Extreme Networks ExtremeWare XOS 10.1 Manual Download Page 114 | Manualshive

Page: 114 / 256

background image

114

ExtremeWare XOS 10.1 Concepts Guide

Security

Access lists are typically applied to traffic that crosses layer 3 router boundaries, but it is possible to use
access lists within a layer 2 VLAN.

Access lists in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in
ExtremeWare. For example, if you deny all the traffic to a port, no traffic, including control packets,
such as OSPF or RIP, will reach the switch and the adjacency will be dropped. You must explicitly allow
those type of packets (if desired). In ExtremeWare, an access list that denied “all” traffic would allow
control packets (those bound for the CPU) to reach the switch.

Access lists are often referred to as Access Control Lists (ACLs).

The following sections apply to IP access lists:

•

Creating IP Access Lists on page 114

•

ACL File Syntax on page 114

•

Example ACL Rule Entries on page 117

•

Using Access Lists on the Switch on page 118

•

Displaying and Clearing ACL Counters on page 119

Creating IP Access Lists

ACLs are created by writing a text file containing a number of rule entries. Name the text file with the
ACL name and use “.pol” as the filename extension. For example, the ACL name “zone3” refers to the
text file “zone3.pol”. Any common text editor can be used to create an access list file. The file is then
transferred to the switch using TFTP, and applied to some or all ports on the switch.

ACL File Syntax

The ACL file contains one or more rule entries. Each rule entry consists of:

•

a rule entry name, unique within the same ACL.

•

zero or more match conditions. If no match condition is specified, all packets are matched.

•

zero or one action. If no action is specified, the packet is permitted by default.

•

zero or more action modifiers.

Each rule entry in the file uses the following syntax:

entry <entry-name>{

if {

<match-conditions>;

} then {

<action>;

<action-modifiers>;

}

}

Here is an example of a rule entry:

entry udpacl {

if {

source-address 10.203.134.0/24;

destination-address 140.158.18.16/32;

«
...
112
113
114
115
116
...
»

Summary of Contents for ExtremeWare XOS 10.1

Page 1: ...Networks Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 http www extremenetworks com ExtremeWare XOS Concepts Guide Software Version 10 1 Published February 2004 Part number 100150 0...

Page 2: ...Specifications are subject to change without notice The ExtremeWare XOS operating system is based in part on the Linux operating system The machine readable copy of the corresponding source code is a...

Page 3: ...uters 17 Virtual LANs VLANs 18 Spanning Tree Protocol 18 Quality of Service 18 Unicast Routing 18 IP Multicast Routing 19 Load Sharing 19 Chapter 2 Accessing the Switch Understanding the Command Synta...

Page 4: ...ther Host Using Telnet 35 Configuring Switch IP Parameters 36 Disconnecting a Telnet Session 38 Using Trivial File Transfer Protocol TFTP 38 Connecting to Another Host Using TFTP 38 Enabling the TFTP...

Page 5: ...les 59 Verifying the Load Sharing Configuration 59 Switch Port Mirroring 59 Modular Switch Port Mirroring Example 60 Extreme Discovery Protocol 60 Chapter 5 Virtual LANs VLANs Overview of Virtual LANs...

Page 6: ...nd DiffServ Traffic Groupings 86 Configuring DiffServ 87 Physical Groupings 89 Verifying Configuration and Performance 89 QoS Monitor 90 Displaying QoS Profile Information 90 Chapter 8 Status Monitori...

Page 7: ...tries 117 Using Access Lists on the Switch 118 Displaying and Clearing ACL Counters 119 Switch Protection 119 Policies 120 Creating Policies 120 Policy File Syntax 120 Policy Examples 125 Using Polici...

Page 8: ...s 163 Chapter 11 Virtual Router Redundancy Protocol Overview 165 Determining the VRRP Master 166 VRRP Tracking 166 Electing the Master Router 168 Additional VRRP Highlights 168 VRRP Operation 169 Simp...

Page 9: ...1 Versus RIP Version 2 188 Overview of OSPF 188 Link State Database 188 Areas 189 Point to Point Support 193 Route Re Distribution 193 Configuring Route Re Distribution 194 OSPF Timers and Authentica...

Page 10: ...on for ABR1 223 Part 3 Appendixes Appendix A Software Upgrade and Boot Options Downloading a New Image 227 Selecting a Primary or a Secondary Image 228 Understanding the Image Version String 228 Softw...

Page 11: ...XOS 10 1 Concepts Guide 11 Contents Debug Mode 240 System Health Check 240 System Odometer 240 Contacting Extreme Technical Support 241 Appendix C Supported Protocols MIBs and Standards Index Index o...

Page 12: ...12 ExtremeWare XOS 10 1 Concepts Guide Contents...

Page 13: ...s LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Internet Protocol IP concepts Routing Information Protocol RIP and Open Shortest Path First OSPF Border Gateway Proto...

Page 14: ...tion Risk of personal injury system damage or loss of data Warning Risk of severe personal injury Table 2 Text Conventions Convention Description Screen displays This typeface indicates command syntax...

Page 15: ...Part 1 Using ExtremeWare XOS...

Page 16: ......

Page 17: ...rmation and switch ports can belong to one and only one virtual router packets arriving at a port on one virtual router can never be switched to the ports on another In this release of ExtremeWare XOS...

Page 18: ...which is a bridge based mechanism for providing fault tolerance on networks STP enables you to implement parallel paths for network traffic and ensure that redundant paths are Disabled when the main...

Page 19: ...ned by the Protocol Independent Multicast dense mode or sparse mode NOTE For more information on IP multicast routing see Chapter 15 Load Sharing Load sharing allows you to increase bandwidth and resi...

Page 20: ...20 ExtremeWare XOS 10 1 Concepts Guide ExtremeWare XOS Overview...

Page 21: ...XOS software However only a subset of commands are described here and in some cases only a subset of the options that a command supports The ExtremeWare XOS Command Reference Guide should be consider...

Page 22: ...that might be used as the next option In situations where this list might be very long the syntax helper will list only one line of names followed by an ellipses to indicate that there are more names...

