Extreme Networks ExtremeWare 7.2e Installation And User Manual Download Page 143 | Manualshive

Page: 143 / 344

background image

IP Access Lists (ACLs)

ExtremeWare 7.2e Installation and User Guide

143

to compare with the incoming packets, and an action to take for packets that match. When you create
an access list, you must specify a value for each of the fields that make up the access mask used by the
list.

To create an access list, use the following command:

create access-list <name> access-mask <access-mask name> {dest-mac <dest_mac}

{source-mac <src_mac>} {vlan <name>} {ethertype [IP | ARP | <hex_value>]} {tos

<ip_precedence> | code-point <code_point>} {ipprotocol [tcp | udp | icmp | igmp |

<prococol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>}

{source-ip <src_IP>/<mask length>} {source-L4port <src_port> [permit {qosprofile

<qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value} |

permit-established | deny]

NOTE

The parameters of the create access list command must match identically to the parameters of the
create access-mask. The order of the parameters is also important. If the parameter are out-of-order,
many of the options become unavailable to the user.

For packets that match a particular access list, you can specify the following actions:

• Deny

—Matching packets are not forwarded.

• Permit-established

—Drop the packet if it would initiate a new TCP session (see, “The

permit-established Keyword” on page 145).

• Permit

—Forward the packet. You can send the packet to a particular QoS profile, and modify the

packet’s 802.1p value and/or DiffServ code point.

If a packet matches more than one access list, the switch uses the following rules to govern the actions
of the packet:

•

If the actions specified by the matching ACLs do not conflict, all of the actions are carried out.

•

If the actions conflict, the associated access mask precedence determines the course of action. The
access list with the highest precedence access-mask prevails.

To display information about one or more access lists, use the following command:

show access-list {<name> | port <portlist>}

To delete an access list, use the following command:

delete access-list <name>

Rate Limits

Rate limits are almost identical to access control lists. Incoming packets that match a rate limit access
control list are allowed as long as they do not exceed a pre-defined rate. Excess packets are either
dropped, or modified by resetting their DiffServ code point.

Each entry that makes up a rate limit contains a unique name and specifies a previously created access
mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and
an action to take for packets that match. Additionally, a rate limit specifies an action to take when

«
...
141
142
143
144
145
...
»

Summary of Contents for ExtremeWare 7.2e

Page 1: ...s Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 http www extremenetworks com ExtremeWare 7 2e Installation and User Guide Software Version 7 2e Published June 11 2004 Part number 10...

Page 2: ...r respective owners 2004 Extreme Networks Inc All Rights Reserved Specifications are subject to change without notice Adobe and Reader are registered trademarks of Adobe Systems Incorporated NetWare a...

Page 3: ...tures 21 Summit 400 48t Switch Front View 21 Summit 400 48t Switch Rear View 22 Summit 400 48t Switch LEDs 23 Mini GBIC Type and Support 24 Mini GBIC Type and Specifications 25 Port Connections 27 Upl...

Page 4: ...First Time 39 Installing Optional Features 39 Installing the Summit XEN Card 40 Installing the External Power System 42 Rack Mounting the EPS T 42 Adding a second EPS 160 to the EPS T 45 Removing an...

Page 5: ...er 70 Command Shortcuts 70 Switch Numerical Ranges 71 Names 71 Symbols 71 Limits 72 Line Editing Keys 72 Command History 72 Common Commands 72 Configuring Management Access 74 User Account 75 Administ...

Page 6: ...tocol 89 Configuring Automatic Failover for Combination Ports 89 Automatic Failover Examples 90 Chapter 5 Virtual LANs VLANs Overview of Virtual LANs 91 Benefits 91 Types of VLANs 92 Port Based VLANs...

Page 7: ...Class of Service 802 1p and DiffServ Traffic Groupings 115 Configuring DiffServ 117 Physical and Logical Groupings 119 Verifying Configuration and Performance 120 QoS Monitor 120 Displaying QoS Profil...

Page 8: ...t and Rate Limit Entries 145 Deleting Access Mask Access List and Rate Limit Entries 146 Verifying Access Control List Configurations 146 Access Control List Examples 147 Network Login 150 Authenticat...

Page 9: ...tch 179 Chapter 10 Ethernet Automatic Protection Switching Overview of the EAPS Protocol 181 EAPS Terms 183 Fault Detection and Recovery 184 Link Down Message Sent by a Transit Node 185 Ring Port Down...

Page 10: ...STP Settings 216 Chapter 12 IP Unicast Routing Overview of IP Unicast Routing 219 Router Interfaces 220 Populating the Routing Table 221 Subnet Directed Broadcast Forwarding 222 Proxy ARP 222 ARP Inc...

Page 11: ...ait Interval 242 OSPF Configuration Example 243 Configuration for ABR1 244 Configuration for IR1 244 Displaying OSPF Settings 245 OSPF LSDB Display 245 Authentication 245 Summarizing Level 1 IP Routin...

Page 12: ...using ExtremeWare Vista 261 IP Forwarding 262 License 263 OSPF 264 Ports 270 RIP 272 SNMP 275 Spanning Tree 277 Switch 281 User Accounts 281 Virtual LAN 282 Access List 284 Reviewing ExtremeWare Vista...

Page 13: ...Configuration 320 Using TFTP to Download the Configuration 321 Downloading a Complete Configuration 321 Downloading an Incremental Configuration 321 Scheduled Incremental Configuration Download 322 R...

Page 14: ...14 ExtremeWare 7 2 0 Software User Guide Contents...

Page 15: ...nsible for installing and setting up network equipment It assumes a basic working knowledge of Local area networks LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Inte...

Page 16: ...ption Screen displays This typeface indicates command syntax or represents information as it appears on the screen The words enter and type When you see the word enter in this guide you must type some...

Page 17: ...d information in the command reference guide PDF file This quick referencing capability enables you to easily find detailed information in the command reference guide for any command mentioned in the...

Page 18: ...18 ExtremeWare 7 2e Installation and User Guide Preface...

Page 19: ...efaults on page 32 Switch Installation on page 33 Determining the Switch Location on page 33 Following Safety Information on page 33 Installing the Switch on page 34 Installing or Replacing a Mini Gig...

Page 20: ...re queues Policy Based Quality of Service PB QoS Wire speed Internet Protocol IP routing Extreme Standby Router Protocol ESRP Aware support Ethernet Automated Protection Switching EAPS support Jumbo f...

Page 21: ...uplink redundancy When sharing ports only the fiber port or only the copper port can be active at the same time For more information on cabling and configuring this feature see Uplink Redundancy on p...

Page 22: ...not recommend that you use the management port to route traffic to any front panel port on the switch The management port is designed only for switch management purposes There are two LEDs for the ma...

Page 23: ...t status Each of the 48 copper 10 100 1000BASE T ports has an associated LED located above the port Fiber port status Each of the four optical fiber ports has an associated LED located above the port...

Page 24: ...d Amber blinking Off The internal power supply is operating normally The internal power supply has failed or the AC cord is not connected Check the cord connection If the power supply has failed repla...

Page 25: ...ble length restriction LX Mini GBIC Specifications Table 6 describes the specifications for the LX mini GBIC Table 4 Mini GBIC types and distances Standard Media Type Mhz Km Rating Maximum Distance Me...

Page 26: ...alculating the maximum distance attainable using optical cable with a specified loss per kilometer for example 0 25 dB km Extreme Networks recommends that 3 dB of the total budget be reserved for loss...

Page 27: ...d the first four of the 10 100 1000BASE T ports are designed as combination ports for uplink redundancy When sharing ports only the fiber port or only the copper port can be active at the same time If...

Page 28: ...ity see Configuring Ports on page 81 The Summit 400 48 switch Gigabit Ethernet port failover from the fiber link to the copper link takes 4 5 seconds The Summit 400 48t switch Gigabit Ethernet port fa...

Page 29: ...bandwidth and priority For more information on Quality of Service see Chapter 7 Unicast Routing The switch can route IP traffic between the VLANs that are configured as virtual router interfaces Both...

Page 30: ...1Q tag on the connecting port or if only a single VLAN is involved as untagged To display ESRP aware information use the following command show esrp aware vlan vlan name The display includes the group...

Page 31: ...stalled it should not be necessary to enter the information again However we recommend keeping the certificate for your records You can upgrade the licensing of an existing product by purchasing a vou...

Page 32: ...Global Factory Defaults Item Default Setting Serial or Telnet user account admin with no password and user with no password Web network management Enabled Telnet Enabled SSH2 Disabled SNMP Enabled SN...

Page 33: ...ckets are supplied with the switch When deciding where to install the switch ensure that The switch is accessible and cables can be connected easily Water or moisture cannot enter the case of the unit...

Page 34: ...d fully tighten with a suitable screwdriver as shown in Figure 5 Figure 5 Fitting the mounting bracket 5 Repeat steps 2 through 4 for the other side of the switch 6 Leave a half rack space between the...

Page 35: ...read the safety information in this section WARNING Mini GBICs can emit invisible laser radiation Avoid direct eye exposure to beam Mini GBICs are a class 1 laser device Use only devices approved by E...

Page 36: ...of mini GBIC modules Figure 6 Mini GBIC modules Mini GBICs are a 3 3 V Class 1 laser device Use only devices approved by Extreme Networks WARNING Mini GBICs can emit invisible laser radiation Avoid d...

Page 37: ...nsole port settings are set as follows Baud rate 9600 Data bits 8 Stop bit 1 Parity None Flow control None NOTE If you set the switch console port flow control to XON XOFF rather than None you will be...

Page 38: ...orts are temporarily disabled the port LED is off and the MGMT LED flashes fast The MGMT LED flashes until the switch successfully passes the POST If the switch passes the POST the MGMT LED is blinkin...

Page 39: ...t by typing config vlan default ipaddress 123 45 67 8 255 255 255 0 Your changes take effect immediately 6 Save your configuration changes so that they will be in effect after the next switch reboot b...

Page 40: ...he Summit XEN Card 1 Disconnect the AC power from the Summit 400 2 Use a standard screwdriver to remove the blank plate to expose the opening for the card 3 Install the XENPAK optical transceiver modu...

Page 41: ...to the card by turning the two captive screws clockwise until they are hand tight 7 Place the Summit XEN Card into the supplied drawer and carefully slide the drawer into the switch housing until the...

Page 42: ...e EPS 160 installs into an existing EPS T rack mountable chassis Each individual EPS 160 ships with an AC cord for use in the USA and a special redundant power supply cable CAUTION The Extreme Externa...

Page 43: ...e mounting bracket 5 Repeat steps 2 through 4 for the other side of the EPS T 6 Insert the EPS T into a 19 inch rack CAUTION Do not attach the AC power cord to the EPS 160 until it is properly mounted...

Page 44: ...upply cable to the Extreme switch This connector end can only be inserted into the switch with the end marked TOP facing up Table 12 Connection Specifications for the Redundant Connector Diagram Pin W...

Page 45: ...it is ready Table 3 on page 23 shows all the indicators for the power supply Adding a second EPS 160 to the EPS T To install an individual EPS 160 into the EPS T 1 Remove the EPS 160 from the packing...

Page 46: ...46 ExtremeWare 7 2e Installation and User Guide Summit 400 48t Switch Overview and Installation...

Page 47: ...can manage the switch using the following methods Access the CLI by connecting a terminal or workstation with terminal emulation software to the console port Access the switch remotely using TCP IP th...

Page 48: ...The management port is a DTE port and is not capable of supporting switching or routing functions The TCP IP configuration for the management port is done using the same syntax as used for VLAN config...

Page 49: ...et up correctly on your network you must provide the following information to the BOOTP server Switch Media Access Control MAC address found on the rear label of the switch IP address Subnet address m...

Page 50: ...in prompt enter your user name and password Note that they are both case sensitive Ensure that you have entered a user name and password with administrator privileges If you are logging in for the fir...

Page 51: ...ivileges 2 Determine the session number of the session you want to terminate by using the following command show session 3 Terminate the session by using the following command clear session number Con...

Page 52: ...ch Network Manager provides its own user interface to the management facilities The following sections describe how to get started if you want to use an SNMP manager It assumes you are already familia...

Page 53: ...ded to the switch using the configure snmp add community command To configure a trap receiver on a switch use the following command configure snmp add trapreceiver ip address port number community hex...

Page 54: ...are enabled on the switch for all ports SNMPv1 traps for link up and link down are not supported ExtremeWare uses SNMPv2 traps You can disable or re enable the sending of these traps on a per port ba...

Page 55: ...ing private use the following command configure snmp add trapreceiver 10 20 30 44 port 9347 community private trap group link up down traps system traps Table 13 lists the currently defined SNMP trap...

Page 56: ...Model USM system traps extremeOverheat extremeFanFailed extremeFanOK extremePowerSupplyFail extremePowerSupplyGood extremeModuleStateChange extremeHealthCheckFailed extremeCpuUtilizationRisingTrap ex...

Page 57: ...t exchanges are sniffed examined and information is learned about the contents The access control subsystem provides the ability to configure whether access to a managed object in a local MIB is allow...

Page 58: ...eID will be propagated to both of the MSMs The snmpEngineID can be configured from the command line but once the snmpEngineID is changed default users will be reverted back to their original passwords...

Page 59: ...ead write view defines the subtree that can be written to and notify view defines the subtree that notifications can originate from MIB views are discussed in the section MIB Access Control There are...

Page 60: ...a 16 octet key is provided as input to DES CBS encryption protocol which generates an encrypted PDU to be transmitted DES uses bytes 1 7 to make a 56 bit key This key encrypted itself is placed in ms...

Page 61: ...messages sent from an agent to the network manager typically in response to some state change on the agent system With SNMPv3 you can define precisely which traps you want sent to which receiver by de...

Page 62: ...params hex param name user hex user name mp model snmpv1 snmpv2c snmpv3 sec model snmpv1 snmpv2c usm sec level noauth authnopriv priv volatile To display the options associated with a target paramete...

Page 63: ...iated with tags currently in an internal structure called snmpNotifyTable will be notified To add an entry to the table use the following command configure snmpv3 add notify hex notify name tag hex ta...

Page 64: ...login is a feature designed to control the admission of user packets into a network by giving addresses only to users that have been properly authenticated Network login is controlled by an administr...

Page 65: ...and time in terms of a floating day as follows configure timezone name MET 60 autodst name MDT begins every last sunday march at 1 ends every last sunday october at 1 You can also specify a specific d...

Page 66: ...for the sntp client update interval before querying again 5 Optionally the interval for which the SNTP client updates the real time clock of the switch can be changed using the following command conf...

Page 67: ...ST Yukon Standard 10 00 600 AHST Alaska Hawaii Standard CAT Central Alaska HST Hawaii Standard 11 00 660 NT Nome 12 00 720 IDLW International Date Line West 1 00 60 CET Central European FWT French Win...

Page 68: ...tch are as follows configure timezone 480 autodst configure sntp client update interval 1200 enable sntp client configure sntp client primary server 10 0 1 1 configure sntp client secondary server 10...

Page 69: ...ence Guide Some commands are also described in this user guide in order to describe how to use the features of the ExtremeWare software However only a subset of commands are described here and in some...

Page 70: ...ames followed by an ellipses to indicate that there are more names than can be displayed The syntax helper also provides assistance if you have entered an incorrect command Abbreviated Syntax Abbrevia...

Page 71: ...or example in the syntax configure vlan vlan name ipaddress ipaddress you must supply a VLAN name for vlan name and an address for ip_address when entering the command Do not type the angle brackets s...

Page 72: ...ine Editing Keys Key s Description Backspace Deletes character to left of cursor and shifts remainder of line to left Delete or Ctrl D Deletes character under cursor and shifts remainder of line to le...

Page 73: ..._timezone_ID GMT_offset autodst name dst_timezone_ID dst_offset begins every floatingday on absoluteday at time_of_day ends every floatingday on absoluteday at time_of_day noautodst Configures the tim...

Page 74: ...clear licensing information This license cannot be disabled once it is enabled on the switch enable ssh2 access profile access profile none port tcp_port_number Enables SSH2 sessions By default SSH2...

Page 75: ...been terminated If you have logged on with administrator capabilities the command line prompt ends with a sign For example Summit18 Prompt Text The prompt text is taken from the SNMP sysname setting...

Page 76: ...ollowing command configure account user 4 Enter the new password at the prompt 5 Re enter the new password at the prompt NOTE If you forget your password while logged out of the command line interface...

Page 77: ...first create another administrator level account Remember to manually delete the default account again every time you download a configuration Domain Name Service Client Services The Domain Name Serv...

Page 78: ...s traceroute host name ip from source IP address ttl number port port number where ip_address is the IP address of the destination endstation hostname is the hostname of the destination endstation To...

Page 79: ...de 79 from uses the specified source address in the ICMP packet If not specified the address of the transmitting interface is used ttl configures the switch to trace the hops until the time to live ha...

Page 80: ...80 ExtremeWare 7 2e Installation and User Guide Accessing the Switch...

Page 81: ...Even though a port is disabled the link remains enabled for diagnostic purposes Configuring Switch Port Speed and Duplex Setting When configuring the speed and duplex setting for a port autonegotiatio...

Page 82: ...the system to autonegotiate use the following command configure ports portlist mgmt all auto on Summit 400 ports do not advertise or support flow control frames Turning Off Autonegotiation for a Gigab...

Page 83: ...en endstations that support larger frame sizes for more efficient transfers of bulk data Both endstations involved in the transfer must be capable of supporting jumbo frames The switch only performs I...

Page 84: ...nd DF set When the source host receives the message sometimes called a Datagram Too Big message the source host reduces its assumed path MTU and retransmits the datagrams The path MTU discovery proces...

Page 85: ...ragmentation can only be used for traffic that stays within the same VLAN To use IP fragmentation for traffic that is set to other VLANs you must configure all ports in the VLAN for jumbo frame suppor...

Page 86: ...llowing command configure sharing address based ip dest ip source ip source dest mac dest mac source mac source dest where ip dest Indicates that the switch should examine the IP destination address i...

Page 87: ...see the ExtremeWare Software User Guide To define a load sharing group you assign a group of ports to a single logical port number To enable or disable a load sharing group use the following commands...

Page 88: ...fic You can define the traffic filter based on the physical port All data that traverses the port regardless of VLAN configuration is copied to the monitor port Up to eight mirroring filters and one m...

Page 89: ...port configure mirroring add port 1 default Extreme Discovery Protocol The Extreme Discovery Protocol EDP is used to gather information about neighbor Extreme Networks switches EDP is used by the swi...

Page 90: ...k is not used even if available Automatic Failover Examples If we can establish port 4 as the primary uplink and port 4X as the redundant uplink port using the CLI configure ports 4 preferred medium c...

Page 91: ...m The segments are defined by flexible user groups you create with the command line interface Benefits Implementing VLANs on your networks has the following advantages VLANs help to control traffic Wi...

Page 92: ...port based VLAN you must remove it from the default VLAN unless the new VLAN uses a protocol other than the default protocol any A port can be a member of only one port based VLAN On the Summit 400 s...

Page 93: ...t 4 on system 1 the BlackDiamond switch and port 1X on system 2 the Summit 400 switch Figure 14 Single port based VLAN spanning two switches To create multiple VLANs that span two switches in a port b...

Page 94: ...ytes This may affect packet error counters in other devices and may also lead to connectivity problems if non 802 1Q bridges or routers are placed in the path Uses of Tagged VLANs Tagging is most comm...

Page 95: ...switch the switch determines in real time if each destination port should use tagged or untagged packet formats for that VLAN The switch adds and strips tags as required by the port configuration for...

Page 96: ...d goes to the other stations on this network is not tagged Mixing Port Based and Tagged VLANs You can configure the switch using a combination of port based and tagged VLANs A given port can be a memb...

Page 97: ...Default VLAN The switch ships with one default VLAN that has the following properties The VLAN name is default It contains all the ports on a new or initialized switch The default VLAN is untagged on...

Page 98: ...keyword vlan after you have created the unique VLAN name You can use the VLAN name alone The following example creates a tag based VLAN named video It assigns the VLANid 1000 Ports 4 through 8 are ad...

Page 99: ...rt MAC Based VLAN Guidelines When using the MAC to VLAN mapping consider the following guidelines A port can only accept connections from an endstation host and should not be connected to a layer 2 re...

Page 100: ...ted with it allowing it to be plugged into any port that is in MacVlanDiscover mode ports 10 15 in this case The MAC address 00 00 00 00 00 01 has a group number of 10 associated with it and can only...

Page 101: ...incremental configuration without the automatic rebooting of the switch The following example shows an incremental configuration file for MAC based VLAN information that updates the database and save...

Page 102: ...102 ExtremeWare 7 2e Installation and User Guide Virtual LANs VLANs...

Page 103: ...entifier for the port and VLAN on which it was received The age of the entry The number of IP FDB entries that use this MAC address as a next hop or last hop Flags Frames destined for MAC addresses th...

Page 104: ...ers the MAC address in the packets that it examines A permanent dynamic entry is typically used to associate QoS profiles with the FDB entry Permanent dynamic entries are identified by the p and d fla...

Page 105: ...en exceeded Blackhole entries are treated like permanent entries in the event of a switch reset or power off on cycle Blackhole entries are never aged out of the database Disabling MAC Address Learnin...

Page 106: ...order to use this feature you must create a wildcard permanent FDB entry named any mac and apply the QoS profile to the individual MAC entry NOTE For more information on QoS profiles see Chapter 7 FDB...

Page 107: ...tatic entries can be deleted if the switch is reset Displaying FDB Entries To display FDB entries use the following command show fdb mac_address permanent ports portlist vlan vlan name where the follo...

Page 108: ...108 ExtremeWare 7 2e Installation and User Guide Forwarding Database FDB...

Page 109: ...page 115 Configuring DiffServ on page 117 Physical and Logical Groupings on page 119 Verifying Configuration and Performance on page 120 Verifying Configuration and Performance on page 120 Modifying a...

Page 110: ...for each traffic type are given below and summarized in Table 21 Consider them as general guidelines and not strict recommendations Once QoS parameters are set you can monitor the performance of the...

Page 111: ...is may be created by some Java based applications In addition Web based applications are generally tolerant of latency jitter and some packet loss however small packet loss may have a large impact on...

Page 112: ...ttributes such as bandwidth The parameters that make up a QoS profile include Priority The level of priority assigned to a hardware queue on a physical port There are eight different available priorit...

Page 113: ...ermined precedence for which traffic grouping will apply In general the more specific traffic grouping takes precedence By default all traffic groupings are placed in the QoS profile Qp1 The supported...

Page 114: ...e 2000 create access list alist amask dest ip 10 1 2 1 24 source ip 10 1 1 1 24 permit qosprofile qp3 To create a MAC based traffic grouping use this command create fdbentry 00 11 22 33 44 55 vlan Def...

Page 115: ...nfigures the switch to not forward any packets to the destination MAC address on any ports for the VLAN specified The blackhole option is configured using the following command create fdbentry mac_add...

Page 116: ...priority field maps it to a specific hardware queue when subsequently transmitting the packet The 802 1p priority field is located directly following the 802 1Q type field and preceding the 802 1Q VL...

Page 117: ...nsmitting the packet This behavior is not affected by the switching or routing configuration of the switch However the switch is capable of replacing the 802 1p priority information To replace 802 1p...

Page 118: ...ble DiffServ information use the following command enable diffserv examination ports portlist all To disable DiffServ information use the following command disable diffserv examination ports portlist...

Page 119: ...e To display the DiffServ configuration use the following command show ports mgmt portlist info detail NOTE The show ports command displays only the default code point mapping Physical and Logical Gro...

Page 120: ...t hardware queues QP1 QP8 associated with any port s The QoS monitor keeps track of the number of frames and the frames per second that a specific ingress queue is responsible for transmitting on a ph...

Page 121: ...0 0 Displaying QoS Profile Information The QoS monitor can also be used to verify the QoS configuration and monitor the use of the QoS policies that are in place To display QoS information on the swi...

Page 122: ...al groupings of a source port or VLAN re apply the QoS profile to the source port or VLAN as documented You can also save and reboot the switch Traffic Rate Limiting The Summit 400 switch rate limitin...

Page 123: ...y for viewing port statistic information The summary information lists values for the current counter against each port on each operational module in the system and it is refreshed approximately every...

Page 124: ...expired Transmit Deferred Frames TX Deferred The total number of frames that were transmitted by the port after the first transmission attempt was deferred by other network traffic Transmit Errored Fr...

Page 125: ...eboot shutdown Where the following is true none Configures the level to no recovery all Configures ExtremeWare to log an error into the syslog and automatically reboot the system after any task except...

Page 126: ...played both on the console and from telnet sessions display stored log messages from the memory buffer or NVRAM upload event logs stored in memory to a TFTP server display counts of event occurrences...

Page 127: ...t matches any messages the expression that matches any message is displayed as Match none from the command line And finally each target has a format associated with it To display the current log confi...

Page 128: ...e filter can specify exactly which message it will pass Constructing a filter is discussed in the section Filtering By Components and Conditions Components and Conditions Beginning with the introducti...

Page 129: ...A component or subcomponent will often have several conditions associated with it To see the conditions associated with a component use the following command show log events event condition all event...

Page 130: ...event condition to pass You might create a filter from scratch if you wanted to pass a small set of events and block most If you want to exclude a small set of events there is a default filter that pa...

Page 131: ...or this filter since no match was configured for this filter Matches are discussed in the section Matching Expressions Each time a filter item is added to or deleted from a given filter the events spe...

Page 132: ...nvram session syslog host name ip udp port local0 local7 filter filter name severity severity only Each event in ExtremeWare is defined with a message format and zero or more parameter types The show...

Page 133: ...meter types in the match criteria need not be present in the event definition Formatting Event Messages Event messages are made up of a number of items The individual items can be formatted however EM...

Page 134: ...ing only affects the current session and is lost when you log off the session The messages that are displayed depend on the configuration and format of the target See the section Filtering Events Sent...

Page 135: ...rences of events Even when an event is filtered from all log targets the event is counted The exception to this is events of any of the debug severities which are only counted when the log debug mode...

Page 136: ...your targets will still affect which messages are passed on or blocked NOTE Previous versions of ExtremeWare used the debug trace command to enable debugging Not all systems in ExtremeWare were conver...

Page 137: ...mmand related to remote syslog hosts configure syslog add host name ip udp port local0 local7 severity is equivalent to the following two commands configure syslog add hostname IP udp port local0 loca...

Page 138: ...lligent remotely controlled device or software agent that continually collects statistics about a LAN segment or VLAN The probe transfers the information to a management workstation on request or when...

Page 139: ...both log and send a trap The RMON traps are defined in RFC 1757 for rising and falling thresholds Effective use of the Events group saves you time Rather than having to watch real time graphs for imp...

Page 140: ...you can define for each alarm are shown in Table 29 To be notified of events using SNMP traps you must configure one or more trap receivers as described in Chapter 2 Table 29 Event Actions Action High...

Page 141: ...sers Using RADIUS or TACACS on page 170 Secure Shell 2 SSH2 on page 177 Security Overview Extreme Networks products incorporate a number of features designed to enhance the security of your network No...

Page 142: ...describe how to use access control lists Access Masks There are sixteen access masks available in the Summit 400 48t depending on which features are enabled on the switch Each access mask is created w...

Page 143: ...initiate a new TCP session see The permit established Keyword on page 145 Permit Forward the packet You can send the packet to a particular QoS profile and modify the packet s 802 1p value and or Diff...

Page 144: ...limit value can be set at 8 16 24 32 1000 Mbps NOTE The rate limit specified in the command line does not precisely match the actual rate limit imposed by the hardware due to hardware constraints See...

Page 145: ...efault rule is specified the default behavior is to forward the packet NOTE If your default rule denies traffic you should not apply this rule to the Summit 400 48t port used as a management port Once...

Page 146: ...ntrol list using an access mask without ports defined will require 5 rules one for each of the 5 blocks of ports on the hardware The maximum number of rate limiting rules allowed is 315 63 5 This numb...

Page 147: ...10 10 100 and 10 10 20 100 IP Forwarding is enabled Figure 20 Permit established access list example topology The following sections describe the steps used to configure the example Step 1 Deny IP Tr...

Page 148: ...tocol tcp dest ip 10 10 20 100 32 source ip 10 10 10 100 32 ports 2 permit qp1 create access list tcp2_1 ip_addr_mask ipprotocol tcp dest ip 10 10 10 100 32 source ip 10 10 20 100 32 ports 10 permit q...

Page 149: ...t 23 ports 10 permit established NOTE This step may not be intuitive Pay attention to the destination and source address the ingress port that the rule is applied to and the desired affect NOTE This r...

Page 150: ...thenticated Network Login is controlled by an administrator on a per port per VLAN basis When Network Login is enabled on a port in a VLAN that port will not forward any packets until authentication t...

Page 151: ...e the switch so that the user is placed on the correct VLAN When a new user accesses the network 802 1x authenticates the user through a RADIUS server to a user in an NT domain The reply from the RADI...

Page 152: ...ation happens transparently Authentication happens at layer 2 Does not involve getting a temporary IP address and subsequent release of the address to a get a more permanent IP address Allows for peri...

Page 153: ...2 1x client if using 802 1x authentication Modes of Operation Network login has two modes of operation Campus mode ISP mode Campus Mode Campus mode is meant for mobile users who tend to move from one...

Page 154: ...alled in the computer certificate store and user authentication requires a certificate installed in the individual user s certificate store By default the XP machine performs computer authentication a...

Page 155: ...others use 802 1x There are certain restrictions for multiple supplicant support Web based mode will not support Campus mode for multiple supplicant because once the first MAC gets authenticated the...

Page 156: ...port has been added for Network Login Network Login and MAC limits cannot be used together on the same switch see Network Login on page 150 EAP NAK cannot be used to negotiate 802 1x authentication ty...

Page 157: ...needed files Once the user has installed the certificate from the Certificate Authority and downloaded the 802 1x client the user can reconnect to the network using 802 1x without the need to authenti...

Page 158: ...ess A page opens with a link for Network Login 6 Click the Network Login link A dialog box opens requesting a username and password 7 Enter the username and password configured on the RADIUS server Af...

Page 159: ...isplaying DHCP Information To display the DHCP configuration including the DHCP range DHCP lease timer network login lease timer DHCP enabled ports IP address MAC address and time assigned to each end...

Page 160: ...val Session refresh is disabled by default To enable or disable network login logout privilege use one of the following commands enable netlogin logout privilege disable netlogin logout privilege This...

Page 161: ...figuring an Access Profile Mode After the access profile is created you must configure the access profile mode The access profile mode determines whether the items in the list are to be permitted acce...

Page 162: ...and ignore all addresses within the subnet If you are using off byte boundary subnet masking the same logic applies but the configuration is more tricky For example the network address 141 251 24 128...

Page 163: ...AS number 1 followed by any AS number from 2 8 and ending with either AS number 11 13 or 15 configure access profile AS1 add 20 deny as path 111 2 8 This command configures the access profile to deny...

Page 164: ...le none Import Filter Use an access profile to determine which RIP routes are accepted as valid routes This policy can be combined with the trusted neighbor policy to accept selected routes only from...

Page 165: ...s to build the access policy would be create access profile nosales ipaddress configure access profile nosales mode deny configure access profile nosales add 10 2 1 0 24 configure rip vlan backbone im...

Page 166: ...iated LSAs in that area time out ASBR Filter For switches configured to support RIP and static route re distribution into OSPF an access profile can be used to limit the routes that are advertised int...

Page 167: ...Neighbor Use an access profile to determine trusted PIM router neighbors for the VLAN on the switch running PIM To configure a trusted neighbor policy use the following command configure pim vlan vla...

Page 168: ...U with packets requiring costly processing DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that o...

Page 169: ...but not class D address with checksum errors and non IP packets Broadcast traffic IP multicast unknown These are IPMC packets that do not have corresponding IPMC FDB entries Learning packets These ar...

Page 170: ...tremeWare provides two methods to authenticate users who login to the switch RADIUS client TACACS RADIUS Client Remote Authentication Dial In User Service RADIUS RFC 2138 is a mechanism for authentica...

Page 171: ...and disable radius Configuring RADIUS Accounting Extreme switches are capable of sending RADIUS accounting information As with RADIUS authentication you can specify two servers for receipt of accounti...

Page 172: ...erver for communicating back to the switch RADIUS RFC 2138 Attributes The RADIUS RFC 2138 optional attributes supported are as follows User Name User Password Service Type Login IP Host Using RADIUS S...

Page 173: ...secret is incorrectly sent to the switch resulting in an inability to authenticate As a work around do not configure a shared secret for RADIUS accounting and authentication servers on the switch Lim...

Page 174: ...articular command The asterisk cannot be used as the beginning of a command Reserved words for commands are matched exactly to those in the profiles file Due to the exact match it is not enough to sim...

Page 175: ...thentication enable the CLI authorization function and indicate a profile name for that user If authorization is enabled without specifying a valid profile the user is unable to perform any commands N...

Page 176: ...ve Profile Name Profile1 Filter Id unlim Extreme Extreme CLI Authorization Enabled lulu Password Service Type Administrative Profile Name Profile1 Filter Id unlim Extreme Extreme CLI Authorization Ena...

Page 177: ...the F Secure SSH client products from Data Fellows corporation These applications are available for most operating systems For more information see the Data Fellows website at http www datafellows co...

Page 178: ...pregenerated key The key generation process generates the SSH2 private host key The SSH2 public host key is derived from the private host key and is automatically transmitted to the SSH2 client at th...

Page 179: ...h can function as an SSH2 client This means you can connect from the switch to a remote device running an SSH2 server and send commands to that device You can also use SCP2 to transfer files to and fr...

Page 180: ...180 ExtremeWare 7 2e Installation and User Guide Security...

Page 181: ...ge of converging in less than a second when a link in the ring breaks An Ethernet ring built using EAPS can have resilience comparable to that provided by SONET rings at a lower cost and with fewer re...

Page 182: ...ks the secondary port for all non control traffic belonging to this EAPS domain thereby avoiding a loop in the ring like STP Layer 2 switching and learning mechanisms operate per existing standards on...

Page 183: ...ther information about neighbor Extreme switches Extreme switches use EDP to exchange topology information master node A switch or node that is designated the master in an EAPS domain ring The master...

Page 184: ...the switch for the master node to determine whether the ring is complete To avoid loops in the network the control VLAN must be NOT be configured with an IP address and ONLY ring ports may be added to...

Page 185: ...e master node will receive the health check packet on its secondary port the control VLAN is not blocked on the secondary port When the master node receives the health check packet it resets its failt...

Page 186: ...all its associated transit nodes to flush their forwarding databases When the transit nodes receive the message to flush their forwarding databases they perform these steps 1 Flush their forwarding d...

Page 187: ...hese commands apply only to the master node If you configure the polling timers for a transit node they will be ignored If you later reconfigure that transit node as the master node the polling timer...

Page 188: ...ports As part of the protection switching scheme one port must be configured as the primary port the other must be configured as the secondary port If the ring is complete the master node prevents a...

Page 189: ...High priority setting by itself should ensure that the control VLAN traffic gets through a congested port first you should not need to set the QoS profile minimum bandwidth minbw or maximum bandwidth...

Page 190: ...S port sets its internal configuration state to INVALID which causes the port to appear in the Idle state with a port status of Unknown when you use the show eaps name detail command to display the st...

Page 191: ...s 1 EAPSD Bridge links 2 Name eaps1 instance 0 State Links Up Running Yes Enabled Yes Mode Transit Primary port 10 Port status Up Tag status Tagged Secondary port 20 Port status Up Tag status Tagged H...

Page 192: ...tinue to remain in COMPLETE or INIT state with it s secondary port blocking Running Yes This EAPS domain is running No This EAPS domain is not running Enabled Indicates whether EAPS is enabled on this...

Page 193: ...This value is set internally by the EAPS software Last update 1 Displayed only for transit nodes indicates the last time the transit node received a hello packet from the master node identified by its...

Page 194: ...194 ExtremeWare 7 2e Installation and User Guide Ethernet Automatic Protection Switching...

Page 195: ...switch makes your network more fault tolerant The following sections explain more about STP and the STP features supported by ExtremeWare NOTE STP is a part of the 802 1d bridge specification defined...

Page 196: ...ning tree If you delete a STPD the VLANs that were members of that STPD are also deleted You must remove all VLANs associated with the STP before deleting the STPD to preserve the VLAN configuration S...

Page 197: ...STPDs running in this mode have a one to one relationship with VLANs and send and process packets in PVST format With this implementation on the Summit 400 PVST is also limited to supporting a single...

Page 198: ...spanning tree name detail STP Configurations When you assign VLANs to an STPD pay careful attention to the STP configuration and its effect on the forwarding of VLAN traffic This section describes tw...

Page 199: ...te and all bridging loops are prevented The VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The topology has no loops because STP has already blocke...

Page 200: ...rketing Therefore if the trunk for VLAN marketing on switches 1 and 3 is blocked the traffic for VLAN marketing will not be able to traverse the switches NOTE If an STPD contains multiple VLANs all VL...

Page 201: ...STPDS you do not have to create a separate domain for VLAN red Instead VLAN red is piggybacked onto those domains local to other VLANs Figure 33 VLAN Spanning Multiple STPDs In addition the configurat...

Page 202: ...tiple non PVST VLANs to be in the same STP domain Native VLAN In PVST the native VLAN must be peered with default VLAN on Extreme devices as both are the only VLAN allowed to send and receive untagged...

Page 203: ...rtest path to the root bridge All bridges except the root bridge contain one root port For more information about the root port see Port Roles on page 203 designated port Provides the shortest path co...

Page 204: ...ent To prevent loops in the network there is only one designated port on each LAN segment To select the designated port all bridges that are connected to a particular segment listen to each other s BP...

Page 205: ...The range is 1 to 10 seconds Forward delay A port moving from the blocking state to the forwarding state uses the forward delay timer to transition through the listening and learning states In RSTP th...

Page 206: ...nfirmed If an edge port receives a BPDU it enters an inconsistency state An inconsistency state puts the edge port into the blocking state and starts the message age timer Every time the edge port rec...

Page 207: ...d bridge Figure 34 Example of root port rapid behavior If the backup port receives the BPDU first STP processes this packet and temporarily elects this port as the new root port while the designated p...

Page 208: ...forwarding state after receiving a single agree message Receiving Bridge Behavior The receiving bridge must decide whether or not to accept a proposal from a port Upon receiving a proposal for a root...

Page 209: ...n The preceding steps describe how the network reconverges 1 If the link between bridge A and bridge F goes down bridge F detects the root port is down At this point bridge F Immediately deletes that...

Page 210: ...update bridge E Regards itself as the new root bridge Sends BPDU messages on both of its root ports to bridges F and D respectively Figure 37 New root bridge selected 3 When bridge F receives the supe...

Page 211: ...t confirmation of its designated role and to rapidly move the port into the designated state Figure 39 Sending a propose message to confirm a port role 5 Upon receiving the proposal bridge E Performs...

Page 212: ...cting with legacy STP bridges Each RSTP bridge contains a port protocol migration state machine to ensure that the ports in the STPD operate in the correct configured mode The state machine is a proto...

Page 213: ...to that port If a port supports 802 1w STPD then the port must be configured with a default VLAN If not the BPDUs for that STPD are not flooded when the STPD is disabled If an STPD contains both PVST...

Page 214: ...his section provides three configuration examples Basic 802 1d STP RSTP 802 1w Basic 802 1d Configuration Example The following example creates and enables an STPD named Backbone_st It assigns the Man...

Page 215: ...lan personnel create vlan marketing configure vlan sales add ports 1 2 tagged configure vlan personnel add ports 1 2 tagged configure vlan marketing add ports 1 2 tagged configure stpd stpd1 add vlan...

Page 216: ...ree name ports portlist detail This command displays the following information STPD port configuration STPD port mode of operation STPD path cost STPD priority STPD state root bridge and so on Port ro...

Page 217: ...Displaying STP Settings ExtremeWare 7 2e Installation and User Guide 217 STPD port state forwarding blocking and so on Configured port link type Operational port link type...

Page 218: ...218 ExtremeWare 7 2e Installation and User Guide Spanning Tree Protocol STP...

Page 219: ...1256 ICMP Router Discovery Messages RFC 1812 Requirements for IP Version 4 Routers NOTE For more information on interior gateway protocols see Chapter 13 Overview of IP Unicast Routing The switch pro...

Page 220: ...igure the IP address belonging to the same subnet on different VLANs In Figure 44 a switch is depicted with two VLANs defined Finance and Personnel Port 8 15 are assigned to Finance ports 24 48 are as...

Page 221: ...le when an update for the network is not received for a period of time as determined by the routing protocol Static Routes Static routes are manually entered into the routing table Static routes are u...

Page 222: ...he path over which the traffic will travel Subnet Directed Broadcast Forwarding You can enable or disable the hardware forwarding of subnet directed broadcast IP packets This allows the switch to forw...

Page 223: ...some networks it is desirable to configure the IP host with a wider subnet than the actual subnet mask of the segment Proxy ARP can be used so that the router answers ARP Requests for devices outside...

Page 224: ...ress ipaddress netmask mask length Ensure that each VLAN has a unique IP address 3 Configure a default route using the following command configure iproute add default gateway metric Default routes are...

Page 225: ...t and VLAN for each host show ipconfig Displays configuration information for one or more VLANs Routing Configuration Example Figure 45 illustrates a switch that has three VLANs defined as follows Fin...

Page 226: ...chables time exceeded parameter problems redirects time stamp and address mask requests To enable or disable the generation of an ICMP address mask reply on one or all VLANs use the following commands...

Page 227: ...lists are described in Chapter 9 Configuring DHCP BOOTP Relay Once IP unicast routing is configured you can configure the switch to forward Dynamic Host Configuration Protocol DHCP or BOOTP requests c...

Page 228: ...o disable the DHCP relay agent option use the following command unconfigure bootprelay dhcp agent information option In some instances a DHCP server may not properly handle a DHCP request packet conta...

Page 229: ...packets by port number that are used and where they are to be forwarded You must give the profile a unique name in the same manner as a VLAN protocol filter or Spanning Tree Domain Next configure a VL...

Page 230: ...ver You can use UDP Echo packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command enable udp echo server To d...

Page 231: ...ge 242 Configuring OSPF on page 242 OSPF Configuration Example on page 243 Displaying OSPF Settings on page 245 This chapter assumes that you are already familiar with IP unicast routing If not refer...

Page 232: ...dentical routing table created from information obtained from all routers in the autonomous system Each router builds a shortest path tree using itself as the root The link state protocol ensures that...

Page 233: ...ds default value or if there is a change to the overall routed topology also called triggered updates If a router does not receive an update message from its neighbor within the route timeout period 1...

Page 234: ...version 1 to include Variable Length Subnet Masks VLSMs Support for next hop addresses which allows for optimization of routes in certain environments Multicasting RIP version 2 packets can be multica...

Page 235: ...e domain which ensures that all routers have a consistent view of the network Consistency is achieved by Limiting the number of external LSAs in the database of each router Ensuring that all routers h...

Page 236: ...e capable router so that it becomes the elected DR For transmission to continue reliably across the network the backup designated router BDR must also support opaque LSAs NOTE Opaque LSAs are supporte...

Page 237: ...to reduce memory consumption and computation requirements on OSPF routers Use the following command to configure an OSPF area as a stub area configure ospf area stub stub default cost Not So Stubby A...

Page 238: ...area that connects to the backbone A virtual link must be established between two ABRs that have a common area with one ABR connected to the backbone Figure 46 illustrates a virtual link NOTE Virtual...

Page 239: ...e OSPF link type based on the interface type This is the default setting Broadcast Any Routers must elect a designated router DR and a backup designated router BDR during synchronization Ethernet is a...

Page 240: ...re distribution Configuring Route Re Distribution Exporting routes from one protocol to another and from that protocol to the first one are discreet configuration functions For example to run OSPF an...

Page 241: ...s ase type 1 Enable or disable the export of virtual IP addresses to other OSPF routers using the following commands enable ospf export direct rip static cost number ase type 1 ase type 2 tag number d...

Page 242: ...ddress 192 207 35 1 configure Personnel ipaddress 192 207 36 1 enable ipforwarding configure rip add vlan all enable rip Configuring OSPF Each switch that is configured to run OSPF must have a unique...

Page 243: ...alue is 5 seconds NOTE The OSPF standard specifies that wait times are equal to the dead router wait interval OSPF Configuration Example Figure 49 is an example of an autonomous system using OSPF rout...

Page 244: ...l routers Uses default routes for inter area routing Two router configurations for the example in Figure 49 are provided in the following section Configuration for ABR1 The router labeled ABR1 has the...

Page 245: ...ering criteria for the show ospf lsdb command You can specify multiple search criteria and only results matching all of the criteria are displayed This allows you to control the displayed entries in l...

Page 246: ...d on the level 1 area Matches are included in the level 2 LSP You can also configure the level 2 router to disregard the summary information This effectively acts as a filter preventing reachability i...

Page 247: ...ot attach to any level 1 2 switch it is part of a level 1 only network a switch that attaches to at least one level 1 2 switch but none of the level 1 2 switches are attached to a level 2 backbone net...

Page 248: ...248 ExtremeWare 7 2e Installation and User Guide Interior Gateway Protocols...

Page 249: ...04 The following URLs point to the Web sites for the IETF Working Groups IEFT PIM Working Group http www ietf org html charters pim charter html IP Multicast Routing Overview IP multicast routing is a...

Page 250: ...r receiving and distributing multicast packets RPs are elected by a bootstrap router BSR The job of the BSR is to broadcast bootstrap messages disseminate RP information and to elect the RP You may on...

Page 251: ...router neighbors for the VLAN on the switch running PIM To configure a trusted neighbor policy enter the following command configure pim vlan vlan name all trusted gateway access profile none For exa...

Page 252: ...hin a VLAN sends an IGMP leave message then the router will not receive any responses to the query and the router immediately will remove the VLAN from the multicast group Static IGMP In order to rece...

Page 253: ...d troubleshooting A request is sent to a multicast router and the router responds with the following information code version system multicast information interface information interface IP address in...

Page 254: ...timeout seconds maximum hops number Configuring IP Multicasting Routing To configure IP multicast routing you must do the following 1 Configure the system for IP unicast routing 2 Enable multicast ro...

Page 255: ...re ospf add vlan all enable ipforwarding enable ipmcforwarding configure pim add vlan all sparse create access profile rp list ipaddress configure rp list add ipaddress 224 0 0 0 240 0 0 0 enable loop...

Page 256: ...256 ExtremeWare 7 2e Installation and User Guide IP Multicast Routing...

Page 257: ...nly a subset of the CLI some commands for the Summit 400 are not available using ExtremeWare Vista If a particular command is not represented in ExtremeWare Vista you must use the CLI to achieve the d...

Page 258: ...maximize the amount of information displayed in the content frame The recommended resolution is 1024 x 768 pixels You can also use 800 x 600 pixels Turn off one or more of the browser toolbars to maxi...

Page 259: ...e Vista ExtremeWare 7 2e Installation and User Guide 259 Figure 51 Home Page for ExtremeWare Vista 2 Click Logon to open the Username and Password dialog box shown in Figure 52 Figure 52 Username and...

Page 260: ...remeWare Vista pages use a common HTML frameset comprised of two frames a content frame and a task frame The content frame contains the main body of information in ExtremeWare Vista The task frame con...

Page 261: ...ed by incorrectly configured settings Success Displays informational messages after you click Submit The message displayed reads Request was submitted successfully These informational messages indicat...

Page 262: ...across VLANs For an example of this window see Figure 55 In the top of the window is a table that shows each existing IP interface configuration The configuration box that follows allows you to use th...

Page 263: ...24 Subnet Directed Broadcast Forwarding on page 222 IP Multicast Routing Overview on page 249 Figure 55 IP Interface Configuration License The License window allows you to enable the Advanced Edge lic...

Page 264: ...IP static and direct interface routes to OSPF 2 Create or delete an OSPF area 3 Configure a range of IP addresses in an OSPF area 4 Configure an OSPF area 5 Configure an IP interface for OSPF 6 Config...

Page 265: ...ications Use 0 if you do not have specific requirements for using a tag The tag value in this instance has no relationship with 802 1Q VLAN tagging Set the OSPF router ID to a user specified value or...

Page 266: ...to add a range to an area set a netmask or to specify advertising If advertised the range is exported as a single LSA by the ABR You can also delete a range of IP addresses in an OSPF area Figure 58...

Page 267: ...ate a VLAN with an area ID Configure OSPF for each VLAN area Configure a route filter for non OSPF routes exported into OSPF Configure the timers for one interface in the same OSPF area Configure misc...

Page 268: ...F for each VLAN by VLAN name or area ID The third box shown in Figure 60 allows you to Select the VLAN by name that is being changed Enable or disable OSPF on the interface Specify whether the interfa...

Page 269: ...configure an interface This section is shown at the bottom of Figure 62 The table displays the interface and whether an interface type is currently configured The configuration box allows you to speci...

Page 270: ...either active or ready Autonegotiation Indicates whether to autonegotiate the port speed and the duplex mode Autonegotiation is either enabled or disabled Configuration Speed The setting for port spe...

Page 271: ...arameters before submitting the change The selectable fields are Port Number Port numbers 1 to 48 or from 1 to 50 if you have the optional XEN card installed State The port state either enabled or dis...

Page 272: ...window you can make multiple changes with a single update Enable or disable RIP for the switch Enable or disable aggregation Enable or disable redistribution of OSPF static routes through RIP Enable o...

Page 273: ...alues Use the Submit button to submit the changes to the system Figure 65 RIP Global Configuration For more information about setting RIP parameters globally see Overview of RIP on page 233 Configure...

Page 274: ...on used in receive mode Rx The RIP version used in transmission mode Tx Enable or disable RIP on a VLAN Configure RIP on a VLAN Set the Tx mode values for the selected VLANs The pull down menu allows...

Page 275: ...figuration for the VLAN to the default values Use the Submit button to submit the changes to the system SNMP The SNMP window is divided into two sections The top section allows you to enter system gro...

Page 276: ...ve a maximum of 127 characters and can be enclosed by double quotation marks Trap Information As shown in Figure 68 the lower section of the SNMP window allows you to enable SNMP and configure trap re...

Page 277: ...n and User Guide 277 Figure 68 Configure Trap Options Spanning Tree From this window you can configure all aspects of a Spanning Tree Domain STPD The window is divided into two sections In the top sec...

Page 278: ...col Data Units BPDUs from this STPD when it is the Root Bridge Bridge forward delay a value between 4 and 30 seconds default 15 seconds The bridge forward delay specifies the time that the ports in th...

Page 279: ...t port The range is 0 through 31 where 0 indicates the lowest priority The default setting is 16 Path Cost Specifies the path cost of the port in this STPD The range is 1 through 65 535 The switch aut...

Page 280: ...280 ExtremeWare 7 2e Installation and User Guide Using ExtremeWare Vista on the Summit 400 Figure 71 Spanning Tree Configuration 3 of 4 Figure 72 Spanning Tree Configuration 4 of 4...

Page 281: ...n the switch is rebooted To retain the settings and have them load when you reboot the switch you must save the configuration to nonvolatile storage The switch can store two different configurations a...

Page 282: ...s to the system Only users with read write authority have permission to change the switch s configuration There is also a checkbox to delete a user For more information on controlling user access see...

Page 283: ...n example of the Configure VLAN Information Use the following fields to make changes to a VLAN IP Address Either changes the IP address or unconfigures the IP address The Unconfigure button resets the...

Page 284: ...also known as access control lists ACLs are used to perform packet filtering and forwarding decisions on incoming traffic Each packet arriving on an ingress port is compared to the access list in seq...

Page 285: ...et mask Dest L4 Port Destination UDP layer 4 port Src IP Source IP address Src IP Mask Source IP subnet mask Src L4 Port ICMP Source UDP layer 4 port ICMP TCP Permit Estb TCP permit established Egr Po...

Page 286: ...st a rate limit can only be applied to a single port Each port has its own rate limit defined separately Each entry that makes up a rate limit contains a unique name and specifies a previously created...

Page 287: ...atistics in the task bar to reveal the submenu links The following links appear in the submenu Event Log Contains system event log entries FDB Contains Forwarding Database entries IP ARP Contains the...

Page 288: ...the levels of importance that the system can assign to a fault A fault level can either be classified as critical warning informational or debug By default log entries that are assigned a critical or...

Page 289: ...y information is located at the bottom of the view The summary information contains the Total Total number of entries in this database view Static Number of static entries in this view Permanent Numbe...

Page 290: ...P Use the IP ARP to find the MAC address associated with an IP address The IP ARP table contains the following fields Destination The destination IP address MAC Address The MAC address associated with...

Page 291: ...sabled Ipmc Routing Indicates whether IP multicast forwarding is enabled or disabled on the switch This setting is either enabled or disabled Use Redirects Indicates whether the switch can modify the...

Page 292: ...er advertisements The default setting is 450 seconds Lifetime The client aging timer setting the default is 1 800 seconds Preference The preference level of the router An IRDP client always uses the r...

Page 293: ...t unreachable messages type 3 code 3 when a TPC or UDP request is made to the switch and no application is waiting for the request or access policy denies the request IGMP IGMP is enabled or disabled...

Page 294: ...OSPFInter RIP OSPFExtern1 OSPFExtern2 BOOTP As shown in Figure 85 you can also use the View Options to restrict different aspects of the view For more information on IP routing see Populating the Rou...

Page 295: ...rough the switch As shown at the top of Figure 86 these statistics are grouped into four logical groups Inbound traffic Outbound traffic Bad packets received Other types of errors Figure 86 Global IP...

Page 296: ...nterface IP Statistics The Router Interface IP Statistics give detailed traffic details at the VLAN level as shown in Figure 88 For each interface the table provides VLAN name Interface ID IP Address...

Page 297: ...rface IP Statistics Ports This window provides information about active ports as reported by the Summit 400 hardware As shown in Figure 89 the report consists of the following fields Port Number Port...

Page 298: ...g ExtremeWare Vista on the Summit 400 Figure 89 Physical Port Statistics Port Collisions This window provides information about Ethernet collisions that occur when the port is operating in half duplex...

Page 299: ...lisions Port Errors In this window you can review Ethernet link errors As shown in Figure 91 the table reflects the following information for each active port Link State Rx Lost Rx Bad Cyclic Redundan...

Page 300: ...ort speed either 10 100 1000 or auto Link Status Either active A or ready R Rx Pkt Sec Received packets rate Peak Rx Pkt Sec Peak received packet rate Tx Pkt Sec Transmission packet rate Peak Tx Pkt S...

Page 301: ...on Protocol Statistics table shows the number of route changes and the number of queries As shown in Figure 93 at the interface level the Router Interface Statistics table shows the following fields V...

Page 302: ...age Selected Primary or secondary image and version number of the image Software Image Booted Actual image running Configuration Selected Either primary or secondary Configuration Booted Either primar...

Page 303: ...tatus Figure 94 Hardware Status Locating Support Information ExtremeWare Vista provides a central location to find support information and to download the most current software images Click Support in...

Page 304: ...e images using Trivial File Transfer Protocol TFTP from this window As shown in Figure 97 you need to provide the following information TFTP Server Address Obtain this address from your Customer Suppo...

Page 305: ...e 7 2e Installation and User Guide 305 Figure 96 TFTP Download Contact Support The Contact Support window contains the mailing address telephone number fax number and URL for Customer Support An examp...

Page 306: ...a on the Summit 400 Figure 97 Support Address Email Support When you click the submenu link for Email Support the browser closes the ExtremeWare Vista page and opens your browser s email window You ca...

Page 307: ...n and User Guide 307 Figure 98 Email Support Logging Out of ExtremeWare Vista When you click the Logout button in the task frame it causes an immediate exit from ExtremeWare Vista Be sure you want to...

Page 308: ...308 ExtremeWare 7 2e Installation and User Guide Using ExtremeWare Vista on the Summit 400...

Page 309: ...ons Height 1 73 inches 4 40 cm Width 17 6 inches 44 1 cm Depth 16 4 inches 41 6 cm Weight Weight 11 lbs 4 98 kg Temperature and Humidity Operating Temperature 0 to 40 C 32 to 104 F Storage Temperature...

Page 310: ...03 Class A Canada Emissions Europe 89 336 EEC EMC Directive ETSI EN 300 386 2001 EU Telecommunications Emissions and Immunity EN55022 1998 Class A European Emissions EN55024 1998 includes IEC EN 61000...

Page 311: ...etwork Ingress Filtering Defeating Denial of Service Attacks which employ IP Source Address Spoofing RPF Unicast Reverse Path Forwarding Control Wire speed ACLs Rate Limiting by ACLs IP Broadcast Forw...

Page 312: ...FC 2131 Dynamic Host Configuration Protocol RFC 1591 Domain Name System Structure and Delegation RFC 1122 Requirements for Internet Hosts Communication Layers RFC 768 User Datagram Protocol RFC 791 In...

Page 313: ...rotocol SNMPv3 RFC 3415 View based Access Control Model VACM for the Simple Network Management Protocol ExtremeWare vendor MIB includes ACL MAC FDB IP FDB MAC Address Security QoS policy and VLAN conf...

Page 314: ...GET but not SET support for a subset of the MPLS LSR MIB as defined in the Internet Draft draft ietf mpls lsr mib 07 txt and a subset of the MPLS LDP MIB as defined in the Internet Draft draft ietf m...

Page 315: ...ion SNMPv3 user based security with encryption authentication RFC 1492 An Access Control Protocol Sometimes Called TACACS RFC 2138 Remote Authentication Dial In User Service RADIUS RFC 2139 RADIUS Acc...

Page 316: ...316 ExtremeWare 7 2e Installation and User Guide Technical Specifications...

Page 317: ...cted to the serial port using the XMODEM protocol Downloading a new image involves the following steps Load the new image onto a TFTP server on your network if you will be using TFTP Load the new imag...

Page 318: ...r various ExtremeWare versions Table 44 Image version fields Field Description major Specifies the ExtremeWare Major version number sub_major Specifies the ExtremeWare Sub major version number minor S...

Page 319: ...meters that you have selected to run on the switch As you make configuration changes the new settings are stored in run time memory Settings that are stored in run time memory are not retained by the...

Page 320: ...py of the file to the same switch or to one or more different switches Send a copy of the configuration file to the Extreme Networks Technical Support department for problem solving purposes Automatic...

Page 321: ...TP you are prompted to reboot the switch The downloaded configuration file is stored in current switch memory during the rebooting process and is not retained if the switch has a power failure When th...

Page 322: ...d only when the save command is issued or if the configuration file itself contains the save command If the configuration currently running in the switch does not match the configuration that the swit...

Page 323: ...orming a serial download of an image For example to change the image that the switch boots from in flash memory press 1 for the image stored in primary or 2 for the image stored in secondary Then pres...

Page 324: ...324 ExtremeWare 7 2e Installation and User Guide Software Upgrade and Boot Options...

Page 325: ...are powered up Both ends of the Gigabit link are set to the same autonegotiation state The Gigabit link must be enabled or disabled on both sides If the two sides are different typically the side wit...

Page 326: ...there is an open or short For example the following command set tests the Ethernet cable inserted into port 1 The four copper pairs do not all have the same length which might indicate a kink in the...

Page 327: ...rrectly configured and that the device has been reset Ensure that you enter the IP address of the switch correctly when invoking the Telnet facility Check that Telnet access was not disabled for the s...

Page 328: ...switch to another hub or switch ensure that you are using a CAT5 cross over cable This is a CAT5 cable that has pins 1 2 on one end connected to pins 3 6 on the other end Also try running the cable d...

Page 329: ...1 2 ERROR Protocol conflict on port 1 5 you already have a VLAN using untagged traffic on a port Only one VLAN using untagged traffic can be configured on a single physical port VLAN configuration can...

Page 330: ...orwarding Database FDB Reduce the number of topology changes by disabling STP on those systems that do not use redundant paths Specify that the endstation entries are static or permanent Debug Tracing...

Page 331: ...EPROM You can use the show switch command to see how long an individual component has been in service since it was manufactured Reboot Loop Protection If the system reboots due to a failure that remai...

Page 332: ...k issue that you are unable to resolve contact Extreme Networks technical support Extreme Networks maintains several Technical Assistance Centers TACs around the world to answer networking questions a...

Page 333: ...ooping delete static router 252 configure igmp snooping filter 253 configure iparp add proxy 223 configure ip mtu vlan 83 85 configure iproute add default 48 51 224 configure iproute priority 224 conf...

Page 334: ...gure stpd mode 196 configure stpd port link type 205 configure syslog 137 configure sys recovery level 73 125 configure time 73 configure timezone 65 73 configure vlan ipaddress 50 224 configure vlan...

Page 335: ...able ospf export 241 enable ospf export rip 241 enable ospf export static 221 241 enable pim 254 enable ports 81 enable radius 171 enable radius accounting 172 enable rip 224 enable rip export 241 ena...

Page 336: ...dress based 86 show snmpv3 access 59 show snmpv3 filter 63 show snmpv3 filter profile 63 show snmpv3 group 59 show snmpv3 mib view 61 show snmpv3 notify 63 show snmpv3 target addr 62 show snmpv3 targe...

Page 337: ...ced Edge license 30 263 agent circuit ID sub option 228 agent remote ID sub option 228 aging entries FDB 104 alarm actions 140 Alarms RMON 139 areas OSPF 236 ARP communicating with devices outside sub...

Page 338: ...n 196 users 75 default route 330 default VLAN 97 delete access list 146 access masks 146 access profile 163 BOOTP relay 227 EAPS domain 186 filter 63 group 59 MIB view 61 OSPF area using ExtremeWare V...

Page 339: ...LED 23 FDB 103 to 107 adding an entry 103 aging entries 104 blackhole entries 105 contents 103 creating a permanent entry example 106 displaying 107 dynamic entries 104 entries 103 non aging entries 1...

Page 340: ...ring group description 85 master port 87 static 85 verifying the configuration 87 logging configuration changes 137 fault level 288 subsystem 288 timestamp 288 using ExtremeWare Vista 288 logging in 3...

Page 341: ...ys 125 priority STP 214 receive errors 124 statistics viewing 123 297 status LED 23 STP state displaying 216 transmit errors 124 troubleshooting 328 utilization 300 port based VLANs 92 port mirroring...

Page 342: ...s profile 161 to 164 deny 161 none 161 OSPF 165 permit 161 PIM 167 RIP 164 using 161 Routing Information Protocol See RIP routing table populating 221 routing See IP unicast routing RSTP alternate por...

Page 343: ...228 Summit 400 switch AC power socket 22 certification marks 310 dimensions 309 electromagnetic compatibility 310 environmental requirements 309 free standing installation 34 front view 21 hardware fe...

Page 344: ...ng 87 verifying the installation 38 video applications and QoS 110 viewing accounts 77 Virtual LANs See VLANs virtual link OSPF 238 Vista See ExtremeWare Vista VLAN tagging 94 VLAN traffic grouping 12...

Reviews:

No comments

Related manuals for ExtremeWare 7.2e

Brand: IBM Pages: 25

Brand: Barco Pages: 22

FIREWORKS 2-USING FIREWORKS

Brand: MACROMEDIA Pages: 20

INTERNET GATEKEEPER WINDOWS 2000-2003 SERVER 6.61...

Brand: F-SECURE Pages: 414

TextBridge PRO 8.5

Brand: ScanSoft Pages: 243

FLEX - DEVELOPING COMPONENTS AND THEMES

Brand: MACROMEDIA Pages: 82

Brand: Nortel Pages: 66

Call Detail Reporting

Brand: Altigen Pages: 97

Altiware OE 4.5

Brand: Altigen Pages: 455

dc5750 - Microtower PC

Brand: Promise Technology Pages: 114

Brand: Draytek Pages: 73

Brand: Adaptec Pages: 45

25366 - Camera Control Pro

Brand: Nikon Pages: 94

MAPCREATE 7 - ADDENDUM

Brand: LEI Extras Pages: 16

AUTOCAD ELECTRICAL -

Brand: Autodesk Pages: 16

Brand: Autodesk Pages: 22

46304-050008-1600A - Vault R4 Essentials Aotc

Brand: Autodesk Pages: 140

00126-050008-1620A - Autocad 2006 Essentials

Brand: Autodesk Pages: 235

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands