want to change. You can use the standard Windows Cut, Copy, and Paste functions from the Edit menu, or use the keyboard shortcuts ([Ctrl]+X, [Ctrl]+C, and [Ctrl]+V) to move values among the fields. The Apply button is enabled when there is text in some edit field.
Page 189: Using The Alarmmgr Command
. By <EPICenter_install_dir>/bin default this is in Windows, or \Program Files\Extreme Networks\EPICenter 5.0\bin in a UNIX environment. /opt/extreme/epc5_0/bin This command includes options for specifying EPICenter server access information and alarm filtering parameters. The syntax of the command is as follows: AlarmMgr -user <EPICenter username>...
Page 190 EPICenter Utilities Table 9: AlarmMgr command options (continued) Option Value Default -c <category> Display alarms that occur for a specific category. When these Category specification is case insensitive. Must options are categorie be quoted if category name includes spaces or combined, an other delimiters.
Page 191: Alarmmgr Output
The FindAddr Utility AlarmMgr Output The output from the AlarmMgr command is displayed as tab-delimited ascii text, one line per alarm. Each line contains the following information: Event ID of the alarm (assigned by the EPICenter server when the alarm is received) Name Name of the alarm Category...
Page 192: Using The Findaddr Command
. By <EPICenter_install_dir>/bin default this is in Windows, or \Program Files\Extreme Networks\EPICenter 5.0\bin in a UNIX environment. /opt/extreme/epc5_0/bin This command includes options for specifying EPICenter server access information, the address to be located, and a search domain (an individual device and ports, or a device or port group).
Page 193: Findaddr Output
The FindAddr Utility Table 10: FindAddr command options (continued) Option Value Default Search domain options: -dg <device group> Defines the search domain to include the At least one of -dip, None specified device group. -dg, or -pg must be provided. -pg <port group>...
Page 194: Findaddr Examples
. By <EPICenter_install_dir>/bin default this is in Windows, or \Program Files\Extreme Networks\EPICenter 5.0\bin in a UNIX environment. /opt/extreme/epc5_0/bin This command includes options for specifying EPICenter server access information, the transfer function to be performed (upload, download, incremental download, or ExtremeWare image download), the device on which to perform the operation on, and the file location on the server.
Page 195 The TransferMgr Utility The EPICenter user name, one of the four transfer options, and a device IP address are required. Other options are optional. EPICenter Concepts and Solutions Guide...
Page 196 EPICenter Utilities Table 11 specifies the options you can use with this command: Table 11: TransferMgr command options Option Value Default -user <username> EPICenter user name. This option is required. None -password <password> EPICenter user password. If the password is blank, do not No password include this argument.
Page 197: Transfermgr Examples
. You can change the location of the TFTP <EPICenter_install_dir>\user\tftp root directory by using the Server function of the EPICenter Configuration Manager applet. • Standard ExtremeWare software images as shipped by Extreme Networks are provided in the directory directory (by default <EPICenter_install_dir>\user\tftp\images...
Page 198: The Vlanmgr Utility
Assuming the default location for the TFTP root directory, and assuming that this command was executed on July 24, 2001 at 10:02 AM, this will place the device configuration information in the file \Program Files\Extreme Networks\EPICenter 5.0\user\tftp\configs\2001\07\24\10_20_30_40_1002.txt • To download version 6.1.8 b11 of the ExtremeWare to an i-series device, enter the following command: TransferMgr -user admin -software v618b11.xtr -dip 10.20.30.40...
Page 199 The VlanMgr Utility Table 12 specifies the options you can use with this command: Table 12: VlanMgr command options Option Value Default -user <username> EPICenter user name. This option is required. None -password <password> EPICenter user password. If the password is blank, do not include this argument.
Page 200 EPICenter Utilities Table 12: VlanMgr command options (continued) Option Value Default -port <ports> Ports to be included in the VLAN as untagged These options ports on the device specified by the preceding must immediately untagged -dip option. If this option is not included, any follow the -dip ports untagged ports configured on this device will be...
Page 201: Vlanmgr Output
The VlanMgr Utility VlanMgr Output The VlanMgr command displays output indicating the progress of the command as it configures the VLAN. VlanMgr Examples The following examples illustrate the usage of these commands. • To create untagged VLAN test1 consisting of untagged ports 2-5, on the switch with IP address 10.20.30.01, and add it to the EPICenter database running the local server with the default administrator name and password, enter the following command: VlanMgr -user admin -create test1 -dip 10.20.30.01 -port 2,3,4,5...
Page 202: The Importresources Utility
<EPICenter_install_dir>/bin By default this is in Windows, or \Program Files\Extreme Networks\EPICenter 5.0\bin in a UNIX environment. /opt/extreme/epc5_0/bin This command includes options for specifying EPICenter server access information, the operation to be performed (create, modify or delete), the name of the VLAN, and the devices in the VLAN with their configuration options.
Page 203: Importresources Examples
The ImportResources Utility Table 13 specifies the options you can use with this command: Table 13: ImportResources command options Option Value Default -user <username> EPICenter user name. This option is required. None -password <password> EPICenter user password. If the password is blank, do not No password include this argument.
Page 204 EPICenter Utilities This imports user data from the Windows Domain Controller that is serving the domain where the EPICenter server resides. EPICenter Concepts and Solutions Guide...
Page 205: Index
Index Numerics IP phones and EPICenter launching 802.1Q tag launching EPICenter Avaya, discovering devices Access Domain of a policy access levels. See user roles browser-based client Access List access list policies Access Points See APs Client History report Administrator access. See user roles client Tcl API.
Page 206 DLCS manually adding devices Dynamic Link Context System. See DLCS monitoring links organizing with device groups reports troubleshooting EPICenter uploading to Extreme Networks TAC architecture Inventory Export script components Inventory Manager feature summary IP address as policy components server components...
Page 207 policy types alarm event generation 55, 57 access-based security (QoS) alarm examples description event generation (figure) IP QoS (access lists) predefined alarms Source Physical Port QoS Startup Alarm VLAN threshold definition Port Configuration utility traps 22, 41, 42 ports Rogue AP Alarms report as policy components Rogue AP Detail report changing configuration...
Page 208 starting the client starting the server Tcl API wireless TCP SYN packets, blocking with IP policies client MAC spoofing Telnet applet clients with no encryption example macros interface report execution context monitoring unauthenticated clients execution role Spoofing Wireless Client Report terminology, About This Guide syslog reports third-party device support...

This manual is also suitable for:

Epicenter 5.0

Extreme Networks EPICenter Guide Manual

Preface

Introduction

Conventions

Related Publications

Chapter 1 Epicenter Overview

Introduction

Epicenter Features

Epicenter Software Architecture

Extreme Networks Switch Management

Chapter 2 Getting Started with Epicenter

Starting Epicenter

Getting Help

Working with the Epicenter Features

Epicenter User Roles

Creating the Device Inventory

Managing Device Configurations and Firmware

Using the Epicenter Alarm System

Using Topology Views

Using Basic Epicenter Reports

Chapter 3 Managing Your Network Assets

Creating a Network Component Inventory

Making Device Contact Information Changes

Organizing Your Inventory with Device Groups

Monitoring Critical Links with Port Groups

Inventory Reports

Chapter 4 Configuring and Monitoring Your Network

Scalable, Concurrent Multidevice Configuration

User-Defined Telnet Macros

Network-Wide VLAN Configuration

Graphical and HTML-Based Configuration Monitoring

Chapter 5 Managing Vlans

Graphical Configuration and Monitoring of Vlans

Network-Wide VLAN Membership Visibility

Network-Wide Multidevice VLAN Configuration

Displaying VLAN Misconfigurations with Topology Maps

Chapter 6 Managing Network Device Configurations and Updates

Archiving Component Configurations

Baseline Configurations

Device Configuration Management Log

Managing Firmware Upgrades

Chapter 7 Managing Network Security

Security Overview

Management Access Security

Monitoring Configuration Changes

Using Alarms to Monitor Potential Security Issues

MAC Address Finder

Device Syslog History

Network Access Security

Chapter 8 Managing Wireless Networks

Wireless Networking Overview

Inventory Management Using Wireless Reports

Security Monitoring with Reports

Detecting Rogue Access Points

Detecting Clients with Weak or no Encryption

Wireless Network Status with Reports

Performance Visibility with Reports

Debugging Access Issues with Syslog Reports

Fault Isolation with Reports

Chapter 9 Tuning and Debugging Epicenter

Monitoring and Tuning Epicenter Performance

Tuning the Alarm System

Using the MIB Poller Tools

Reconfiguring Epicenter Ports

Using the Epicenter Debugging Tools

Chapter 10 Voip and Epicenter-Avaya Integrated Management

Overview

Installation Considerations

Discovering Avaya Devices

Avaya Devices in Epicenter

Tools Menu Commands

Launching the Avaya Integrated Management Console from Epicenter

Monitoring IP Phones on Extreme Networks Devices

Epicenter System Properties for Avaya Integration

Launching Epicenter from the Avaya Integrated Management Console

Chapter 11 Policy Manager Overview

Overview of the Policy Manager

Basic Epicenter Policy Definition

Policy Types

Policy Named Components