Page 23: ...se the parameter portlist in the syntax A portlist can be one port on a particular slot For example port 3 1 A portlist can be a range of numbers For example port 3 1 3 3 You can add additional slot a...

Page 24: ...are brackets Enclose a required value or list of required arguments One or more values or arguments can be specified For example in the syntax use image primary secondary you must specify either the p...

Page 25: ...left Right Arrow Moves cursor to right Home or Ctrl A Moves cursor to first character in line End or Ctrl E Moves cursor to last character in line Ctrl L Clears screen and movers cursor to beginning o...

Page 26: ...Reference Guide configure vlan vlan_name ipaddress ipaddress ipNetmask Configures an IP address and subnet mask for a VLAN create account admin user account name password Creates a user account This...

Page 27: ...level account can view and change all switch parameters It can also add and delete users and change the password associated with any account name The administrator can disconnect a management session...

Page 28: ...dd a default admin password by entering the following command configure account admin 4 Enter the new password at the prompt 5 Re enter the new password at the prompt To add a password to the default...

Page 29: ...at have been created you must have administrator privileges To see the accounts use the following command show accounts Deleting an Account To delete a account you must have administrator privileges T...

Page 30: ...tistics are tabulated after the ping is interrupted Traceroute The traceroute command enables you to trace the routed path between the switch and a destination endstation The traceroute command syntax...

Page 31: ...stname of the destination endstation To use the hostname you must first configure DNS from uses the specified source address in the ICMP packet If not specified the address of the transmitting interfa...

Page 32: ...32 ExtremeWare XOS 10 1 Concepts Guide Accessing the Switch...

Page 33: ...ds Access the CLI by connecting a terminal or workstation with terminal emulation software to the console port Access the switch remotely using TCP IP through one of the switch ports or through the de...

Page 34: ...itch concurrently If you configure a new limit only new incoming XOS shell sessions are affected If you decrease the limit and the current number of sessions already exceeds the new maximum the switch...

Page 35: ...active Telnet sessions can access the switch concurrently If idletimeouts are enabled the Telnet connection will time out after 20 minutes of inactivity If a connection to a Telnet session is lost in...

Page 36: ...P on a per VLAN basis by using the following commands disable bootp vlan vlan all disable dhcp vlan vlan_name all To view the current state of the BOOTP or DHCP client use the following command show d...

Page 37: ...able you to access all switch functions The default user names have no passwords assigned If you have been assigned a user name and password with administrator privileges enter them at the login promp...

Page 38: ...k device to another The ExtremeWare XOS TFTP client is a command line application used to contact an external TFTP server on the network For example XOS uses TFTP to download software image files swit...

Page 39: ...Manager provides its own user interface to the management facilities The following sections describe how to get started if you want to use an SNMP manager It assumes you are already familiar with SNMP...

Page 40: ...for individually for each trap receiver All community strings must also be added to the switch using the configure snmp add community command To configure a trap receiver on a switch use the following...

Page 41: ...3414 The User Based Security Model for Version 3 of the Simple Network Management Protocol SNMPv3 describes the User Based Security Model USM RFC 3415 View based Access Control Model V ACM for the Si...

Page 42: ...noauth authnopriv priv volatile SNMPv3 Security In SNMPv3 the User Based Security Model USM for SNMP was introduced USM deals with security related aspects like authentication encryption of SNMP messa...

Page 43: ...following command configure snmpv3 delete user all non defaults hex user_name NOTE The SNMPv3 specifications describe the concept of a security name In the ExtremeWare XOS implementation the user nam...

Page 44: ...oPriv Authentication no privacy Messages are tested only for authentication AuthPriv Authentication privacy This represents the highest level of security and requires every message exchange to pass th...

Page 45: ...iew has been created you can repeatedly use the configure snmpv3 add mib view command to include and or exclude MIB subtree mask combinations to precisely define the items you wish to control access t...

Page 46: ...e processing model security model security level and user name security name used for messages sent to the target address See Message Processing on page 42 and Users Groups and Security on page 43 for...

Page 47: ...tifier To delete a filter or all filters from a filter profile use the following command configure snmpv3 delete filter all hex profile_name subtree object_identifier To remove the association of a fi...

Page 48: ...Plus TACACS is a mechanism for providing authentication authorization and accounting on a centralized server similar in function to the RADIUS client The ExtremeWare XOS version of TACACS is used to...

Page 49: ...e starting and ending date and time in terms of a floating day as follows configure timezone name MET 60 autodst name MDT begins every last sunday march at 1 30 ends every last sunday october at 1 30...

Page 50: ...gain 5 Optionally the interval for which the SNTP client updates the real time clock of the switch can be changed using the following command configure sntp client update interval update interval The...

Page 51: ...kon Standard 10 00 600 AHST Alaska Hawaii Standard CAT Central Alaska HST Hawaii Standard 11 00 660 NT Nome 12 00 720 IDLW International Date Line West 1 00 60 CET Central European FWT French Winter M...

Page 52: ...switch are as follows configure timezone 480 autodst configure sntp client update interval 1200 enable sntp client configure sntp client primary 10 0 1 1 configure sntp client secondary 10 0 1 2 11 00...

Page 53: ...ot must be saved to non volatile storage Otherwise if the modular switch is rebooted or the module is removed from the slot the port VLAN and module configuration information is not saved NOTE For inf...

Page 54: ...the port number is as follows slot port For example if an I O module that has a total of four ports is installed in slot 2 of the chassis the following ports are valid 2 1 2 2 2 3 2 4 You can also us...

Page 55: ...and respond to pause frames 10 100 Mbps Ethernet ports also respond to pause frames but do not advertise support Neither 10 100 Mbps or Gigabit Ethernet ports initiate pause frames Flow Control is en...

Page 56: ...ommand enable jumbo frame ports port_list all NOTE Some network interface cards NICs have a configured maximum MTU size that does not include the additional 4 bytes of CRC Ensure that the NIC maximum...

Page 57: ...e to jumbo frame fragmentation is not supported Only jumbo frame to normal frame fragmentation is supported To configure VLANs for IP fragmentation 1 Enable jumbo frames on the incoming port 2 Add the...

Page 58: ...It can be thought of as the logical port representing the entire port group All the ports in a load sharing group must have the same exact configuration including auto negotiation duplex setting and...

Page 59: ...hes The following example defines a load sharing group that contains ports 9 through 12 on slot 3 and uses the first port as the master logical port 9 enable sharing 3 9 grouping 3 9 3 12 In this exam...

Page 60: ...Extreme Networks switches EDP is used to by the switches to exchange topology information Information communicated using EDP includes Switch MAC address switch ID Switch software version information...

Page 61: ...ed by flexible user groups you create with the command line interface Benefits Implementing VLANs on your networks has the following advantages VLANs help to control traffic With traditional networks...

Page 62: ...emove it from the default VLAN unless the new VLAN uses a protocol other than the default protocol any A port can be a member of only one port based VLAN On the Extreme switch in Figure 1 ports 9 thro...

Page 63: ...using slot 8 port 4 on system 1 the BlackDiamond switch and port 29 on system 2 the other switch Figure 2 Single port based VLAN spanning two switches To create multiple VLANs that span two switches...

Page 64: ...tch must have a dedicated port for each VLAN Each dedicated port must be connected to a port that is a member of its VLAN on the next switch Tagged VLANs Tagging is a process that inserts a marker cal...

Page 65: ...ip for the port must be accompanied by tags In addition to configuring the VLAN tag for the port the server must have a Network Interface Card NIC that supports 802 1Q tagging Assigning a VLAN Tag Eac...

Page 66: ...and VLAN Sales The trunk port on each switch is tagged The server connected to port 25 on system 1 has a NIC that supports 802 1Q tagging EX_064 System 1 Marketing Sales M S Tagged port Marketing Sal...

Page 67: ...other words a port can simultaneously be a member of one port based VLAN and multiple tag based VLANs NOTE For the purposes of VLAN classification packets arriving on a port with an 802 1Q tag contain...

Page 68: ...on EtherType Logical Link Control LLC and or Subnetwork Access Protocol SNAP Up to six protocols may be part of a protocol filter To define a protocol filter 1 Create a protocol using the following co...

Page 69: ...d add llc feff configure protocol fred add snap 9999 A maximum of 15 protocol filters each containing a maximum of six protocols can be defined On products that use the Inferno chip set all 15 protoco...

Page 70: ...re only meaningful to that switch If another switch is connected to it the VLAN names have no significance to the other switch NOTE You should use VLAN names consistently across your entire network De...

Page 71: ...guration Examples The following modular switch example creates a port based VLAN named accounting assigns the IP address 132 15 121 1 and assigns slot 2 ports 1 2 3 and 6 and slot 4 ports 1 and 2 to i...

Page 72: ...following modular switch example defines a protocol filter myprotocol and applies it to the VLAN named myvlan This is an example only and has no real world application create protocol myprotocol conf...

Page 73: ...pts Guide 73 Displaying Protocol Information To display protocol information use the following command show protocol name This show command displays protocol information which includes Protocol name L...

Page 74: ...74 ExtremeWare XOS 10 1 Concepts Guide Virtual LANs VLANs...

Page 75: ...received and the age of the entry Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN How FDB Entries Get Added Entries are added into the FDB in the foll...

Page 76: ...nd through the CLI but may then be updated as the switch encounters the MAC address in the packets that it examines A permanent dynamic entry is typically used to associate QoS profiles with the FDB e...

Page 77: ...ntries are useful as a security measure or in special circumstances where a specific source or destination address must be discarded Blackhole entries may be created through the CLI or they may be cre...

Page 78: ...permanent static entries can be deleted if the switch is reset Supported aging is between 15 and 1 000 000 seconds MAC Based Security MAC based security allows you to control the way the FDB is learne...

Page 79: ...f ff permanent Displays all permanent entries including the ingress and egress QoS profiles ports portlist Displays the entries for a set of ports or slots and ports remap Displays the remapped FDB en...

Page 80: ...80 ExtremeWare XOS 10 1 Concepts Guide Forwarding Database FDB...

Page 81: ...ffic Groupings on page 86 Configuring DiffServ on page 87 Physical Groupings on page 89 Verifying Configuration and Performance on page 89 Policy based Quality of Service QoS is a feature of ExtremeWa...

Page 82: ...rs are satisfied Up to eight physical queues per port are available NOTE Policy based QoS has no impact on switch performance Using even the most complex traffic groupings has no cost in terms of swit...

Page 83: ...ypically be distinguished from each other by their server source and destinations Most browser based applications are distinguished by the dataflow being asymmetric small dataflows from the browser cl...

Page 84: ...f these QoS components in detail QoS Profiles A QoS profile defines a class of service by specifying traffic behavior attributes such as bandwidth The parameters that make up a QoS profile include Min...

Page 85: ...traffic grouping is a classification of traffic that has one or more attributes in common Traffic is typically grouped based on the applications discussed starting on page 82 Traffic groupings are sep...

Page 86: ...penalty The documented capabilities for 802 1p priority markings or DiffServ capabilities if supported are not impacted by the switching or routing configuration of the switch For example 802 1p infor...

Page 87: ...QoS profile has configurable bandwidth parameters and priority In this way an 802 1p priority value seen on ingress can be mapped to a particular QoS profile and with specific bandwidth management and...

Page 88: ...erv information can be enabled or disabled by default it is disabled To view DiffServ information use the following command show diffserv Changing DiffServ Code point assignments in the Q0S Profile Be...

Page 89: ...ers of the QoS profile QP3 configure qp3 min 10 max 100 2 Configure the switch so that other switches can signal class of service that this switch should observe enable diffserv examination Physical G...

Page 90: ...per port performance use the following command show ports port_list qosmonitor Displaying QoS Profile Information The QoS monitor can also be used to verify the QoS configuration and monitor the use...

Page 91: ...oblems arising before they cause major network faults In this way statistics can help you get the best out of your network Status Monitoring The status monitoring facility provides information about t...

Page 92: ...and ports offline and performs extensive ASIC ASIC memory and packet loopback tests Extended diagnostic tests take a maximum of 15 minutes The CPU is not tested Console access is available during ext...

Page 93: ...rt statistics use the following command show ports port_list statistics The switch collects the following port statistic information Link Status The current status of the link Options are Ready the po...

Page 94: ...ns or excessive collisions Transmit Parity Frames TX Parity The bit summation has a parity mismatch To view port receive errors use the following command show ports port_list rxerrors The switch colle...

Page 95: ...CSimC2 20 20 Slot 3 PCSimC2 20 30 Slot 4 PCSimC2 20 40 Slot 5 PCSimC256 20 50 Slot 6 PCSimC256 20 60 Slot 7 PCSimC256 20 70 Slot 8 MSM A PCSimMSM 20 90 MSM B PCSimMSM 21 00 You can also view the tempe...

Page 96: ...ealth checker use the following command disable sys health check slot slot To configure the how often packets are forwarded use the following command configure sys health check interval interval Syste...

Page 97: ...tion of the number of links available and the total bandwidth of these links Software health This number represents the percent of processes available Software version Represents the software version...

Page 98: ...y node_pri To bring a node back online use the following command configure node slot slot_id online priority node_pri Relinquishing Primary Status You can force the primary node to failover to the bac...

Page 99: ...does not have the primary s active configuration it will use the configuration stored in its flash memory NOTE If you issue the reboot command before you save your configuration changes the switch pro...

Page 100: ...f logging targets for example syslog host and NVRAM Filter events on a per target basis by Component subcomponent or specific condition for example BGP messages IGMP Snooping messages or the IP Forwar...

Page 101: ...essages NVRAM messages remain after reboot Syslog host The first four types of targets exist by default but before enabling any syslog host the host s information needs to be added to the switch using...

Page 102: ...one of the severity level specified by the standard BSD syslog values RFC 3164 critical error warning notice and info plus three severity levels for extended debugging debug summary debug verbose and...

Page 103: ...certain categories of messages to pass Only the messages that pass the filter and then pass the specified severity level will reach the target Finally you can specify the severity levels of messages...

Page 104: ...U Ign Debug Summary 2 total STP InBPDU Mismatch Warning 2 total The display above lists the five conditions contained in the STP InBPDU component the severity of the condition and the number of parame...

Page 105: ...cluded events are blocked To configure your filter use the following command configure log filter name add delete exclude events event condition all event component severity severity only For example...

Page 106: ...st the current configuration of the filter to try to logically simplify the configuration Existing items will be replaced by logically simpler items if the new item enables rewriting the filter If the...

Page 107: ...show log events all command can be used to display event definitions the event text and parameter types Only those parameter types that are applicable given the events and severity specified are expos...

Page 108: ...ia but all parameter types in the match criteria need not be present in the event definition Formatting Event Messages Event messages are made up of a number of items The individual items can be forma...

Page 109: ...essages on page 108 Displaying Events Logs The log stored in the memory buffer and the NVRAM can be displayed on the current session either the console display or telnet To display the log use the fol...

Page 110: ...d One counter displays the number of times an event has occurred and the other displays the number of times that notification for the event was made to the system for further processing Both counters...

Page 111: ...er includes this event Notified of times this event has occurred when Included was Y es Displaying Debug Information By default a switch will not generate events of severity Debug Summary Debug Verbos...

Page 112: ...112 ExtremeWare XOS 10 1 Concepts Guide Status Monitoring and Statistics...

Page 113: ...of features in concert you can substantially improve the security of your network The features described in this chapter are part of an overall approach to network security Network Access Security Ne...

Page 114: ...ing Access Lists on the Switch on page 118 Displaying and Clearing ACL Counters on page 119 Creating IP Access Lists ACLs are created by writing a text file containing a number of rule entries Name th...

Page 115: ...hing any of them it is permitted Often an ACL will have a rule entry at the end of the ACL with no match conditions This entry will match any packets not otherwise processed so that user can specify a...

Page 116: ...761 krb prop 754 krbupdate 760 kshell 544 idap 389 login 513 mobileip agent 434 mobileip mn 435 msdp 639 netbios dgm 138 netbios ns 137 netbios ssn 139 nfsd 2049 nntp 119 ntalk 518 ntp 123 pop3 110 p...

Page 117: ...rect for tos and host 3 redirect for tos and net 2 Time exceeded ttl eq zero during reassembly 1 ttl eq zero during transit 0 Unreachable communication prohibited by filtering 13 destination host proh...

Page 118: ...ags syn_ack then accept count tcpcnt The following example denies ICMP echo request packets from the 10 203 134 0 24 subnet and increments the counter icmpcnt entry icmp if source address 10 203 134 0...

Page 119: ...se the following command show access list counter countername any ports portlist ingress To clear the access list counters use the following command clear access list counter countername any ports por...

Page 120: ...Any common text editor can be used to create a policy file The file is then transferred to the switch using TFTP and then applied To transfer policy files to the switch use the following command tftp...

Page 121: ...ements on page 124 Policy Match Conditions Table 23 lists the possible policy entry match conditions Table 23 Policy Match Conditions Match Condition Description as path as number as path regular expr...

Page 122: ...gin different from BGP route origin of a route A match statement route origin bgp will match routes whose origin are I bgp or e bgp or I mbgp or e mbgp Similarly the match statement route origin ospf...

Page 123: ...3 15 The following AS Path statement matches AS paths beginning with AS number 111 and ending with any AS number from 2 8 as path 111 2 8 The following AS Path statement matches AS paths beginning wit...

Page 124: ...remove Strips off the entire community attribute from a route Communities must be enclosed in double quotes cost cost 0 4261412864 Sets the cost metric for a route cost type ase type 1 ase type 2 ext...

Page 125: ...reme Networks switches This example shows the policy equivalent to an access profile ExtremeWare Access Profile Seq_No Action IP Address IP Mask Exact 5 permit 22 16 0 0 255 252 0 0 No 10 permit 192 1...

Page 126: ...policy above can be optimized by combining some of the if into a single expression The compact form of the policy will look like this entry permit_entry If match any nlri 22 16 0 0 14 nlri 192 168 0...

Page 127: ...permit match med 30 set next hop 10 201 23 10 set as path 20 set as path 30 set as path 40 set as path 40 Entry 40 Action permit set local preference 120 set weight 2 Entry 50 Action permit match ori...

Page 128: ...try 40 if then local preference 120 weight 2 permit entry entry 50 match any if origin incomplete community 19661200 then dampening half life 20 reuse limit 1000 suppress limit 3000 max suppress 40 pe...

Page 129: ...en a policy file is changed adding deleting an entry adding deleting modifying a statement etc the new file can be downloaded to the switch and the user must refresh the policy so that the latest copy...

Page 130: ...configure radius primary secondary server ipaddress hostname udp_port client ip ipaddress vr vr_name To configure the timeout if a server fails to respond use the following command configure radius t...

Page 131: ...fecting the current state of RADIUS authentication To enable RADIUS accounting use the following command enable radius accounting To disable RADIUS accounting use the following command disable radius...

Page 132: ...RADIUS when you configure users for read write access Configuring TACACS Terminal Access Controller Access Control System Plus TACACS is a mechanism for providing authentication authorization and acc...

Page 133: ...Part 2 Using Switching and Routing Protocols...

Page 134: ......

Page 135: ...col STP functionality of the switch makes your network more fault tolerant The following sections explain more about STP and the STP features supported by ExtremeWare XOS NOTE STP is a part of the 802...

Page 136: ...hird party switches running this version of STP For more information about how to configure the default encapsulation mode see Encapsulation Modes on page 139 encapsulation mode You can configure port...

Page 137: ...a VLAN to an STPD that VLAN becomes a member of the STPD The two types of member VLANs in an STPD are Carrier Protected Carrier VLAN A carrier VLAN defines the scope of the STPD which includes the ph...

Page 138: ...compatibility with third party switches using IEEE standard 802 1d When configured in this mode all rapid configuration mechanisms are disabled 802 1w mode Use this mode for compatibility with Rapid...

Page 139: ...TP The STPDs running in this mode have a one to one relationship with VLANs and send and process packets in PVST format These encapsulation modes are for STP ports not for physical ports When a physic...

Page 140: ...ng A port in the forwarding state accepts ingress traffic learns new MAC source addresses forwards traffic and receives and processes STP BPDUs Disabled A port in the disabled state does not participa...

Page 141: ...atically removed from the STPD This allows the STPD to increase or decrease its span as ports are added to or removed from a carrier VLAN NOTE The carrier VLAN s StpdID must be identical to the VLANid...

Page 142: ...reful attention to the STP configuration and its effect on the forwarding of VLAN traffic This section describes three types of STP configurations Basic STP Multiple STPDs on a single port EMISTP A VL...

Page 143: ...r STP converges all the VLANs can communicate and all bridging loops are prevented The protected VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The...

Page 144: ...in an STP topology All VLANs in each switch are members of the same STPD STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch Switch 2 ha...

Page 145: ...1 and S2 still correspond to VLANs A and B respectively you can fine tune STP parameters to make the left link active in S1 and blocking in S2 while the right link is active in S2 and blocking in S1 O...

Page 146: ...e domains local to other VLANs Figure 12 VLAN spanning multiple STPDs In addition the configuration in Figure 12 has these features Each site can be administered by a different organization or departm...

Page 147: ...Figure 14 VLAN red the only VLAN in the figure spans domains 1 2 and 3 Inside each domain STP produces a loop free topology However VLAN red is still looped because the three domains form a ring among...

Page 148: ...s on the physical port Third party PVST devices send VLAN 1 packets in a special manner ExtremeWare XOS does not support PVST for VLAN 1 Therefore when the switch receives a packet for VLAN 1 the pack...

Page 149: ...t Supports the designated port on the same attached LAN segment Backup ports only exist when the bridge is connected as a self loop or to a shared media segment For more information about the backup p...

Page 150: ...If the link is in full duplex mode or if link aggregation is enabled on the port an auto link behaves like a point to point link edge Configures the ports as edge ports point to point Configures the p...

Page 151: ...to the forwarding state The default is 15 seconds The range is 4 to 30 seconds Table 32 Derived timers Timer Description TCN The root port uses the TCN timer when it detects a change in the network t...

Page 152: ...e in RSTP Their role does not need to be confirmed If an edge port receives a BPDU it enters an inconsistency state An inconsistency state puts the edge port into the blocking state and starts the mes...

Page 153: ...warding state there is a loop between these two ports To prevent this type of loop from occurring the recent backup timer starts The root port transition rule does not allow a new root port to be in t...

Page 154: ...es the new STP topology Synchronizes all of the designated ports if the receiving port is the root port of the new topology Puts all unsynced designated ports into the blocking state Sends down furthe...

Page 155: ...down bridge F detects the root port is down At this point bridge F Immediately disables that port from the STP Performs a configuration update After the configuration update bridge F Considers itself...

Page 156: ...bridge E Regards itself as the new root bridge Sends BPDU messages on both of its designated ports to bridges F and D respectively Figure 18 New root bridge selected 3 When bridge F receives the super...

Page 157: ...firmation of its designated role and to rapidly move the port into the designated state Figure 20 Sending a propose message to confirm a port role 5 Upon receiving the proposal bridge E Performs a con...

Page 158: ...cy STP bridges Each RSTP bridge contains a port protocol migration state machine to ensure that the ports in the STPD operate in the correct configured mode The state machine is a protocol entity with...

Page 159: ...h PVST and non PVST ports it must be enabled If it is disabled the BPDUs are flooded in the format of the incoming STP port which may be incompatible with those of the connected devices 802 1d ports m...

Page 160: ...Port priority Port mode NOTE The device supports the RFC 1493 Bridge MIB RSTP 03 and Extreme Networks STP MIB Parameters of the s0 default STPD support RFC 1493 and RSTP 03 Parameters of any other ST...

Page 161: ...defined STPDs is emistp EMISTP Configuration Example Figure 24 is an example of EMISTP Figure 24 EMISTP configuration example The following commands configure the switch located between S1 and S2 NOTE...

Page 162: ...w Configuration Example Figure 25 is an example of a network with multiple STPDs that can benefit from RSTP For RSTP to work you need to do the following Create an STPD Configure the mode of operation...

Page 163: ...ged configure vlan personnel add ports 1 1 2 1 tagged configure vlan marketing add ports 1 1 2 1 tagged configure stpd stpd1 add vlan sales ports all configure stpd stpd1 add vlan personnel ports all...

Page 164: ...ge port etc STPD port state forwarding blocking and so on Configured port link type Operational port link type If you have a VLAN that spans multiple STPDs use the show vlan vlan_name stpd command to...

Page 165: ...ocol VRRP RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol Draft IETF VRRP Specification v2 06 Overview VRRP is a protocol that allows multiple switches to provide re...

Page 166: ...r more physical devices that acts as the default gateway for hosts on the network The virtual router is identified by a virtual router identifier VRID and an IP address VRRP router Any router that is...

Page 167: ...wn in Figure 26 use the following command configure vlan vrrp1 add track iproute 10 10 10 0 24 The route specified in this command must exist in the IP routing table When the route is no longer availa...

Page 168: ...rs This signals the backup routers that they do not need to wait for the master down interval to expire and the master election process for a new master can begin immediately The master down interval...

Page 169: ...dcasts an ARP request that contains the virtual router MAC address in this case 00 00 5E 00 01 01 for each IP address associated with the virtual router Hosts on the network use the virtual router MAC...

Page 170: ...8 1 3 Master router for VRID 1 Backup router for VRID 2 MAC address 00 00 5E 00 01 01 Switch B is configured as follows IP address 192 168 1 5 Master router for VRID 2 Backup router for VRID 1 MAC add...

Page 171: ...range is 1 254 The default value is 100 ip_address One or more IP addresses associated with this virtual router This parameter has no default value advertisement_interval Time interval between adverti...

Page 172: ...1 3 24 configure vrrp vlan vlan1 vrid 1 configure vrrp vlan vlan1 vrid 1 prioirty 255 configure vrrp vlan vlan1 vrid 1 add 192 168 1 3 enable vrrp The configuration commands for switch B are as follo...

Page 173: ...an1 vrid 2 configure vrrp vlan vlan1 vrid 2 add 192 168 1 5 enable vrrp The configuration commands for switch B are as follows configure vlan vlan1 ipaddress 192 168 1 5 24 create vlan vlan1 vrid 2 co...

Page 174: ...174 ExtremeWare XOS 10 1 Concepts Guide Virtual Router Redundancy Protocol...

Page 175: ...quirements for IP Version 4 Routers NOTE For more information on interior gateway protocols see Chapter 13 For information on exterior gateway protocols see Chapter 14 Overview of IP Unicast Routing T...

Page 176: ...ferent VLANs In Figure 31 a BlackDiamond switch is depicted with two VLANs defined Finance and Personnel All ports on slots 1 and 3 are assigned to Finance all ports on slots 2 and 4 are assigned to P...

Page 177: ...outes are aged out of the table when an update for the network is not received for a period of time as determined by the routing protocol Static Routes Static routes are manually entered into the rout...

Page 178: ...how to use proxy ARP with the switch ARP Incapable Devices To configure the switch to respond to ARP Requests on behalf of devices that are incapable of doing so you must configure the IP address and...

Page 179: ...ets to 100 101 45 67 Relative Route Priorities Table 35 lists the relative priorities assigned to routes depending upon the learned source of the route NOTE Although these priorities can be changed do...

Page 180: ...spf Verifying the IP Unicast Routing Configuration Use the show iproute command to display the current configuration of IP unchaste routing for the switch and for each VLAN The show iproute command di...

Page 181: ...raffic is directed to the VLAN MyCompany In this configuration all IP traffic from stations connected to slots 1 and 3 have access to the router by way of the VLAN Finance Ports on slots 2 and 4 reach...

Page 182: ...from clients on subnets being serviced by the switch and going to hosts on different subnets This feature can be used in various applications including DHCP services between Windows NT servers and cl...

Page 183: ...P Echo Server You can use UDP Echo packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command rtlookup To disab...

Page 184: ...184 ExtremeWare XOS 10 1 Concepts Guide IP Unicast Routing...

Page 185: ...on page 199 Displaying OSPF Settings on page 200 This chapter assumes that you are already familiar with IP unicast routing If not refer to the following publications for additional information RFC 10...

Page 186: ...ical routing table created from information obtained from all routers in the autonomous system Each router builds a shortest path tree using itself as the root The link state protocol ensures that upd...

Page 187: ...the route timeout period 180 seconds by default the router assumes the connection between it and its neighbor is no longer available Split Horizon Split horizon is a scheme for avoiding problems caus...

Page 188: ...ained from the perspective of that router From the link state database LSDB each router constructs a tree of shortest paths using itself as the root The shortest path tree provides the route to each d...

Page 189: ...n the OSPF database Opaque LSAs are most commonly used to support OSPF traffic engineering Normally support for opaque LSAs is auto negotiated between OSPF neighbors In the event that you experience i...

Page 190: ...from all other ABRs The ABR then forms a picture of the distance to all networks outside of its area by examining the collected advertisements and adding in the backbone distance to each advertising...

Page 191: ...is elected to perform translation as indicated in the NSSA specification The option should not be used on NSSA internal routers Doing so inhibits correct operation of the election algorithm Normal Are...

Page 192: ...area For example in Figure 34 if the connection between ABR1 and the backbone fails the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the b...

Page 193: ...mous system and a RIP autonomous system Table 37 OSPF Link Types Link Type Number of Routers Description Auto Varies ExtremeWare XOS automatically determines the OSPF link type based on the interface...

Page 194: ...tion functions For example to run OSPF and RIP simultaneously you must first configure both protocols and then verify the independent operation of each Then you can configure the routes to export from...

Page 195: ...ociated with the export command the policy is applied on every exported route The exported routes can also be filtered using policies Verify the configuration using the command show ospf Re Distributi...

Page 196: ...s on slots 2 and 4 have been assigned IP address 192 207 36 1 MyCompany Port based VLAN All ports on slots 1 through 4 have been assigned Figure 36 RIP configuration example The stations connected to...

Page 197: ...must have a unique router ID It is recommended that you manually set the router ID of the switches participating in OSPF instead of having the switch automatically choose its router ID based on the h...

Page 198: ...ets Smaller times allow routers to discover each other more quickly but also increase network traffic The default value is 10 seconds Dead router wait interval Dead Interval The interval after which a...

Page 199: ...ters ABR1 and ABR2 Network number 10 0 x x Two identified VLANs HQ_10_0_2 and HQ_10_0_3 Area 5 is connected to the backbone area by way of ABR1 and ABR2 It is located in Chicago and has the following...

Page 200: ...255 255 255 0 configure vlan LA_161_48_2 ipaddress 161 48 2 2 255 255 255 0 configure vlan Chi_160_26_26 ipaddress 160 26 26 1 255 255 255 0 create ospf area 0 0 0 5 create ospf area 0 0 0 6 enable i...

Page 201: ...ll of the criteria are displayed This allows you to control the displayed entries in large routing tables To display the current link state database use the following command show ospf lsdb detail sta...

Page 202: ...202 ExtremeWare XOS 10 1 Concepts Guide Interior Gateway Protocols...

Page 203: ...efer to the following documents RFC 1771 Border Gateway Protocol version 4 BGP 4 RFC 1965 Autonomous System Confederations for BGP RFC 1966 BGP Route Reflection RFC 1997 BGP Communities Attribute RFC...

Page 204: ...iminator Used to select a particular border router in another AS when multiple border routers exist Local_Preference Used to advertise this router s degree of preference to other routers within the AS...

Page 205: ...g the Loopback Interface on page 211 BGP Peer Groups on page 211 BGP Route Flap Dampening on page 212 BGP Route Selection on page 213 Route Re Distribution on page 214 BGP Static Network on page 215 R...

Page 206: ...ice versa Routes received from 1 1 1 1 will be reflected to all clients To configure router 1 1 1 1 use the following commands create vlan to_rr config vlan to_rr add port 1 1 config vlan to_rr ipaddr...

Page 207: ...o_rr config bgp router 3 3 3 3 config bgp as number 100 create bgp neighbor 20 0 0 2 remote as 100 enable bgp neighbor all enable bgp To configure router 4 4 4 4 use the following commands create vlan...

Page 208: ...confederation and outside ASs To configure router A use the following commands create vlan ab configure vlan ab add port 1 configure vlan ab ipaddress 192 1 1 6 30 enable ipforwarding vlan ab configur...

Page 209: ...routerid 192 1 1 22 configure bgp confederation id 200 enable bgp create bgp neighbor 192 1 1 6 remote AS number 65001 create bgp neighbor 192 1 1 21 remote AS number 65001 create bgp neighbor 192 1...

Page 210: ...ber 65002 configure bgp routerid 192 1 1 14 configure bgp confederation id 200 enable bgp create bgp neighbor 192 1 1 9 remote AS number 65001 create bgp neighbor 192 1 1 13 remote AS number 65002 con...

Page 211: ...gateway protocol you may decide to advertise the interface as available regardless of the status of any particular interface The loopback interface can also be used for EBGP multihop Using the loopbac...

Page 212: ...e route becomes available again an Advertisement message is sent and propagated throughout the network As a route repeatedly changes from available to unavailable large numbers of messages propagate t...

Page 213: ...esired parameters Disabling Route Flap Dampening To disable route flap dampening for a BGP neighbor disabling the dampening will also delete all the configured dampening parameters use the following c...

Page 214: ...remove private AS numbers Route Re Distribution BGP OSPF and RIP can be enabled simultaneously on the switch Route re distribution allows the switch to exchange routes including static direct and VIP...

Page 215: ...om the routing table to BGP If you use both commands to redistribute routes the routes redistributed using the network command take precedence over routes redistributed using the export command BGP St...

Page 216: ...216 ExtremeWare XOS 10 1 Concepts Guide Exterior Gateway Routing Protocols...

Page 217: ...ersion 2 The following URLs point to the Web sites for the IETF Working Groups IEFT PIM Working Group http www ietf org html charters pim charter html Overview IP multicast routing is a function that...

Page 218: ...s beneficial for large networks that have group members who are sparsely distributed Using PIM SM the router sends a join message to the rendezvous point RP The RP is a central multicast router that i...

Page 219: ...fic floods within a given VLAN IGMP snooping expects at least one device on every VLAN to periodically generate IGMP query messages The static IGMP snooping entries do not require periodic query but d...

Page 220: ...see Management Access Security on page 129 After you have created an policy file use the following command to associate the policy file and filter a set of ports configure igmp snooping vlan vlan name...

Page 221: ...outing using PIM DM In Figure 41 the system labeled ABR1 is configured for IP multicast routing using PIM SM PIM DM Configuration Example Figure 40 IP multicast routing using PIM DM configuration exam...

Page 222: ...ble ospf enable ipmcforwarding configure pim add vlan all dense enable pim The following example configures PIM SM Figure 41 IP multicast routing using PIM SM configuration example Area 0 10 0 1 1 10...

Page 223: ...HQ_10_0_3 ipaddress 10 0 3 1 255 255 255 0 configure vlan LA_161_48_2 ipaddress 161 48 2 2 255 255 255 0 configure vlan CHI_160_26_26 ipaddress 160 26 26 1 255 255 255 0 configure ospf add vlan all ar...

Page 224: ...224 ExtremeWare XOS 10 1 Concepts Guide IP Multicast Routing...

Page 225: ...Part 3 Appendixes...

Page 226: ......

Page 227: ...either a Trivial File Transfer Protocol TFTP server on the network or from a PC connected to the serial port using the XMODEM protocol Downloading a new image involves the following steps Loading the...

Page 228: ...ndary When downloading a new image you select which partition primary or secondary to install the new image If you do not specify a partition the software image is downloaded and installed into the cu...

Page 229: ...run on the switch As you make configuration changes the new settings are stored in run time memory Settings that are stored in run time memory are not retained by the switch when the switch is reboot...

Page 230: ...ges or n to cancel the process To use the configuration use the following command use configuration primary secondary file_name Where the following is true primary Specifies the primary saved configur...

Page 231: ...cified file from the local host and copies it to the TFTP server local_file Specifies the name of the configuration file that you want to save to the TFTP server If you upload a configuration file and...

Page 232: ...ion file and see the following message Error Transfer timed out Check to make sure that you entered the file name correctly including the cfg extension and that you entered the correct IP address for...

Page 233: ...show images command Selecting an image To change the image that the switch boots from in flash memory use the boot image name command If you specify image name the specified image is booted If you do...

Page 234: ...234 ExtremeWare XOS 10 1 Concepts Guide Software Upgrade and Boot Options...

Page 235: ...cure Cables are free from damage The devices at both ends of the link are powered up Both ends of the Gigabit link are set to the same autonegotiation state The Gigabit link must be enabled or disable...

Page 236: ...power up the switch If this does not work try using a different power source different power strip outlet and power cord Using the Command Line Interface The initial welcome prompt does not display C...

Page 237: ...device a problem with the original port is indicated Re examine the connections and cabling A network problem may be preventing you accessing the device over the network Try accessing the device thro...

Page 238: ...Extreme switch and another network device will cause poor network performance Viewing statistics using the show ports rxerrors command on the Extreme switch may display a constant increment of CRC err...

Page 239: ...should have a corresponding VLAN ID for the VLAN on the other switch If you are connecting to a third party device and have checked that the VLAN IDs are the same the Ethertype field used to identify...

Page 240: ...Statistics on page 91 System Health Check The system health check tests the backplane the CPU and I O modules by periodically forwarding packets and checking for the validity of these packets If you...

Page 241: ...pport If you have a network issue that you are unable to resolve contact Extreme Networks technical support Extreme Networks maintains several Technical Assistance Centers TACs around the world to ans...

Page 242: ...242 ExtremeWare XOS 10 1 Concepts Guide Troubleshooting...

Page 243: ...ess Resolution Protocol Or converting network protocol addresses to 48 bit Ethernet address for transmission on Ethernet hardware RFC 2338 Virtual Router Redundancy Protocol Draft VRRP spec v2 06 mino...

Page 244: ...ns for BGP RFC 2796 BGP Route Reflection An Alternative to Full Mesh IBGP RFC 1997 BGP Communities Attribute RFC 1745 BGP4 IDRP for IP OSPF Interaction RFC 2385 Protection of BGP Sessions via the TCP...

Page 245: ...imple Network Management Protocol SNMP Applications RFC 3414 User based Security Model USM for version 3 of the Simple Network Management Protocol SNMPv3 RFC 3415 View based Access Control Model VACM...

Page 246: ...and Standards DiffServ Standards and MIBs RFC 2474 Definition of the Differentiated Services Field DS Field in the IPv4 and IPv6 Headers RFC 2475 An Architecture for Differentiated Services RFC 2597 A...

Page 247: ...onomous system path 204 cluster 205 community 205 description 204 features 205 loopback interface 211 peer groups creating 211 description 211 mandatory parameters 211 neighbors 212 redistributing to...

Page 248: ...See FDB G Greenwich Mean Time Offsets table 51 groups 43 I IEEE 802 1Q 64 IGMP description 219 snooping 219 static 219 image downloading 227 primary and secondary 228 upgrading 227 interfaces router 1...

Page 249: ...stub area 190 virtual link 191 wait interval configuring 197 P partition 228 passwords default 28 forgetting 29 path MTU discovery 56 permanent entries FDB 77 Per VLAN Spanning Tree See PVST PIM mode...

Page 250: ...Routing Information Protocol See RIP routing table populating 177 routing See IP unicast routing RSTP configuring link types 150 designated port rapid behavior 154 link types 150 auto 150 broadcast 15...

Page 251: ...41 Telnet connecting to another host 35 disconnecting a session 38 maximum sessions 35 opening a session 35 using 35 Terminal Access Controller Access Control System Plus See TACACS TFTP connecting to...

Page 252: ...8 171 master router 166 multicast address 168 operation 169 preempt mode 171 priority 166 168 171 redundancy 170 route table tracking 166 skew time 168 171 tracking description 166 virtual router 166...

Page 253: ...configure node priority 98 configure osfp area nssa 191 configure osfp area stub 190 configure osfp ase limit 189 configure ospf area timer 197 configure ospf timer 197 configure ospf virtual link tim...

Page 254: ...01 disable ospf capability opaque lsa 189 disable ospf export 177 195 disable ports 26 54 disable radius 130 disable radius accounting 131 disable rip export 195 disable rip exportstatic 177 disable s...

Page 255: ...ow odometer 240 show ospf 195 200 show ospf area 201 show ospf interfaces 201 show ospf lsdb 201 show ospf lsdb area lstype 201 show ports info 89 90 show ports qosmonitor 90 show ports rxerrors 94 sh...

Page 256: ...4 ExtremeWare XOS 10 1 Concepts Guide Index of Commands...

Reviews:

No comments

Related manuals for ExtremeWare XOS 10.1

Brand: F-SECURE Pages: 18

PM1D Manager V2

Brand: Yamaha Pages: 24

Brand: I.R.I.S. Pages: 182

Membrain Software

Brand: SanDisk Pages: 14

BJ0NJML - Service And Asset Management

Brand: IBM Pages: 330

Brand: Omron Pages: 2

LIVE CYCLE 7.2 - INSTALLING AND CONFIGURING LIVECYCLE FOR JBOSS

Brand: Adobe Pages: 90

Advanced Calculator 2.2

Brand: CDML Pages: 48

Brand: HP Pages: 4

NECSAM RICHER APPT FINAL2

Brand: NEC Pages: 1

NECAM NEWSREL 070306

Brand: NEC Pages: 2

Brand: NEC Pages: 3

Brand: NEC Pages: 9

Brand: NEC Pages: 49

Brand: NEC Pages: 56

NEC Storage PathManager 3.1

Brand: NEC Pages: 65

MultiSync FP1375X

Brand: NEC Pages: 64

MultiSync FP955

Brand: NEC Pages: 68

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands