Extreme Networks ExtremeWare XOS 11.1 Manual Download Page 228 | Manualshive

Page: 228 / 496

background image

Security

ExtremeWare XOS 11.1 Concepts Guide

228

For ports that have lock-down in effect, the following traffic will still flow to the port:

●

Packets destined for the permanent MAC and other non-blackholed MAC addresses

●

Broadcast traffic

●

EDP traffic

Traffic from the permanent MAC will still flow from the virtual port.

To remove MAC address lock down, use the

unlock-learning

option from the following command:

configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning |

unlimited-learning | unlock-learning]

When you remove the lock down using the unlock-learning option, the learning-limit is reset to
unlimited, and all associated entries in the FDB are flushed.

Network Login

Network login controls the admission of user packets into a network by giving addresses only to users
that are properly authenticated. Network login is controlled on a per port basis. When network login is
enabled on a port in a VLAN, that port does not forward any packets until authentication takes place.

There are three choices for types of authentication to use with Network Login, web-based, MAC-based,
and 802.1x, and there are two different modes of operation, Campus mode and ISP mode. The
authentication types and modes of operation can be used in any combination. The following sections
describe these choices.

When web-based network login is enabled on a switch port, that port is placed into a non-forwarding
state until authentication takes place. To authenticate, a user (supplicant) must open a web browser and
provide the appropriate credentials. These credentials are either approved, in which case the port is
placed in forwarding mode, or not approved, in which case the port remains blocked.

For 802.1x authentication, three failed login attempts disables the port for a configured length of time.
For both 802.1x and web-based authentication user logout can be initiated by submitting a logout
request or closing the logout window.

Web-Based, MAC-based, and 802.1x Authentication

Authentication is handled as a web-based process, or as described in the IEEE 802.1x specification. Web-
based network login does not require any specific client software and can work with any HTTP-
compliant web browser. By contrast, 802.1x authentication may require additional software installed on
the client workstation, making it less suitable for a user walk-up situation, such as a cyber-café or coffee
shop.

1

Extreme Networks supports a smooth transition from web-based to 802.1x authentication.

MAC-based authentication is used for supplicants that do not support a network login mode, or
supplicants that are not aware of the existence of such security measure, for example an IP phone.

1.

A workstation running Windows XP supports 802.1x natively and does not require additional authentica-
tion software.

«
...
226
227
228
229
230
...
»

Summary of Contents for ExtremeWare XOS 11.1

Page 1: ...s Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com ExtremeWare XOS Concepts Guide Software Version 11 1 Published December 2004 Part number 10...

Page 2: ...S operating system is based in part on the Linux operating system The machine readable copy of the corresponding source code is available for the cost of distribution Please direct requests to Extreme...

Page 3: ...Aspen 8810 Switch Only 27 Advanced Core License BlackDiamond 10K Switch Only 28 Security Licensing 29 Software Factory Defaults 29 Chapter 2 Accessing the Switch 31 Understanding the Command Syntax 31...

Page 4: ...Using the Trivial File Transfer Protocol 50 Connecting to Another Host Using TFTP 50 Understanding System Redundancy 51 Node Election 51 Replicating Data Between Nodes 52 Viewing Node Status 54 Under...

Page 5: ...Frames on the Aspen 8810 Switch Only 84 Enabling Jumbo Frames 84 Path MTU Discovery 84 IP Fragmentation with Jumbo Frames 85 IP Fragmentation within a VLAN 86 Load Sharing on the Switch 86 Load Sharin...

Page 6: ...us Monitoring 121 Viewing Port Statistics 121 Viewing Port Errors 122 Using the Port Monitoring Display Keys 123 Slot Diagnostics 123 Running Diagnostics on I O and Management Modules 124 Observing LE...

Page 7: ...figuration Examples 161 Displaying VLAN Settings 162 Displaying Protocol Information 163 Tunneling VMANs 163 Guidelines for Configuring VMANs 164 Configuring VMANs 165 Displaying VMAN Configurations 1...

Page 8: ...0 Routing Policy File Syntax 191 Policy Examples 195 Chapter 12 Quality of Service 201 Overview of Policy Based Quality of Service 201 Applications and Types of QoS 202 Voice Applications 202 Video Ap...

Page 9: ...Displaying Network Login Settings 236 Disabling Network Login 236 Additional Configuration Details 236 MAC Based Authentication 237 DHCP Server 238 DHCP Server on the Switch 238 Displaying DHCP Infor...

Page 10: ...Protected VLANs 278 Enabling and Disabling Fast Convergence 278 Enabling and Disabling an EAPS Domain 278 Enabling and Disabling EAPS on the Switch 278 Unconfiguring an EAPS Ring Port 279 Displaying...

Page 11: ...ation Example 321 RSTP 802 1w Configuration Example 322 Displaying STP Settings 323 Chapter 17 Extreme Standby Router Protocol 325 Overview of ESRP 325 ESRP Modes of Operation 325 ESRP and ELRP 326 Re...

Page 12: ...Chapter 18 Virtual Router Redundancy Protocol 355 Overview 355 Determining the VRRP Master 355 VRRP Tracking 356 Electing the Master Router 358 Additional VRRP Highlights 358 VRRP Operation 359 Simpl...

Page 13: ...Advertisement of VLANs 383 RIP Version 1 Versus RIP Version 2 383 Overview of OSPF 384 Licensing 384 OSPF Edge Mode 384 Link State Database 384 Areas 386 Point to Point Support 389 Route Redistributio...

Page 14: ...Image 421 Understanding the Image Version String 421 Software Signatures 422 Rebooting the Switch 422 Rebooting the Management Module 422 Understanding Hitless Upgrade BlackDiamond 10K Switch Only 42...

Page 15: ...view of the System Health Checker 446 Enabling and Disabling Backplane Diagnostic Packets on the Switch 447 Configuring Backplane Diagnostic Packets on the Switch 447 System Odometer 448 Temperature O...

Page 16: ...Contents ExtremeWare XOS 11 1 Concepts Guide 16...

Page 17: ...rks LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Internet Protocol IP concepts Routing Information Protocol RIP and Open Shortest Path First OSPF Border Gateway Pro...

Page 18: ...tem damage or loss of data Warning Risk of severe personal injury Table 2 Text conventions Convention Description Screen displays This typeface indicates command syntax or represents information as it...

Page 19: ...ference guide for any command mentioned in the user guide To ensure that the quick referencing feature functions properly follow these steps 1 Download both the user guide PDF file and the command ref...

Page 20: ...Preface ExtremeWare XOS 11 1 Concepts Guide 20...

Page 21: ...1 Using ExtremeWare XOS...

Page 22: ......

Page 23: ...switches ExtremeWare XOS 10 1 and higher Aspen 8810 switch ExtremeWare XOS 11 1 and higher Summary of Features The features of ExtremeWare XOS include Virtual local area networks VLANs including supp...

Page 24: ...dditionally supports user created virtual routers ExtremeWare XOS supports virtual routers This capability allows a single physical switch to be split into multiple virtual routers This feature separa...

Page 25: ...formation For more information on SSH see Chapter 13 EAPS With software version 11 0 the switch supports Ethernet Automatic Protection Switching EAPS This Extreme Networks proprietary protocol provide...

Page 26: ...3 and Layer 2 redundancy can be used separately or together Using ESRP allows you to simplify your network and it works very well in meshed networks where Layer 2 loop protection and Layer 3 redundan...

Page 27: ...by using a software key Keys are typically unique to the switch and are not transferable Keys are stored in NVRAM and once enabled persist through reboots software upgrades power outages and reconfigu...

Page 28: ...y purchasing a license voucher from Extreme Networks Please contact your supplier to purchase a voucher The voucher contains information and instructions on obtaining a license key for the switch usin...

Page 29: ...ail address Ability to use a Web browser to download a file WinZip format to uncompress a zip file Security Features Under License Control ExtremeWare XOS software supports the SSH2 protocol which all...

Page 30: ...port and contains only that port The switch uses the Ethernet management port for host operation only not for switching or routing 802 1Q tagging All packets are untagged on the default VLAN default...

Page 31: ...tremeWare XOS commands You may enter configuration commands at the prompt At the prompt you may enter only monitoring commands not configuration commands As you are booting up you may see the command...

Page 32: ...wable abbreviation of a command or parameter Typically this is the first three letters of the command If you do not enter enough letters to allow the switch to determine which command you mean the syn...

Page 33: ...tes all ports on slot 3 You can specify a range of slots and ports For example port 2 3 4 5 indicates slot 2 port 3 through slot 4 port 5 Names All named components within a category of the switch con...

Page 34: ...s in a list one of which must be entered For example in the syntax configure snmp add community readonly readwrite alphanumeric_string you must specify either the read or write community string in the...

Page 35: ...Interrupts the current CLI command execution Table 6 Common commands Command Description clear session sessId all Terminates a Telnet session from the switch configure account name Configures a user a...

Page 36: ...characters create vlan vlan_name vr vr name Creates a VLAN NOTE The Aspen 8810 switch does not use the vr optional parameter delete account name Deletes a user account delete vlan vlan_name Deletes a...

Page 37: ...icular software feature license Specify license_key as an integer The command unconfigure switch all does not clear licensing information This license cannot be disabled once it is enabled on the swit...

Page 38: ...xt is taken from the SNMP sysname setting The number that follows the colon indicates the sequential line of the specific command or line If an asterisk appears in front of the command line prompt it...

Page 39: ...urse of action Creating a Management Account The switch can have a total of 16 management accounts You can use the default names admin and user or you can create new names and passwords for the accoun...

Page 40: ...this account Protect this information carefully To access your switch using the failsafe account you must connect to the serial port of the switch You cannot access the failsafe account through any o...

Page 41: ...ing command configure dns client default domain For example if you specify the domain xyz inc com as the default domain then a command such as ping accounting1 will be taken as if it had been entered...

Page 42: ...switch to trace the hops until the time to live has been exceeded for the switch port uses the specified UDP port number icmp uses ICMP echo messages to trace the routed path Table 8 Ping command par...

Page 43: ...following methods Access the command line interface CLI by connecting a terminal or workstation with terminal emulation software to the console port Access the switch remotely using TCP IP through one...

Page 44: ...he switch until a connection is terminated or you access the switch via the console If you configure a new limit only new incoming shell sessions are affected If you decrease the limit and the current...

Page 45: ...subnet_mask configure iproute add default gateway vr vrname metric multicast only unicast only Authenticating Users ExtremeWare XOS provides three methods to authenticate users who log in to the swit...

Page 46: ...bled and uses VR Mgmt by default NOTE Maximize the Telnet screen so that automatically updating screens display correctly If you use Telnet to establish a connection to the switch you must specify the...

Page 47: ...und on the rear label of the switch IP address Subnet address mask optional The switch contains a Bootstrap Protocol BOOTP and Dynamic Host Configuration Protocol DHCP client so if you have a BOOTP or...

Page 48: ...your terminal press Return one or more times until you see the login prompt 3 At the login prompt enter your user name and password Note that they are both case sensitive Ensure that you have entered...

Page 49: ...tch by typing logout or quit Configuring Telnet Access to the Switch By default Telnet services are enabled on the switch and all virtual routers listen for incoming Telnet requests NOTE The Aspen 881...

Page 50: ...the Trivial File Transfer Protocol ExtremeWare XOS supports the Trivial File Transfer Protocol TFTP based on RFC 1350 TFTP is a method used to transfer files from one network device to another The Ext...

Page 51: ...in slot A has master status The Device Manager collects the node health information and forwards that information to the Node Manager The Node Manager then computes the quality of the node which is l...

Page 52: ...ed to step 2 If the nodes are not synchronized and one MSM is running ExtremeWare XOS 10 1 or earlier proceed to step 3 If the nodes are synchronized proceed to step 3 2 Use the synchronize command to...

Page 53: ...y NOTE To ensure that all of the configuration commands in the backup s flash are updated issue the save command after you make any changes If a failover occurs the backup MSM continues to use the mas...

Page 54: ...tus collected by the switch Table 9 Node states Node State Description BACKUP In the backup state this node becomes the master node if the master fails or enters the DOWN state The backup node also re...

Page 55: ...ExtremeWare XOS boots up it reads and analyzes the installed I O modules ExtremeWare XOS considers the I O modules for power up from the lowest numbered slot to the highest numbered slot based on thei...

Page 56: ...can mix PSUs with 110V and 220V AC inputs but if any PSUs with 110V AC inputs are present the switch treats all PSUs as if they have 110V AC inputs Displaying Power Supply Information To view the sys...

Page 57: ...tly support SNMPv1 v2c and SNMPv3 The default is both types of SNMP enabled Network managers can access the device with either SNMPv1 v2c methods or SNMPv3 To enable concurrent support use the followi...

Page 58: ...e trapreceiver command Entries in the trap receiver list can also be created modified and deleted using the RMON2 trapDestTable MIB table as described in RFC 2021 Community strings The community strin...

Page 59: ...RFC 2575 View based Access Control Model V ACM for the Simple Network Management Protocol SNMP talks about VACM as a way to access the MIB The SNMPv3 standards for network management were primarily d...

Page 60: ...ty related aspects like authentication encryption of SNMP messages and defining users and their various access security levels This standard also encompasses protection against message delay and messa...

Page 61: ...rs use the following command show snmpv3 user hex hex_user_name user_name To delete a user use the following command configure snmpv3 delete user all non defaults hex hex_user_name user_name NOTE The...

Page 62: ...3 supports three security models SNMPv1 no security SNMPv2c community strings based security SNMPv3 USM security The default is USM You can select the security model based on the network manager in yo...

Page 63: ...in hex notation this is used for the ExtremeWare XOS CLI 1 3 6 1 2 1 1 fe To define a view that includes the entire MIB 2 use the following subtree mask 1 3 6 1 2 1 1 1 1 1 1 1 0 0 0 which in the CLI...

Page 64: ...t port_number from src_ip_address tag list tag_list volatile In configuring the target address you supply an address name that identifies the target address a parameters name that indicates the MP mod...

Page 65: ...target parameter name The filters that make up the profile are created and associated with the profile using a different command To create a filter profile use the following command configure snmpv3 a...

Page 66: ...otify hex hex_notify_name notify_name To delete an entry from the snmpNotifyTable use the following command configure snmpv3 delete notify hex hex_notify_name notify_name all non defaults You cannot d...

Page 67: ...u can set up automatic daylight savings adjustment with the command configure timezone GMT_offset autodst If your time zone uses starting and ending dates and times that differ from the default you ca...

Page 68: ...the switch waits for the sntp client update interval before querying again 5 Optionally the interval for which the SNTP client updates the real time clock of the switch can be changed using the follo...

Page 69: ...Casablanca Morocco 1 00 60 WAT West Africa Cape Verde Islands 2 00 120 AT Azores Azores 3 00 180 Brasilia Brazil Buenos Aires Argentina Georgetown Guyana 4 00 240 AST Atlantic Standard Caracas La Paz...

Page 70: ...0 0 1 2 4 00 240 ZP4 Russia Zone 3 Abu Dhabi UAE Muscat Tblisi Volgograd Kabul 5 00 300 ZP5 Russia Zone 4 5 30 330 IST India Standard Time New Delhi Pune Allahabad India 6 00 360 ZP6 Russia Zone 5 7 0...

Page 71: ...the ExtremeWare XOS applications Understanding the ExtremeWare XOS Software NOTE For information about downloading and upgrading a new software image saving configuration changes and upgrading the Bo...

Page 72: ...er using TFTP For detailed information about downloading switch configurations see Chapter A Software Upgrade and Boot Options For detailed information about downloading policies and ACLs see Chapter...

Page 73: ...ion policy files have a pol file extension When you copy a configuration or policy file from the system make sure you specify the appropriate file extension For example if you want to copy a policy fi...

Page 74: ...Jun 30 17 10 roytest cfg Deleting Files From the Switch To delete a configuration or policy file from your system use the following command rm memorycard file name Where the following is true memoryc...

Page 75: ...ry partition or another space The file names primary and secondary exist for backward compatibility with ExtremeWare Downloading configuration files ExtremeWare XOS uses the tftp command to download c...

Page 76: ...graceful Specifies that the process shutdown gracefully by closing all opened connections notifying peers on the network and other types of process cleanup slot Specifies the slot number of the MSM A...

Page 77: ...tness of the system By isolating and having separate memory space for each individual process you can more easily identify the process or processes that experience a problem To display the current sys...

Page 78: ...Managing the ExtremeWare XOS Software ExtremeWare XOS 11 1 Concepts Guide 78...

Page 79: ...therwise if the modular switch is rebooted or the module is removed from the slot the port VLAN and module configuration information is not saved NOTE For information on saving the configuration see A...

Page 80: ...a module consisting solely of data or I O ports The primary MSM must be in slot A in the Aspen 8810 switch which is referred to as slot 5 when working with the data ports If you have a secondary MSM...

Page 81: ...2 7 15 Refer to Displaying Port Configuration Information for information on displaying link status Configuring Switch Port Speed and Duplex Setting NOTE Refer to Displaying Port Configuration Informa...

Page 82: ...link back up and the traffic automatically resumes The Extreme Networks implementation of LFS conforms to the IEEE standard 802 3ae 2002 NOTE On the BlackDiamond 10K switch the 10 Gbps module must hav...

Page 83: ...t wire speed on all ports The configuration for jumbo frames is saved across reboots of the switch Jumbo frames are used between endstations that support larger frame sizes for more efficient transfer...

Page 84: ...nfigured maximum MTU size that does not include the additional 4 bytes of CRC Ensure that the NIC maximum MTU size is at or below the maximum MTU size configured on the switch Frames that are larger t...

Page 85: ...e host continues to set DF in all datagrams so that if the route changes and the new path MTU is lower the host can perform path MTU discovery again IP Fragmentation with Jumbo Frames NOTE The Aspen 8...

Page 86: ...r to the same feature which allows multiple physical ports to be aggregated into one logical port Refer to IEEE 802 3ad for more information on this feature The advantages to load sharing include an i...

Page 87: ...must go down before the software controlled redundant port takes effect Load Sharing Algorithms Load sharing or link aggregation algorithms allow you to select the distribution technique used by the...

Page 88: ...explicitly select an algorithm the port based scheme is used However the address based algorithm has a more even distribution and is the recommended choice Address based load sharing When you configur...

Page 89: ...switch 128 Aspen 8810 switch 32 The ports in the group do not need to be contiguous A load sharing group that spans multiple modules must use ports that have the same maximum bandwidth capability wit...

Page 90: ...he load sharing group will have those ports deleted from the VLAN when load sharing becomes enabled Address based load sharing can also span modules Single Module Load Sharing on a Modular Switch The...

Page 91: ...ts The monitor port can then be connected to a network analyzer or RMON probe for packet analysis The system uses a traffic filter that copies a group of traffic to the monitor port You can have only...

Page 92: ...e untagged ports send mirrored traffic to the monitor port that traffic also egresses the monitor port as tagged And if mirroring is enabled as untagged on the monitor port all traffic egressing the m...

Page 93: ...ng add port 6 5 ingress The following example selects slot 3 port 4 as the monitor port and send all traffic sent from slot 6 port 5 to the monitor port enable mirroring to port 3 4 configure mirrorin...

Page 94: ...EDP is used to by the switches to exchange topology information Information communicated using EDP includes Switch MAC address switch ID Switch software version information Switch IP address Switch V...

Page 95: ...39 2 40 2 4 1 2 42 Additionally you view EDP information by using the following command show edp port ports detail The following is sample output from the show edp ports 1 1 detail command Port 1 1 E...

Page 96: ...ort to active if the redundant port fails A typical configuration of software controlled redundant ports is a dual homed implementation Figure 1 This example maintains connectivity only if the link be...

Page 97: ...tional traffic the recovery is immediate NOTE On the BlackDiamond 10K switch 10 Gbps modules with a serial number lower than 804405 00 09 the software redundant port feature cover only those failures...

Page 98: ...undant software controlled redundancy ports use the following commands show ports information show port port_list information detail The following is sample output of the show port 1 1 information det...

Page 99: ...ll the ports or more detailed configuration information on specific ports The following sample output is from the show ports configuration command and displays the port configuration for all ports sho...

Page 100: ...State D Disabled E Enabled The show ports information command shows you either summary information on all the ports or more detailed information on specific ports The output from the command differs...

Page 101: ...nabled DLCS Unsupported lbDetect Unsupported Learning Enabled Flooding Enabled Jumbo Disabled BG QoS monitor Unsupported Egress Port Rate 128 Kbps Max Burst Size 200 Kb Broadcast Rate No limit Multica...

Page 102: ...Learning Enabled Flooding Enabled Jumbo Disabled BG QoS monitor Unsupported QoS Profile None configured Queue QP1 MinBw 0 MaxBw 100 Pri 1 QP2 MinBw 0 MaxBw 100 Pri 2 QP3 MinBw 0 MaxBw 100 Pri 3 QP4 Mi...

Page 103: ...e power distribution for PoE at the system slot and port levels Real time discovery and classification of 802 3af compliant PDs and many legacy devices Monitor and control of port PoE fault conditions...

Page 104: ...vides power to the PDs Enabling PoE to the Switch You enable or disable inline power to the entire switch or per slot or per port Then you must reserve power for each PoE Slot refer to Power Reserve B...

Page 105: ...umbered slots will be powered down NOTE PoE modules are not powered up at all even in data only mode if the reserved PoE power cannot be allocated to that slot To reset the reserved power budget for a...

Page 106: ...ommand configure inline power priority critical high low ports port_list To reset the PoE priority of the ports to the default value of low use the following command unconfigure inline power priority...

Page 107: ...s to all PoE modules the threshold measurement applies only to the percentage per slot of measured power to budgeted power use it does not apply to the amount of power used switchwide To configure the...

Page 108: ...g command unconfigure inline power operator limit ports all port_list If you attempt to set an operator limit outside the accepted range the system returns an error message LEDs Individual port LEDs o...

Page 109: ...using the following commands enable inline power enable inline power slot slot enable inline power ports all port_list NOTE If your chassis has an inline power module and there is not enough power to...

Page 110: ...NMP to generate this event When the actual power used by the PDs on a slot exceeds the power budgeted for that slot the switch refuses power to PDs There are two methods used by the switch to refuse p...

Page 111: ...wer in excess of the slot s reserved power budget the system allocates power to those ports with the highest priorities first If several ports have the same PoE priority the lower port numbers have hi...

Page 112: ...egacy detection method is enabled The switch unsuccessfully attempted to discover the PD using the standard resistance measurement method To enable the switch to detect legacy non standard PDs use the...

Page 113: ...list Power Cycling Connected PDs You can power cycle a connected PD without losing the power allocated to its port Use the following command reset inline power ports port_list Displaying PoE Settings...

Page 114: ...mation for each slot Inline power status The status of inline power The status conditions are Enabled Disabled Firmware status The operational status of the slot The status conditions are Operational...

Page 115: ...P Operational 111 00 110 00 1 00 Inline Power budgeted 2 loss 51 00 51 00 0 00 Slot 4 G48P Empty Slot 5 G8X Operational 0 00 0 00 0 00 Slot 6 G48T Operational 0 00 0 00 0 00 Slot 7 G48P Operational 11...

Page 116: ...available to the slot Measured power The amount of power in watts that currently being used by the slot Following is sample output from this command Budgeted Measured Slot Inline Power Firmware Statu...

Page 117: ...his command provides the following information Config Indicates whether the port is enabled to provide inline power Enabled The port can provide inline power Disabled The port cannot provide inline po...

Page 118: ...ass 0 device class1 class 1 device class2 class 2 device class3 class 3 device class4 class 4 device Volts Displays the measured voltage A value from 0 to 2 is valid for ports that are in a searching...

Page 119: ...tate Class Volts Curr Power Fault mA Watts 3 1 delivering class3 48 3 192 9 300 None 3 2 delivering class3 48 3 192 9 300 None 3 3 searching 0 0 0 0 0 None Following is sample output from the show inl...

Page 120: ...r of times the port had an invalid signature Denied Displays the number of times the port was denied Over current Displays the number of times the port entered an overcurrent state Short Displays the...

Page 121: ...this way statistics can help you get the best out of your network Status Monitoring The status monitoring facility provides information about the switch This information may be useful for your techni...

Page 122: ...ed to a multicast address Viewing Port Errors The switch keeps track of errors for each port To view port transmit errors use the following command show ports port_list txerrors The switch collects th...

Page 123: ...er of frames received by the port with a CRC error and not containing an integral number of octets Receive Frames Lost RX Lost The total number of frames received by the port that were lost because of...

Page 124: ...s offline and performs a simple ASIC and packet loopback test on all ports extended Takes the switch fabric and ports offline and performs extensive ASIC ASIC memory and packet loopback tests Extended...

Page 125: ...the Aspen MSM LED behavior during a diagnostic test While diagnostic tests are running the STAT LED blinks amber If a diagnostic test fails the SYS LED and the STAT LED go to solid amber After the MSM...

Page 126: ...controllers and fans By isolating faults to a specific module backplane connection control plane or component the system health checker notifies you of a possible hardware fault This section describe...

Page 127: ...stic packets from the I O module to determine the state and connectivity The other I O modules with backplane diagnostic packets disabled continue polling every 60 seconds by default System health che...

Page 128: ...seconds on the specified slot Only polling is enabled Aspen 8810 switch By default the system health checker discontinues sending backplane diagnostic packets to the specified slot Only polling is ena...

Page 129: ...ion Disabling Backplane Diagnostics Building upon the previous example the following example disables backplane diagnostics on slot 3 disable sys health check slot 3 Backplane diagnostic packets are n...

Page 130: ...ds using the following command configure sys health check interval 5 Setting the System Recovery Level You can configure the system either to take no action or to automatically reboot the switch after...

Page 131: ...owing sample output displays the temperature information PowerSupply 1 information Temperature 30 1 deg C To view the current temperature and status of the fan trays use the following command show fan...

Page 132: ...stored in memory buffer or NVRAM to a TFTP server Display counts of event occurrences even those not included in filter Display debug information using a consistent configuration method Sending Event...

Page 133: ...if any of the local targets NVRAM memory or console are matched If so that event gets processed The session and syslog targets are disabled on the backup MSM as they are handled on the primary If the...

Page 134: ...erbose and debug data require that debug mode be enabled which may cause a performance degradation See Displaying Debug Information on page 143 for more information about debugging Table 20 Severity l...

Page 135: ...target you further restrict the messages reaching that target The filter may allow only certain categories of messages to pass Only the messages that pass the filter and then pass the specified sever...

Page 136: ...or example if you want to see the message text and the parameters for the event condition STP InBPDU Trace use the following command show log events stp inbpdu trace details The output produced by the...

Page 137: ...lter add events stp All STP component events of at least the default threshold severity passes myFilter for the STP component the default severity threshold is error You can further modify this filter...

Page 138: ...item enables rewriting the filter If the new item is already included or excluded from the currently configured filter the new item is not added to the filter Matching Expressions You can configure t...

Page 139: ...event definitions the event text and parameter types Only those parameter types that are applicable given the events and severity specified are exposed on the CLI The syntax for the parameter types re...

Page 140: ...ddress In other words if the match keyword is specified an incident will pass a filter so long as all parameter values in the incident match those in the match criteria but all parameter types in the...

Page 141: ...essages on page 140 Displaying Event Logs The log stored in the memory buffer and the NVRAM can be displayed on the current session either the console display or telnet To display the log use the foll...

Page 142: ...s made to the system for further processing Both counters reflect totals accumulated since reboot or since the counters were cleared using the clear log counters or clear counters command The show log...

Page 143: ...applies only to commands that result in a configuration change To enable configuration logging use the following command enable cli config logging To disable configuration logging use the following co...

Page 144: ...mple is taken and the maximum number of samples allowed before throttling the sample gathering To configure sFlow on a switch you must do the following tasks Configure the local agent Configure the ad...

Page 145: ...ow globally with the following command disable sflow When you disable sFlow globally the individual ports are also put into the disabled state If you later enable the global sFlow state individual por...

Page 146: ...10K only At the hardware level all ports on the same slot are sampled at the same rate so if one port is configured to sample less frequently than another on the same slot the extra samples are discar...

Page 147: ...monitors port statistics and system variables The agent transfers the information to a management workstation on request or when a predefined threshold is crossed Information collected by RMON includ...

Page 148: ...group is used to detect changes in traffic and error patterns in critical areas of the network History The History group provides historical views of network performance by taking periodic samples of...

Page 149: ...re the probeHardwareRev object you can view the current hardware version of the monitored device probeDateTime If you configure the probeDateTime object you can view the current date and time of the p...

Page 150: ...ation file Runtime data is not stored in the configuration file and is subsequently lost after a system restart or MSM failover Event Actions The actions that you can define for each alarm are shown i...

Page 151: ...line interface CLI Benefits NOTE The system switches traffic within each VLAN using the Ethernet MAC address The system routes traffic between two VLANs using the IP addresses Implementing VLANs on yo...

Page 152: ...ate virtual routers ensure that you are creating each VLAN in the desired virtual router domain Also ensure that you are in the correct virtual router domain before you begin modifying each VLAN For i...

Page 153: ...e you must remove the untagged ports from the VLAN and reset the module To display the serial number of the module issue the show slot slot_number command All the modules on the Aspen 8810 switch supp...

Page 154: ...e port on each switch must be a member of the corresponding VLANs as well Figure 4 illustrates two VLANs spanning two switches On system 2 ports 25 through 29 are part of VLAN Accounting ports 21 thro...

Page 155: ...s can span multiple switches using one or more trunks In a port based VLAN each VLAN requires its own pair of trunk ports as shown in Figure 4 Using tags multiple VLANs can span two switches with a si...

Page 156: ...nected to port 25 on system 1 has a NIC that supports 802 1Q tagging The server connected to port 25 on system 1 is a member of both VLAN Marketing and VLAN Sales All other stations use untagged traff...

Page 157: ...VLAN and multiple tag based VLANs NOTE For the purposes of VLAN classification packets arriving on a port with an 802 1Q tag containing a VLANid of zero are treated as untagged Protocol Based VLANs P...

Page 158: ...zed protocol filter based on EtherType Logical Link Control LLC and or Subnetwork Access Protocol SNAP Up to six protocols may be part of a protocol filter To define a protocol filter 1 Create a proto...

Page 159: ...feff configure protocol fred add snap 9999 A maximum of 15 protocol filters each containing a maximum of 6 protocols can be defined No more than 7 protocols can be active and configured for use NOTE F...

Page 160: ...it the VLAN names have no significance to the other switch NOTE Extreme Networks recommends that you use VLAN names consistently across your entire network Default VLAN The switch ships with one defa...

Page 161: ...you must first delete that port from the default vlan if you attempt to add an untagged port to a VLAN prior to deleting it from the default VLAN you see the following error message Error Protocol con...

Page 162: ...etype 0xf0f0 configure protocol myprotocol add etype 0xffff create vlan myvlan configure myvlan protocol myprotocol Displaying VLAN Settings NOTE The Aspen 8810 switch does not support user created vi...

Page 163: ...tion for all the traffic on the specified VMAN The encapsulation allows the VMAN traffic to be switched over an Layer 2 infrastructure To encapsulate the packet the system adds a VMAN header that form...

Page 164: ...raffic flows from the egress trunk port onto the network thereafter without the VMAN tag Ensure that all the switch to switch ports in the VMAN tunnel are configured as tagged ports Configure the VMAN...

Page 165: ...a tag value to the VMAN 4 Add the ports in the tunnel to the VMAN 5 Configure VMAN member ports as tagged on switch to switch ports and untagged on the ingress and egress ports of the tunnel NOTE You...

Page 166: ...xample Aspen 8810 Switch The follow example shows the steps to configure VMAN 1 on the Aspen 8810 switch shown in Figure 9 Figure 9 Sample VMAN configuration on Aspen 8810 switch The VMAN is from the...

Page 167: ...nabled p PIM Enabled r RIP Enabled T Member of STP Domain v VRRP Enabled Total number of Vlan s 3 To display information on a specific VMAN use the following command show vman vlan_name The following...

Page 168: ...Virtual LANs ExtremeWare XOS 11 1 Concepts Guide 168...

Page 169: ...l switch some commands in ExtremeWare XOS now require you to specify to which virtual router the command applies For example when you use the ping command you must specify from which virtual router th...

Page 170: ...unications between all the modules and subsystems in the switch It has no external visible ports and you cannot assign any port to it This virtual router VR Control has no VLAN interface and no VLAN c...

Page 171: ...isted The virtual router configuration domain simplifies configuration because you do not have to specify the virtual router for each individual protocol configuration command The current configuratio...

Page 172: ...l be shut down and deleted gracefully Adding Ports to a Virtual Router By default all the user data ports belong to the system default virtual router VR Default and belong to the default VLAN Default...

Page 173: ...word to every command in every routing protocol Virtual router commands are applied to the current configuration domain The virtual router commands consist of all the BGP OSPF PIM and RIP commands as...

Page 174: ...virtual router commands affect the virtual router helix The VLAN helix accounting is created Ports that belong to the virtual router helix are added to the VLAN helix accounting The CLI prompt is show...

Page 175: ...it was received The age of the entry The number of IP FDB entries that use this MAC address as a next hop or last hop Flags Frames destined for MAC addresses that are not in the FDB are flooded to all...

Page 176: ...pdated as the switch continues to encounter the address in the packets it examines These entries are identified by the d flag in show fdb output Dynamic entries age that is a dynamic entry is removed...

Page 177: ...ot be present in the FDB during a destination lookup FDB Configuration Examples The following example adds a permanent static entry to the FDB create fdbentry 00 E0 2B 12 34 56 vlan marketing port 3 4...

Page 178: ...n about MAC based security see Chapter 13 Displaying FDB Entries To display FDB entries use the following command show fdb mac_addr broadcast mac permanent ports portlist vlan vlan_name where the foll...

Page 179: ...of the routing information based on the policy statements Policies are also used by the access control list ACL application to perform packet filtering and forwarding decisions on packets The ACL appl...

Page 180: ...i To insert text ahead of the initial cursor position a To append text after the initial cursor position To escape the input mode and return to the command mode press the Escape key There are several...

Page 181: ...be forwarded by the switch as the new ACL is being setup in the hardware You can disable this behavior To control the behavior of the switch during an ACL refresh use the following commands enable acc...

Page 182: ...e none To remove a routing policy use the none option in the command ACL Policies ACLs are used to perform packet filtering and forwarding decisions on incoming traffic Each packet arriving on an ingr...

Page 183: ...acket matches all the match conditions the action in the then statement is taken and the evaluation process terminates If a rule entry does not contain any match condition the packet is considered to...

Page 184: ...ion increments the counter named in the condition The QoS profile action forwards the packet to the specified QoS profile Aspen 8810 Only For the Aspen 8810 there is an additional action modifier mete...

Page 185: ...543 kpasswd 761 krb prop 754 krbupdate 760 kshell 544 idap 389 login 513 mobileip agent 434 mobileip mn 435 msdp 639 netbios dgm 138 netbios ns 137 netbios ssn 139 nfsd 2049 nntp 119 ntalk 518 ntp 123...

Page 186: ...edirect for tos and net 2 Time exceeded ttl eq zero during reassembly 1 ttl eq zero during transit 0 Unreachable communication prohibited by filtering 13 destination host prohibited 10 destination hos...

Page 187: ...ecedence among L3 L4 rules is determined by their relative position in the ACL file Rules are evaluated sequentially from top to bottom The precedence among L2 rules is determined by their position in...

Page 188: ...only matches fragmented packets An L4 rule with the fragments keyword is not valid see above With the first fragments keyword specified An L3 only rule with the first fragments keyword matches non fra...

Page 189: ...ount countername statement For example to associate the meter maxbw with an ACL use syntax similar to the following entry meter_bw if then meter maximum_bandwidth This example will take the actions sp...

Page 190: ...isplaying and Clearing ACL Counters To display the ACL counters use the following command show access list counter countername any ports portlist vlan vlanname ingress To clear the access list counter...

Page 191: ...or more match conditions If no match condition is specified every condition matches Zero or more actions If no action is specified the packet is permitted by default Each policy entry in the file use...

Page 192: ...s a multi character regular expression with 2 byte unsigned Integer being an Atom Regular expression will consist of the AS Numbers and various regular expression symbols Regular expressions must be e...

Page 193: ...tern 1 or ospf extern 2 Table 27 AS regular expression notation Character Definition N As number N1 N2 Range of AS numbers where N1 and N2 are AS numbers and N1 N2 Nx Ny Group of AS numbers where Nx a...

Page 194: ...umber 111 and ending with any additional AS number or beginning and ending with AS number 111 as path 111 Policy Action Statements Table 29 lists the possible action statements These are the actions t...

Page 195: ...e cost type for a route dampening half life minutes 1 45 reuse limit number 1 20000 suppress limit number 1 20000 max suppress minutes 1 255 Sets the BGP route flap dampening parameters deny Denies th...

Page 196: ...Yes 15 deny any 255 0 0 0 No 20 permit 10 10 0 0 255 255 192 0 No 25 deny 22 44 66 0 255 255 254 0 Yes Equivalent ExtremeWare XOS policy map definition entry entry 5 If nlri 22 16 0 0 14 then permit e...

Page 197: ...te maps on other Extreme Networks switches This example shows the policy equivalent to an ExtremeWare route map ExtremeWare route map Route Map rt Entry 10 Action permit match origin incomplete Entry...

Page 198: ...0 if community 6553800 then deny entry entry 30 if med 30 then next hop 10 201 23 10 as path 20 as path 30 as path 40 as path 40 permit entry entry 40 if then local preference 120 weight 2 permit entr...

Page 199: ...Routing Policies ExtremeWare XOS 11 1 Concepts Guide 199 entry entry 60 if next hop 192 168 1 5 then community add 949616660 permit entry deny_rest if then deny...

Page 200: ...Policies and ACLs ExtremeWare XOS 11 1 Concepts Guide 200...

Page 201: ...oS is an effective control mechanism for networks that have heterogeneous traffic patterns Using Policy based QoS you can specify the service level that a particular traffic type receives Policy based...

Page 202: ...nd impact of packet loss Voice Applications Voice applications typically demand small amounts of bandwidth However the bandwidth must be constant and predictable because voice applications are typical...

Page 203: ...latency jitter and some packet loss however small packet loss may have a large impact on perceived performance because of the nature of TCP The relevant parameter for protecting browser applications i...

Page 204: ...te traffic groupings Traffic grouping A classification or traffic type that has one or more attributes in common These can range from a physical port to IP Layer 4 port information You assign traffic...

Page 205: ...ctivity with large packets Weight This parameter is the relative weighting for each QoS profile 1 through 16 are the available weight values The default value for each QoS profile is 1 giving each que...

Page 206: ...figured either as a percentage of the total link bandwidth or using absolute peak rates in Kbps or Mbps The default value on all maximum bandwidth parameters is 100 Priority The level of priority assi...

Page 207: ...LAN association In the event that a given packet matches two or more grouping criteria there is a predetermined precedence for which traffic grouping applies The supported traffic groupings by precede...

Page 208: ...e bandwidth management and priority handling for that traffic grouping This level of packet filtering has no impact on performance Explicit Class of Service 802 1p and DiffServ Traffic Groupings This...

Page 209: ...specific queue when subsequently transmitting the packet The 802 1p priority field is located directly following the 802 1Q type field and preceding the 802 1Q VLAN ID as shown in Figure 10 Figure 10...

Page 210: ...groupings the related flow classifier causes the replacement However the switch is capable of inserting and or overwriting 802 1p priority information when it transmits an 802 1Q tagged frame If 802...

Page 211: ...ket NOTE This command affects only that traffic based on explicit packet class of service information and physical logical configuration Configuring DiffServ Contained in the header of every IP packet...

Page 212: ...fServ information can be enabled or disabled by default it is disabled To enable DiffServ examination use the following command enable diffserv examination port port_list all To disable DiffServ exami...

Page 213: ...ter the QoS profile you want to use to determine the replacement DiffServ code point value To replace DiffServ code points you must enable DiffServ replacement using the following commands enable diff...

Page 214: ...the same QoS configuration on every network switch To configure the switch follow these steps 1 Using ACLs assign a traffic grouping for traffic from network 10 1 2 x to QP3 configure access list qp3...

Page 215: ...raffic is transmitted out to any other port To configure a source port traffic grouping use the following command configure ports port_list qosprofile qosprofile In the following modular switch exampl...

Page 216: ...n detail Aspen 8810 switch display You display which QoS profile if any is configured on the Aspen 8810 switch using the show ports port_list information detail command Following is a sample output of...

Page 217: ...mple output of this command for a BlackDiamond 10K switch 10 Gbps port Port 8 1 Virtual router VR Default Type XENPAK Random Early drop Disabled Admin state Enabled with 10G full duplex Link State Rea...

Page 218: ...ble Tag none Mode 802 1D State FORWARDING Protocol Name Default Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled...

Page 219: ...ns QoS features performance monitoring with a snapshot display of the monitored ports To view switch performance per port use the following command show ports port_list qosmonitor ingress egress NOTE...

Page 220: ...roupings Egress Traffic Rate Limiting Aspen 8810 Switch Only You can configure the maximum egress traffic allowed per port by specifying the committed rate or you can allow the egress traffic to pass...

Page 221: ...ort on the switch and from there to the backplane You can configure up to 8 ingress queues which send traffic to the backplane per physical port on the I O module By defining minimum and maximum bandw...

Page 222: ...ueues on physical ports The impact of the bandwidth setting is determined by the port speed 1 or 10 Gbps NOTE You may see slightly different bandwidths because the switch supports granularity down to...

Page 223: ...fine rate shaping on a port you assign a minimum and maximum bandwidth or rate plus a priority value to each queue on the ingress port see Table 38 for the number of queues available to each port on t...

Page 224: ...following commands show qosprofile ingress egress ports all port_list show ports port_list information detail Additionally you can monitor the performance on the BlackDiamond 10K switch by using the f...

Page 225: ...your network The features described in this chapter are part of an overall approach to network security Network Access Security Network access security features control devices accessing your network...

Page 226: ...ge is 0 to 500 000 addresses When the learned limit is reached all new source MAC addresses are blackholed at the ingress and egress points This prevent these MAC addresses from learning and respondin...

Page 227: ...MAC address limit on all S1 ports might prevent ESRP communication between S2 and S3 To resolve this you should add a back to back link between S2 and S3 This link is not needed if MAC address limitin...

Page 228: ...these choices When web based network login is enabled on a switch port that port is placed into a non forwarding state until authentication takes place To authenticate a user supplicant must open a we...

Page 229: ...ticated it is deprived of this address The client must obtain a operational address from another DHCP server in the network DHCP is not required for 802 1x because 802 1x uses only Layer 2 frames EAPO...

Page 230: ...cation refer to the documentation for your particular RADIUS server and 802 1x client on how to set up a PKI configuration Campus and ISP Modes Network login supports two modes of operation Campus and...

Page 231: ...ality Supplicant Side The supported 802 1x clients supplicants are Windows 2000 SP4 native client Windows XP native clients and Meetinghouse AEGIS Supported authentication types are MD5 TLS TTLS and P...

Page 232: ...al username password authentication These are used by network login and switch console login respectively Multiple Supplicant Support An important enhancement over the IEEE 802 1x standard is that Ext...

Page 233: ...he VLAN temp This kind of configuration provides better security as unauthenticated clients do not connect to the corporate subnet and will not be able to send or receive any data They have to get aut...

Page 234: ...corp add port 1 12 untagged configure vlan corp add port 1 13 untagged configure vlan corp add port 1 14 untagged Network Login Configuration configure vlan temp dhcp address range 198 162 32 20 198 1...

Page 235: ...In Campus Mode using web based authentication this requirement is mandatory after every logout and before login again as the port moves back and forth between the temporary and permanent VLANs On othe...

Page 236: ...etwork login settings use the following command show netlogin port portlist vlan vlan name dot1x detail mac web based Disabling Network Login Network login must be disabled on a port before you can de...

Page 237: ...ege for netlogin users to logout by popping up or not popping up the logout window Logout privilege is enabled by default To enable or disable network login use one of the following commands enable ne...

Page 238: ...sword encrypted 00 01 30 70 0C 00 48 yaqu 00 01 30 32 7D 00 48 ravdqsr 00 04 96 00 00 00 24 not configured 00 06 00 00 00 00 32 not configured default not configured The user name used to authenticate...

Page 239: ...table selected entries or all entries You would use this command to troubleshoot IP address allocation on the VLAN To clear entries use the following command clear vlan vlan_name dhcp address allocati...

Page 240: ...ackets to the CPU This ACL will remain in place to provide relief to the CPU Periodically the ACL will expire and if the attack is still occurring it will be re enabled With the ACL in place the CPU w...

Page 241: ...rts are not counted when checking for attacks To configure the trusted ports list use the following command configure dos protect trusted ports ports ports all add ports ports to add all delete ports...

Page 242: ...tion in the local switch database To configure the RADIUS servers use the following command configure radius primary secondary server ipaddress hostname udp_port client ip ipaddress vr vr_name To conf...

Page 243: ...able RADIUS authentication for accounting information to be generated You can enable and disable accounting without affecting the current state of RADIUS authentication To enable RADIUS accounting use...

Page 244: ...attribute in the Access Accept packet after successfully authenticating the user Extreme Networks switches grant a RADIUS authenticated user read write privilege if a Service Type value of 6 is transm...

Page 245: ...ed for this feature must reside on the same physical Radius server Standard Radius and Radius Accounting configuration is required as described earlier in this chapter 2 Modify the Funk SBR vendor ini...

Page 246: ...two RADIUS servers and enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access due to RADIUS server problems RADIUS Server Configuration Example Merit...

Page 247: ...h a user through the users file A profile with the permit on keywords allows use of only the listed commands A profile with the deny keyword allows use of all commands except the listed commands CLI c...

Page 248: ...tch PROFILE2 enable clear counters show management PROFILE3 deny create vlan configure iproute disable show fdb delete configure rip add TACACS Terminal Access Controller Access Control System Plus TA...

Page 249: ...If you have installed a software module and you terminate the newly installed process without saving your configuration your module may not be loaded when you attempt to restart the process with the...

Page 250: ...alid user name and password on the switch in order to log in to the switch after the SSH2 session has been established To view the status of SSH2 sessions on the switch use the show management command...

Page 251: ...h to your current Linux directory using SCP2 use the following command user linux server scp2 admin 192 168 0 120 config primary cfg primary cfg To copy the policy filename test pol from your Linux sy...

Page 252: ...Security ExtremeWare XOS 11 1 Concepts Guide 252...

Page 253: ...he changes of two counters over an interval For example you can monitor the ratio between TCP SYN and TCP packets An abnormally large ratio may indicate a SYN attack If the rule conditions are met the...

Page 254: ...port vlan vlanname any rule rulename detail Or to display all the rules use the following command show clear flow rule all When CLEARFlow is enabled any rules that satisfy the threshold will trigger a...

Page 255: ...ntries Each CLEARFlow rule specifies how often it should be evaluated The order of evaluation depends on the sampling time and when the CLEARFlow agent receives the counter statistics The order of the...

Page 256: ...low agent If not specified the default value is 5 seconds The actions will be discussed in the section CLEARFlow Rule Actions on page 259 See the section Count Rule Type Example on page 261 for an exa...

Page 257: ...eresis value is greater than the threshold value the hysteresis value will be set to zero The action lists will be discussed in the section CLEARFlow Rule Actions on page 259 See the section Delta Rul...

Page 258: ...rom one sample to the next for each of the two counters The ratio of the differences is then compared to the threshold value The following is the syntax for a CLEARFlow delta ratio rule entry CLFrulen...

Page 259: ...ill be set to zero The action lists will be discussed in the section CLEARFlow Rule Actions on page 259 See the section Delta Ratio Rule Type Example on page 264 for an example CLEARFlow Rule Actions...

Page 260: ...n the rule is triggered The message is sent periodically with interval period seconds If period is zero or if this optional parameter is not present the message is sent only once when the rule is trig...

Page 261: ...er substitutions can be used per rule CLEARFlow Rule Examples In the examples that follow there are one to two ACL rule entries followed by a CLEARFlow rule entry The examples illustrate the four CLEA...

Page 262: ...ater than or equal to 1000 packets the CLEARFlow agent will send a trap message to the SNMP master and change the ACL acl_rule1 to move the traffic to QP3 In addition reduce the peak rate to 5 Kbps on...

Page 263: ...e ratio is greater than 5 then the agent will execute the actions in the then clause which consists of logging a message to the syslog server Before logging the syslog string the agent will replace th...

Page 264: ...deny all SYN traffic on the interface No period value for the syslog message is given so the message will be logged once when the expression first becomes true When the expression transitions from tru...

Page 265: ...2 Using Switching and Routing Protocols...

Page 266: ......

Page 267: ...unning two or more EAPS rings having a switch belonging to multiple EAPS rings or configuring shared ports that allow multiple EAPS domains to share a common link you must have a Core software license...

Page 268: ...signated the master node see Figure 14 while all other nodes are designated as transit nodes Figure 13 Gigabit Ethernet fiber EAPS MAN ring One port of the master node is designated the master node s...

Page 269: ...nvergence for the entire switch not by EAPS domain Fault Detection and Recovery EAPS fault detection on a ring is based on a single control VLAN per EAPS domain This EAPS domain provides protection to...

Page 270: ...node also flushes its FDB and sends a message on the control VLAN to all of its associated transit nodes to flush their forwarding databases as well so that all of the switches can learn the new paths...

Page 271: ...the master receives its health check packet back on its secondary port and once again declares the ring to be complete Again the master node logically Blocks the protected VLANs on its secondary port...

Page 272: ...tch a figure eight topology In this example there is an EAPS domain with its own control VLAN running on ring 1 and another EAPS domain with its own control VLAN running on ring 2 A data VLAN that spa...

Page 273: ...ins Multiple EAPS Rings Sharing a Common Link When you configure EAPS on multiple rings with a common link you may experience a loop situation across both rings To solve this problem you can configure...

Page 274: ...vironment in this software release you can use the existing solution of configuring EAPS plus STP Configuring EAPS on a Switch To configure and enable an EAPS domain complete the following steps 1 Cre...

Page 275: ...identifying keyword as well as the actual name If you do not use the keyword the system may return an error message The following command example creates an EAPS domain named eaps_1 create eaps eaps_1...

Page 276: ...e the failtimer expires The seconds parameter must be greater than the configured value for hellotime The default value is 3 seconds To configure the action taken if there is a break in the ring use t...

Page 277: ...S messages NOTE A control VLAN cannot belong to more than one EAPS domain If the domain is active you cannot delete the domain or modify the configuration of the control VLAN To configure the EAPS con...

Page 278: ...NOTE As long as the ring is complete the master node blocks the protected VLANs on its secondary port The following command example adds the protected VLAN orchid to the EAPS domain eaps_1 configure...

Page 279: ...primary port Displaying EAPS Status Information To display EAPS status information use the following command show eaps This example displays summary EAPS information EAPS Enabled Yes EAPS Fast Conver...

Page 280: ...nsit node The display from the show eaps detail command shows all the information shown in the show eaps eapsDomain command but displays information for all configured EAPS domains Table 42 explains t...

Page 281: ...completed Pre Complete The EAPS domain has started operation for Complete state and has sent a request to lower hardware layers to block the secondary port It is in transient state waiting for acknowl...

Page 282: ...been added as the control VLAN to this EAPS domain or this port has not been added to the control VLAN Hello Timer interval The configured value of the timer in seconds specifying the time that the m...

Page 283: ...to be in the ready state After EAPS has converged and the EAPS master node has blocked its own secondary ports the controller puts all its ports into forwarding and goes back to ready state Figure 19...

Page 284: ...t they have converged and blocked their secondary ports the controller opens all ports If you have an EAPS configuration with multiple common links and a second common link fails the controllers conti...

Page 285: ...r This end does not participate in any form of blocking It is responsible for only sending and receiving health check messages To configure the mode of the shared port use the following command config...

Page 286: ...APS shared port status information use the following command show eaps shared port port detail If you enter the show eaps shared port command without an argument or keyword the command displays a summ...

Page 287: ...APS domains sharing this common link Nbr Displays one of the following states Yes Indicates that the EAPS instance on the other end of the common link is configured with matching link ID and opposite...

Page 288: ...gment port as one of its ring ports Vlan port count available with the detail keyword or by specifying a shared port The total number of VLANs being protected under this segment port Adjacent Blocking...

Page 289: ...y up to two shared ports per switch There cannot be more than one controller on a switch Valid combinations on any one switch are 1 controller 1 partner 1 controller and 1 partner 2 partners A shared...

Page 290: ...gle configuration there must be two common links configured on one of the switches Figure 23 shows a Right Angle configuration Figure 23 EAPS shared port right angle configuration EW_096 S4 S3 S2 S1 P...

Page 291: ...and Right Angle configuration Figure 24 Basic core and right angle configuration EW_098 S7 S3 S4 S2 S1 EAPS5 EAPS2 EAPS1 S8 S12 S11 S5 Controller S14 S15 S13 S9 S10 Common link Partner S6 Common link...

Page 292: ...hanging off of it This is an extension of a basic core configuration Figure 25 Large core and access ring configuration EW_099 S4 S10 S1 S7 EAPS5 EAPS2 EAPS1 Controller Partner Master Controller Part...

Page 293: ...Right Angle configuration Figure 26 Advanced configuration EW_101 S2 S1 S8 S9 S11 S10 Controller S14 S3 S13 S12 S7 S4 S5 Common link Common link Common link Common link S6 EAPS3 EAPS6 EAPS4 EAPS2 EAP...

Page 294: ...Ethernet Automatic Protection Switching ExtremeWare XOS 11 1 Concepts Guide 294...

Page 295: ...STP in terms used by the IEEE 802 1D specification the switch will be referred to as a bridge Overview of the Spanning Tree Protocol STP is a bridge based mechanism for providing fault tolerance on n...

Page 296: ...ports that belong to the STPD and the 802 1Q tag used to transport EMISTP or PVST encapsulated BPDUs see Encapsulation Modes on page 297 for more information about encapsulating STP BPDUs Only one ca...

Page 297: ...ee RSTP When configured in this mode all rapid configuration mechanisms are enabled The benefit of this mode is available on point to point links only and when the peer is likewise configured in 802 1...

Page 298: ...s It is possible for the physical port to run in different modes for different domains to which it belongs To configure the BPDU encapsulation mode for one or more STP ports use the following command...

Page 299: ...to an STPD are manually and automatically By default ports are manually added to an STPD NOTE The default VLAN and STPD S0 are already on the switch Manually Binding Ports To manually bind ports use o...

Page 300: ...t of ports that you remove from a carrier VLAN are automatically removed from the STPD This feature allows the STPD to increase or decrease its span as ports are added to or removed from a carrier VLA...

Page 301: ...witch s management functions and the backup acts in a standby role Hitless failover transfers switch management control from the primary to the backup and maintains the state of STP STP supports hitle...

Page 302: ...g four VLANs have been defined Sales is defined on switch A switch B and switch M Personnel is defined on switch A switch B and switch M Manufacturing is defined on switch Y switch Z and switch M Engi...

Page 303: ...loops are prevented The protected VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The topology has no loops because STP has already blocked the port...

Page 304: ...ed in an STP topology All VLANs in each switch are members of the same STPD STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch Switch 2...

Page 305: ...and S2 still correspond to VLANs A and B respectively you can fine tune STP parameters to make the left link active in S1 and blocking in S2 while the right link is active in S2 and blocking in S1 Onc...

Page 306: ...local to other VLANs Figure 30 VLAN spanning multiple STPDs In addition the configuration in Figure 30 has these features Each site can be administered by a different organization or department withi...

Page 307: ...Figure 32 VLAN red the only VLAN in the figure spans STPDs 1 2 and 3 Inside each domain STP produces a loop free topology However VLAN red is still looped because the three domains form a ring among...

Page 308: ...on the physical port Third party PVST devices send VLAN 1 packets in a special manner ExtremeWare XOS does not support PVST for VLAN 1 Therefore when the switch receives a packet for VLAN 1 the packet...

Page 309: ...STPD RSTP tries to rapidly move designated point to point links into the forwarding state when a network topology change or failure occurs For rapid convergence to occur the port must be configured as...

Page 310: ...k types Port Link Type Description Auto Specifies the switch to automatically determine the port link type An auto link behaves like a point to point link if the link is in full duplex mode or if link...

Page 311: ...the message age timer restarts The edge port remains in the blocking state until no further BPDUs are received and the message age timer expires Table 47 Derived timers Timer Description TCN The root...

Page 312: ...Is now a root port and no other ports have a recent role assignment that contradicts with its root port role Is a designated port and attaches to another bridge by a point to point link and receives...

Page 313: ...ing state RSTP requires that the recent root timer stop on the previous root port before the new root port can enter the forwarding state Designated Port Rapid Behavior When a port becomes a new desig...

Page 314: ...non edge ports entering the forwarding state cause a topology change A loss of network connectivity is not considered a topology change however a gain in network connectivity must be communicated Whe...

Page 315: ...ge E Figure 35 Down link detected 2 Bridge E believes that bridge A is the root bridge When bridge E receives the BPDU on its root port from bridge F bridge E Determines that it received an inferior B...

Page 316: ...the BPDU from bridge E on its alternate port bridge D Immediately begins the max age timer on its alternate port Performs a configuration update As shown in Figure 38 after the configuration update b...

Page 317: ...port status to neighbors 6 To complete the topology change as shown in Figure 40 Bridge D moves the port that received the agree message into the forwarding state Bridge F confirms that its receiving...

Page 318: ...setting which is 802 1w mode STP Rules and Restrictions This section summarizes the rules and restrictions for configuring STP as follows The carrier VLAN must span all ports of the STPD The StpdID m...

Page 319: ...ort_list dot1d emistp pvst plus 3 Define the carrier VLAN using the following command configure stpd stpd_name tag stpd_tag NOTE The carrier VLAN s VLANid must be identical to the StpdID of the STPD 4...

Page 320: ...ngineering Creates the VLAN Engineering Configures the VLANid Adds ports to the VLAN Engineering Creates an STPD named Backbone_st Configures the default encapsulation mode of dot1d for all ports adde...

Page 321: ...ure red add ports 1 1 1 4 tagged create vlan green configure green tag 200 configure green add ports 1 1 1 2 tagged create vlan yellow configure yellow tag 300 configure yellow add ports 1 3 1 4 tagge...

Page 322: ...Configure the port link types Enable STP Figure 43 RSTP example In this example the commands configure switch A in STPD1 for rapid reconvergence Use the same commands to configure each switch and STP...

Page 323: ...play STP settings use the following command show stpd stpd_name detail This command displays the following information STPD name STPD state STPD mode of operation Rapid Root Failover Tag Ports Active...

Page 324: ...y the STP configuration of the ports assigned to that specific VLAN The command displays the following STPD port configuration STPD port mode of operation STPD path cost STPD priority STPD state root...

Page 325: ...ides Layer 2 redundancy You can use these layered redundancy features in combination or independently You do not have to configure the switch for routing to make valuable use of ESRP The Layer 2 redun...

Page 326: ...maximum of two switches can participate in providing redundant Layer 3 or Layer 2 services to a single Virtual LAN VLAN If you configure and use ESRP groups more than two switches can provide redunda...

Page 327: ...or other unpredictable behavior may occur If you have an untagged master VLAN you must specify an ESRP domain ID The domain ID must be identical on all switches participating in ESRP for that particu...

Page 328: ...ESRP aware you must create an ESRP domain on the aware switch add a master VLAN to that ESRP domain and configure a domain ID if necessary To participate as an ESRP aware switch the following must be...

Page 329: ...e requesting switch For example if a slave switch wants to become the master it enters the pre master state notifies the neighbor switch and forces the neighbor to acknowledge the change The neighbor...

Page 330: ...messages This reduces the amount of packet processing increases the amount of available link bandwidth and does not impact communicating state changes between switches ESRP Domains ESRP domains allow...

Page 331: ...ic Module MSM modules in a BlackDiamond chassis one MSM assumes the role of primary and the other assumes the role of backup MSM The primary MSM executes the switch s management functions and the back...

Page 332: ...earned routes from the IP route table Ping Tracks ICMP ping connectivity to specified devices Environment health checks Tracks the environment of the switch including power supply and chassis temperat...

Page 333: ...a neutral state the switch waits for ESRP to initialize and run A neutral switch does not participate in ESRP elections If the switch leaves the neutral state it enters the slave state Electing the Ma...

Page 334: ...guration passive A passive configuration acts as a stub area and helps increase the time it takes for recalculating the network A passive configuration also maintains a stable OSPF core For more infor...

Page 335: ...consider election factors in the following order Stickiness active ports tracking information ESRP priority sticky ports track priority mac Specifies that this ESRP domain should consider election fac...

Page 336: ...see Chapter 5 Virtual LANs For more information about ESRP master and member VLANs see Adding VLANs to an ESRP Domain on page 337 You can also configure other ESRP domain parameters including ESRP Mod...

Page 337: ...ain ID see ESRP Domains on page 330 To configure an ESRP domain ID use the following command configure esrp esrpDomain domain id number The number parameter specifies the number of the domain ID The u...

Page 338: ...main The state of the ESRP device determines whether the member VLAN is in the forwarding or blocking state To add a member VLAN to an ESRP domain use the following command configure esrp esrpDomain a...

Page 339: ...rmines the maximum available power required for the switch by calculating the number of power supplies and the power required by the installed modules Enabling environmental tracking on the switch wit...

Page 340: ...Domain add track iproute ipaddress masklength configure esrp esrpDomain delete track iproute ipaddress masklength ESRP Ping Tracking You can configure ESRP to track connectivity using a simple ping to...

Page 341: ...lowing command configure esrp esrp1 add track iproute 10 10 10 0 24 The route specified in this command must exist in the IP routing table When the route is no longer available the switch implements a...

Page 342: ...ion with the ESRP switch To remove a port from the restart configuration delete the port from the VLAN and re add it ESRP Host Attach ESRP host attach HA is an optional ESRP configuration that allows...

Page 343: ...net Automatic Protection Switching EAPS or VRRP A broadcast storm may occur To configure a port to be a host port use the following command configure esrp ports ports mode host normal ESRP Port Weight...

Page 344: ...le ESRP groups is when two or more sets of ESRP switches are providing fast failover protection within a subnet A maximum of seven distinct ESRP groups can be supported on a single ESRP switch and a m...

Page 345: ...gure ESRP refer to the ExtremeWare XOS Command Reference Guide Using ELRP with ESRP Extreme Loop Recovery Protocol ELRP is a feature of ExtremeWare XOS that allows you to prevent detect and recover fr...

Page 346: ...its ESRP domain ports If the master switch receives an ELRP PDU that it sent the master transitions to the slave While in the slave state the switch transitions to the pre master rate and periodically...

Page 347: ...is 1 second and the range is 1 to 64 seconds To disable the use of ELRP by ESRP in the master state use the following command configure esrp esrpDomain elrp master poll disable Configuring Ports You c...

Page 348: ...of Extreme Networks devices as edge switches that perform Layer 2 switching for ESRP domain esrp1 and VLAN Sales The edge switches are dual homed to the BlackDiamond 10808 switches The BlackDiamond 1...

Page 349: ...ion The edge switches being ESRP aware allow traffic within the VLAN to failover quickly because these edge switches sense when a master slave transition occurs and flush FDB entries associated with t...

Page 350: ...ExtremeWare XOS switches operate in ESRP standard mode To change the mode of operation use the configure esrp mode extended standard command The commands used to configure the BlackDiamond switches ar...

Page 351: ...the first BlackDiamond 10808 switch uses 802 1Q tagging to carry traffic from both VLANs traffic on one link The BlackDiamond switch counts the link active for each VLAN The second BlackDiamond switch...

Page 352: ...d master sales configure esrp esrp1 priority 5 enable esrp esrp1 create esrp esrp2 configure esrp esrp2 domain id 4097 configure esrp esrp2 add master engineering enable esrp esrp2 Configuration comma...

Page 353: ...nd a VLAN but you must do so on separate devices You should be careful to maintain ESRP connectivity between ESRP master and slave switches when you design a network that uses ESRP and STP ESRP and VR...

Page 354: ...Extreme Standby Router Protocol ExtremeWare XOS 11 1 Concepts Guide 354...

Page 355: ...sers VRRP is used to eliminate the single point of failure associated with manually configuring a default gateway address on each host in a network Without using VRRP if the configured default gateway...

Page 356: ...lover If any of the configured routes are not available within the route table the router automatically relinquishes master status and remains in INIT mode To add or delete a tracked route use the fol...

Page 357: ...routing table When the route is no longer available the switch implements a VRRP failover to the backup To configure ping tracking as shown in Figure 50 use the following command configure vlan vrrp1...

Page 358: ...all backup routers This signals the backup routers that they do not need to wait for the master down interval to expire and the master election process for a new master can begin immediately The maste...

Page 359: ...ckup router The master router is responsible for forwarding packets sent to the virtual router When the VRRP network becomes active the master router broadcasts an ARP request that contains the virtua...

Page 360: ...Fully redundant VRRP configuration In Figure 52 switch A is configured as follows IP address 192 168 1 3 Master router for VRID 1 Backup router for VRID 2 MAC address 00 00 5E 00 01 01 Switch B is con...

Page 361: ...p_address This is the IP address associated with this virtual router You can associate one or more IP addresses to a virtual router This parameter has no default value advertisement_interval This is t...

Page 362: ...ch A are as follows configure vlan vlan1 ipaddress 192 168 1 3 24 create vrrp vlan vlan1 vrid 1 configure vrrp vlan vlan1 vrid 1 prioirty 255 configure vrrp vlan vlan1 vrid 1 add 192 168 1 3 enable vr...

Page 363: ...vlan vlan1 vrid 1 add 192 168 1 3 create vrrp vlan vlan1 vrid 2 configure vrrp vlan vlan1 vrid 2 add 192 168 1 5 enable vrrp The configuration commands for switch B are as follows configure vlan vlan...

Page 364: ...onfigured with IP addresses 1 1 1 1 24 and 2 2 2 2 24 the following configurations are allowed VRRP VR on VLAN v1 with VRID 99 with virtual IP addresses 1 1 1 2 and 1 1 1 3 VRRP VR on VLAN v1 with VRI...

Page 365: ...protocols see Chapter 21 Overview of IP Unicast Routing The switch provides full Layer 3 IP unicast routing It exchanges routing information with other routers on the network using either the Routing...

Page 366: ...affic within each VLAN is switched using the Ethernet MAC addresses Traffic between the two VLANs is routed using the IP addresses Figure 55 Routing between VLANs Populating the Routing Table The swit...

Page 367: ...e advertised using one of the following commands enable rip export bgp direct e bgp i bgp ospf ospf extern1 ospf extern2 ospf inter ospf intra static cost number tag number policy policy name or disab...

Page 368: ...ts on behalf of ARP incapable devices Proxy ARP can also be used to achieve router redundancy and to simplify IP client configuration The switch supports proxy ARP for this type of network configurati...

Page 369: ...th the host at address 100 101 45 67 the IP hosts communicates as if the two hosts are on the same subnet and sends out an IP ARP request The switch answers on behalf of the device at address 100 101...

Page 370: ...VLANs using the following command enable ipforwarding broadcast vlan vlan_name 5 Turn on RIP or OSPF using one of the following commands enable rip enable ospf Verifying the IP Unicast Routing Config...

Page 371: ...ter by way of the VLAN Finance Ports on slots 2 and 4 reach the router by way of the VLAN Personnel All other traffic NetBIOS is part of the VLAN MyCompany The example in Figure 56 is configured as fo...

Page 372: ...prior to that supported a multinetting implementation that required separate VLANs for each IP network The implementation introduced in ExtremeWare XOS 11 0 is simpler to configure does not require t...

Page 373: ...Transfer Protocol TFTP Secure Shell 2 SSH2 and others to the switch from a host residing in either the primary or the secondary subnet of the VLAN Other host functions such as traceroute are also supp...

Page 374: ...figured on per VLAN basis There is no way to configure a routing protocol on an individual primary or secondary interface Configuring a protocol parameter on a VLAN automatically configures the parame...

Page 375: ...ondary interface addresses can be used as the source interface for a BGP neighbor Direct routes corresponding to secondary interfaces can be exported into the BGP domain by enabling export of direct r...

Page 376: ...on that host DHCP Relay When the switch is configured as a DHCP relay agent it will forward the DHCP request received from a client to the DHCP server When doing so the system sets the GIADDR field i...

Page 377: ...d 1 1 1 99 one virtual IP address is owned by the switch and one is not VRRP VR on v1 with VRID of 100 with virtual IP addresses of 2 2 2 2 and 2 2 2 99 one virtual IP address is owned by the switch a...

Page 378: ...tocol DHCP or BOOTP requests coming from clients on subnets being serviced by the switch and going to hosts on different subnets This feature can be used in various applications including DHCP service...

Page 379: ...nces a DHCP server may not properly handle a DHCP request packet containing a relay agent option To prevent DHCP reply packets with invalid or missing relay agent options from being forwarded to the c...

Page 380: ...echo packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command enable udp echo server vr vrid udp port port To...

Page 381: ...65 OSPF Database Overflow RFC 2370 The OSPF Opaque LSA Option RFC 3101 The OSPF Not So Stubby Area NSSA Option Interconnections Bridges and Routers by Radia Perlman ISBN 0 201 56332 0 Published by Add...

Page 382: ...tination networks A large amount of bandwidth taken up by periodic broadcasts of the entire routing table Slow convergence Routing decisions based on hop count no concept of link costs or delay Flat n...

Page 383: ...s a hop count of 16 which defines that router as unreachable Triggered Updates Triggered updates occur whenever a router changes the metric for a route The router is required to send an update message...

Page 384: ...License for the switch from Extreme Networks A subset of OSPF called OSPF Edge Mode is available with an Advanced Edge license OSPF Edge Mode OSPF Edge Mode is a subset of OSPF available on platforms...

Page 385: ...ds after which the system ceases to be in overflow state A timeout value of zero leaves the system in overflow state until OSPF is disabled and re enabled Opaque LSAs Opaque LSAs are a generic OSPF me...

Page 386: ...0 and then expand into other areas NOTE Area 0 0 0 0 exists by default and cannot be deleted or changed The backbone allows summary information to be exchanged between ABRs Every ABR hears the area su...

Page 387: ...order routers where translation is to be enforced If translate is not used on any NSSA border router in a NSSA one of the ABRs for that NSSA is elected to perform translation as indicated in the NSSA...

Page 388: ...area For example in Figure 59 if the connection between ABR1 and the backbone fails the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the b...

Page 389: ...nk types Link Type Number of Routers Description Auto Varies ExtremeWare XOS automatically determines the OSPF link type based on the interface type This is the default setting Broadcast Any Routers m...

Page 390: ...SPF Likewise for any other combinations of protocols you must separately configure each to export routes to the other Redistributing Routes into OSPF Enable or disable the exporting of BGP RIP static...

Page 391: ...export bgp direct e bgp i bgp ospf ospf extern1 ospf extern2 ospf inter ospf intra static cost number tag number policy policy name disable rip export bgp direct e bgp i bgp ospf ospf extern1 ospf ext...

Page 392: ...raffic from stations connected to slots 1 and 3 have access to the router by way of the VLAN Finance Ports on slots 2 and 4 reach the router by way of the VLAN Personnel All other traffic NetBIOS is p...

Page 393: ...e under all circumstances To specify the timer intervals use the following commands configure ospf area area identifier timer retransmit interval transit delay hello interval dead interval wait timer...

Page 394: ...he hello interval the network synchronizes very quickly but might not elect the correct DR or BDR The default value is equal to the dead router wait interval NOTE The OSPF standard specifies that wait...

Page 395: ...internal routers Uses default routes for inter area routing Two router configurations for the example in Figure 62 are provided in the following section Configuration for ABR1 The router labeled ABR1...

Page 396: ...n about all OSPF interfaces in a detail format ExtremeWare XOS provides several filtering criteria for the show ospf lsdb command You can specify multiple search criteria and only those results matchi...

Page 397: ...ons for BGP RFC 1966 BGP Route Reflection RFC 1997 BGP Communities Attribute RFC 1745 BGP IDRP for IP OSPF Interaction RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option RFC 2439 BGP...

Page 398: ...ocol IGP Exterior Gateway Protocol EGP and incomplete AS_Path The list of ASs that are traversed for this route Next_hop The IP address of the next hop BGP router to reach the destination listed in th...

Page 399: ...o serve as a central routing point for the AS A cluster is formed by the route reflector and its client routers Peer routers that are not part of the cluster must be fully meshed according to the rule...

Page 400: ...configure vlan to_nc ipaddress 10 0 0 2 24 enable ipforwarding vlan to_nc create vlan to_c1 configure vlan to_c1 add port 1 2 configure vlan to_c1 ipaddress 20 0 0 2 24 enable ipforwarding vlan to_c1...

Page 401: ...to multiple sub ASs and to group these sub ASs into a routing confederation Within the confederation each sub AS must be fully meshed The confederation is advertised to other networks as a single AS R...

Page 402: ...or 192 1 1 5 remote AS number 65001 create bgp neighbor 192 1 1 18 remote AS number 65001 enable bgp neighbor all To configure router B use the following commands create vlan ba configure vlan ba add...

Page 403: ...bgp neighbor 192 1 1 17 remote AS number 65001 enable bgp neighbor all To configure router D use the following commands create vlan db configure vlan db add port 1 configure vlan db ipaddress 192 1 1...

Page 404: ...se BGP route aggregation 1 Enable aggregation using the following command enable bgp aggregation 2 Create an aggregate route using the following command configure bgp add aggregate address address fam...

Page 405: ...atory parameters are inherited from the peer group If you specify the acquire all option all of the parameters of the peer group are inherited This command disables the neighbor before adding it to th...

Page 406: ...ften a route has flapped once it stops flapping it will again be advertised after the maximum route suppression time Configuring Route Flap Dampening Using a route map you enable BGP route flap dampen...

Page 407: ...st AS path lowest origin code lowest Multi Exit Discriminator MED route from external peer lowest cost to next hop lowest routerID Stripping Out Private AS Numbers from Route Updates Private AS number...

Page 408: ...interface routes to BGP use the following commands enable bgp export direct ospf ospf extern1 ospf extern2 ospf inter ospf intra rip static address family ipv4 unicast ipv4 multicast export policy po...

Page 409: ...is a function that allows a single IP host to send a packet to a group of IP hosts This group of hosts can include devices that reside on or outside the local network and within or across a routing d...

Page 410: ...o prune and graft multicast routes PIM DM routers perform reverse path multicasting RPM However instead of exchanging its own unicast route tables for the RPM algorithm PIM DM uses the existing unicas...

Page 411: ...r the switch can be configured to disable the generation of periodic IGMP query packets IGMP should be enabled when the switch is configured to perform IP unicast or IP multicast routing IGMP Snooping...

Page 412: ...e igmp snooping vlan vlanname ports portlist delete static group ip_address all configure igmp snooping vlan vlanname ports portlist delete static router To display the IGMP snooping static groups use...

Page 413: ...PF configuration on a switch See Chapter 20 for more information about configuring OSPF PIM DM Configuration Example In Figure 65 the system labeled IR 1 is configured for IP multicast routing using P...

Page 414: ...ABR1 is configured for IP multicast routing using PIM SM Figure 66 IP multicast routing using PIM SM configuration example The router labeled ABR1 has the following configuration configure vlan HQ_10_...

Page 415: ...48 2 2 255 255 255 0 configure vlan CHI_160_26_26 ipaddress 160 26 26 1 255 255 255 0 configure ospf add vlan all area 0 0 0 0 enable ipforwarding enable ipmcforwarding configure pim add vlan all spar...

Page 416: ...IP Multicast Routing ExtremeWare XOS 11 1 Concepts Guide 416...

Page 417: ...3 Appendixes...

Page 418: ......

Page 419: ...lash slot of the Management Switch Fabric Module MSM Downloading a new image involves the following steps Loading the new image onto a TFTP server on your network if you will be using TFTP Loading the...

Page 420: ...s named with the file extension xmod while the core images use the file extension xos Modular software packages are built at the same time as core images and are designed to work in concert with the c...

Page 421: ...active partition use the following command show switch Output from this command includes the selected and booted images and if they are in the primary or secondary partition If two MSMs are installed...

Page 422: ...dd yyyy hh mm ss NOTE When you configure a timed reboot of the switch use the show switch command to see the scheduled time To reboot the switch immediately use the following command reboot If you do...

Page 423: ...MSM which allows the backup to take over the management functions of the primary NOTE If you download an image to the backup MSM the image passes through the primary MSM before the image is downloaded...

Page 424: ...up MSM is installed in slot A specify msm A Before the download begins the switch prompts you to install the image immediately after the download is finished If you install the image immediately after...

Page 425: ...software packages see Installing a Modular Software Package on page 420 To perform a hitless upgrade follow the steps described in the previous section Performing a Hitless Upgrade Hitless Upgrade Ex...

Page 426: ...er the name of the file in the CLI the system automatically adds the cfg file extension If you have made a mistake or you must revert to the configuration as it was before you started making changes y...

Page 427: ...s use the following command unconfigure switch This command resets the entire configuration with the exception of user accounts and passwords that have been configured and the date and time To erase t...

Page 428: ...ress g r remote_file Where the following is true host name Is the host name of the TFTP server ip_address Is the IP address of the TFTP server g Gets the specified file from the TFTP server and copies...

Page 429: ...s the old configuration files on the backup MSM only upon a successful file synchronization If an error occurs the switch does not delete the old configuration files on the backup MSM For example if y...

Page 430: ...d image is booted If you do not specify an image name the default image is booted Selecting a configuration To select a different configuration from the one currently running use the config default fi...

Page 431: ...ation auto install install on demand Where the following is true auto install Specifies ExtremeWare XOS to automatically upgrade the firmware if the software detects a newer firmware image is availabl...

Page 432: ...Software Upgrade and Boot Options ExtremeWare XOS 11 1 Concepts Guide 432...

Page 433: ...he PoE Module Aspen 8810 Switch Only on page 449 Untagged Frames on the 10 Gbps Module BlackDiamond 10K Switch Only on page 449 Running MSM Diagnostics from the Bootloader BlackDiamond 10K Switch Only...

Page 434: ...for a related I O module error If the error is an inserted I O module that conflicts with the software configuration use one of the following commands to reset the slot configuration clear slot confi...

Page 435: ...elnet facility Telnet access is enabled for the switch If you attempt to log in and the maximum number of Telnet sessions are being used you should receive an error message indicating so Traps are not...

Page 436: ...over cable This is a CAT5 cable that has pins 1 and 2 on one end connected to pins 3 and 6 on the other end Excessive RX CRC errors When a device that has autonegotiation disabled is connected to an E...

Page 437: ...Error Protocol conflict when adding untagged port 1 1 Either add this port as tagged or assign another protocol to this VLAN you already have a VLAN using untagged traffic on a port Only one VLAN usi...

Page 438: ...domain You might be attempting to add Another 802 1D mode STP port to a physical port that already contains an 802 1D mode STP port only one 802 1D encapsulation STP port can be configured on a parti...

Page 439: ...se the VLANid as the domain ID you must specify a different domain ID You cannot delete the master VLAN from the ESRP domain If you attempt to remove the master VLAN before disabling the ESRP domain y...

Page 440: ...cates a loop in the Layer 2 network Once a loop is detected through ELRP different recovery actions can be taken such as blocking certain ports to prevent loop or logging a message to system log The a...

Page 441: ...ecified ports of a VLAN using a particular count and interval use one of the following commands configure elrp client one shot vlan_name ports ports all interval sec retry count log print print and lo...

Page 442: ...mary and secondary images of the compact flash To use the rescue software image you must be running ExtremeWare XOS 11 1 or later Earlier versions of ExtremeWare XOS do not support the rescue software...

Page 443: ...the BOOTLOADER command prompt After you download the ExtremeWare XOS image file the switch installs the software and reboots After the switch reboots the switch enters an uninitialized state At this...

Page 444: ...rd Specifies that saving debug information to the external memory card is enabled off Specifies that saving debug information to the external memory card is disabled This is the default behavior To sa...

Page 445: ...e the file extensions the file may be unrecognized by the system For example if you have an existing configuration file named test cfg the new filename must include the cfg file extension Copying File...

Page 446: ...FC 2348 TFTP Blocksize Option to enable faster file downloads and larger file downloads System Health Check This section provides a brief overview the system health check functionality of the followin...

Page 447: ...eceives diagnostic packets from the I O module to determine the state and connectivity If you disable backplane diagnostics the system health checker stops sending backplane diagnostic packets Enablin...

Page 448: ...irst Recorded Field Replaceable Units Days Start Date Chassis BD 10808 107 Feb 23 2004 Slot 1 G60X 99 Dec 10 2003 Slot 2 G60X 74 Mar 22 2004 Slot 3 G60X 151 Jan 12 2004 Slot 4 Slot 5 10G6X 49 Apr 09 2...

Page 449: ...onfigured inline power budget for that slot However actual aggregate power can be delivered up to the configured inline power budget for the slot for example when delivered power from ports increases...

Page 450: ...tics for image 2 initiates diagnostics for the secondary image For example to run diagnostics on the primary image use the following command boot 3 When the test is finished the MSM reboots and runs t...

Page 451: ...address for transmission on Ethernet hardware RFC 2338 Virtual Router Redundancy Protocol Draft VRRP spec v2 06 minor modifications to RFC 2338 Extreme Standby Router Protocol ESRP IEEE 802 1D 1998 S...

Page 452: ...1997 BGP Communities Attribute RFC 1745 BGP4 IDRP for IP OSPF Interaction RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option RFC 2439 BGP Route Flap Dampening MBGP PoE RFC 3621 Power...

Page 453: ...sing and Dispatching for the Simple Network Management Protocol SNMP RFC 2573 Simple Network Management Protocol SNMP Applications RFC 2574 User based Security Model USM for version 3 of the Simple Ne...

Page 454: ...pts Guide 454 DiffServ Standards and MIBs RFC 2474 Definition of the Differentiated Services Field DS Field in the IPv4 and IPv6 Headers RFC 2475 An Architecture for Differentiated Services RFC 2597 A...

Page 455: ...on Protocol ARP is part of the TCP IP suite used to dynamically associate a device s physical address MAC address with its logical address IP address The system broadcasts an ARP request containing th...

Page 456: ...the new DR The BDR is elected by the protocol each hello packet has a field that specifies the BDR for the network BGP Border Gateway Protocol BGP is a router protocol in the IP suite designed to exch...

Page 457: ...ween clients on the same radio So bridged traffic can be forwarded from one AP to another AP without having to pass through the switch on the wired network broadcast A broadcast message is forwarded t...

Page 458: ...d to a given STPD not just to one individual port The encapsulation modes are 802 1d This mode is used for backward compatibility with previous STP versions and for compatibility with third party swit...

Page 459: ...R Designated router In OSPF the DR generates an LSA for the multiaccess network and has other special responsibilities in the running of the protocol The DR is elected by the OSPF protocol dropped pac...

Page 460: ...u can configure ports within an STPD to accept specific BPDU encapsulations The three encapsulation modes are 802 1D This mode is used for backward compatibility with previous STP versions and for com...

Page 461: ...r the entire switch not by EAPS domain FDB Forwarding database The switch maintains a database of all MAC address received on all of its ports and uses this information to decide whether a frame shoul...

Page 462: ...hin an AS ICMP Internet Control Message Protocol ICMP is the part of the TCP IP protocol that allows generation of error messages test packets and operating messages For example the ping command allow...

Page 463: ...Although you can have a static IP address many IP addresses are assigned dynamically from a pool Many corporate networks and online services economize on the number of IP addresses they use by sharing...

Page 464: ...etwork interface card on each device MAN Metropolitan area network A MAN is a data network designed for a town or city MANs may be operated by one organization such as a corporation with several offic...

Page 465: ...e This Extreme Networks proprietary name refers to the module that holds both the control plane and the switch fabric for switches that run the ExtremeWare XOS software One MSM is required for switch...

Page 466: ...nager performs the process of node election which selects the master or primary MSM when you have two MSMS installed in the chassis The Node Manager is useful for system redundancy NSSA Not so stubby...

Page 467: ...er table updates throughout the network This protocol is more efficient and scalable than vector distance routing protocols P packet This is the unit of data sent across a network Packet is a generic...

Page 468: ...r the POST completes contact your supplier for advice primary port In EAPS a primary port is a port on the master node that is designated the primary port to the ring protected VLAN In STP protected V...

Page 469: ...parameters for networking RIP Routing Information Protocol This IGP vector distance routing protocol is part of the TCP IP suite and maintains tables of all known destinations and the number of hops r...

Page 470: ...port is a port on the master node that is designated the secondary port to the ring The transit node ignores the secondary port distinction as long as the node is configured as a transit node SMF Sing...

Page 471: ...D The two modes of operation are 802 1d Compatible with legacy STP and other devices using the IEEE 802 1d standard 802 1w Compatible with Rapid Spanning Tree RSTP stub areas In OSPF a stub area is co...

Page 472: ...4 protocol unicast A unicast packet is communication between a single sender and a single receiver over a network untagged VLAN A VLAN remains untagged unless you specifically configure the IEEE 802 1...

Page 473: ...switch It has no ports and you cannot assign any ports to it It also cannot be associated with VLANs or routing protocols Referred to as VR 1 in earlier ExtremeWare XOS software versions VR Default Th...

Page 474: ...r router become unavailable In case the master router fails the virtual IP address is mapped to a backup router s IP address this backup becomes the master router This allows any of the virtual router...

Page 475: ...igure eaps secondary port 277 configure eaps shared port domain 285 configure eaps shared port mode 285 configure eaps shared port segment timeout 285 configure edp advertisement interval 95 configure...

Page 476: ...ty 58 configure snmp add trapreceiver community 58 configure snmp delete trapreceiver 58 configure snmpv3 add access 61 configure snmpv3 add filter subtree type 65 configure snmpv3 add filter profile...

Page 477: ...e power slot 109 disable ipforwarding 247 disable learning port 177 disable log debug mode 443 disable log target 133 disable netlogin 237 disable netlogin logout privilege 237 disable netlogin ports...

Page 478: ...re 431 install image 420 424 425 L logout 49 ls 51 73 74 75 445 M mv 72 75 445 N nslookup 41 P ping 37 41 42 Q quit 49 R reboot 53 54 422 refresh policy 181 reset inline power ports 107 113 rm 74 75 4...

Page 479: ...62 show snmpv3 filter 65 show snmpv3 filter profile 65 show snmpv3 group 62 show snmpv3 mib view 63 show snmpv3 notify 66 show snmpv3 target addr 64 show snmpv3 target params 65 show snmpv3 user 61 sh...

Page 480: ...ExtremeWare XOS 11 1 Concepts Guide 480 Index of Commands use configuration 75 426 use image 421 424 V virtual router 173...

Page 481: ...n statements policy 194 actions ACL 184 active interface 410 Address Resolution Protocol See ARP address based load sharing 87 88 admin account 38 Advanced Core license 28 advertisement interval EDP 9...

Page 482: ...g 429 exiting 430 prompt 430 BOOTP relay configuring 378 viewing 379 BOOTP server 47 BOOTP using 47 BootROM upgrading 430 Bootstrap Protocol See BOOTP Border Gateway Protocol See BGP bulk checkpointin...

Page 483: ...29 users 38 default VLAN 160 denial of service protection 239 DHCP network login and 229 requirement for web based network login 229 DHCP relay and IP multinetting 376 configuring 378 viewing 379 DHC...

Page 484: ...ormation 95 100 egress traffic rate limiting 220 election algorithms ESRP 334 ELRP and ESRP 346 description 345 loop detection 440 master behavior ESRP 346 pre master behavior ESRP 346 standalone 440...

Page 485: ...8 Ether type 167 Ethernet Automatic Protection Switching See EAPS Event Management System See EMS Events RMON 149 explicit packet marking QoS 208 extended mode ESRP domain 325 329 Extreme Discovery Pr...

Page 486: ...aces router 365 Internet Group Management Protocol See IGMP Internet Router Discovery Protocol See IRDP interoperability requirements 231 IP address entering 48 IP fragmentation 85 IP multicast routin...

Page 487: ...tabase See LSDB link state protocol description 382 load sharing algorithms 87 88 and control protocols 87 and ESRP don t count 343 and ESRP host attach 343 and software controlled redundant ports 87...

Page 488: ...ewing 54 non aging entries FDB 176 normal area OSPF 387 notification tags SNMPv3 66 notification SNMPv3 64 Not So Stubby Area See NSSA NSSA 387 See also OSPF O opaque LSAs OSPF 385 Open Shortest Path...

Page 489: ...ts 194 autonomous system expressions 193 examples translating a route map 197 translating an access profile 195 file syntax 191 rule entry 191 policy file copying 73 445 deleting 74 445 displaying 74...

Page 490: ...h devices outside subnet 369 conditions 368 configuring 368 description 368 MAC address in response 368 proxy ARP continued responding to requests 368 subnets 369 public community SNMP 58 PVST descrip...

Page 491: ...rate limiting displaying 100 egress traffic 220 rate shaping bi directional See bi directional rate shaping read only switch access 58 read write switch access 58 reboot MSM 422 switch 422 receive er...

Page 492: ...421 Secure Shell 2 See SSH2 protocol security license 29 security name SNMPv3 61 sessions console 43 deleting 50 maximum number of 43 shell 44 SSH2 50 Telnet 46 TFTP 50 severity levels EMS 134 sFlow c...

Page 493: ...ing setting 99 100 speed ports configuring 82 displaying 99 100 split horizon RIP 383 SSH2 license 29 SSH2 protocol authentication key 249 description 50 249 enabling 249 maximum number of sessions 50...

Page 494: ...7 modes of operation BlackDiamond 10K switch 127 system health monitoring 126 system LEDs 433 system location SNMP 58 system name SNMP 58 system odometer 448 system recovery 130 system redundancy bulk...

Page 495: ...tual routers 24 VLANs 153 155 160 161 437 VMANs 83 VRRP 364 439 VRRP and ESRP 364 trunks 155 tunneling 163 167 See also VMANs Type of Service See TOS U UDP echo server 380 untagged frames VLANs 153 16...

Page 496: ...ring 87 and virtual routers 164 configuring 165 description 163 displaying 167 displaying settings 100 example 165 166 guidelines 164 jumbo frames 83 names 33 tagging ports 164 troubleshooting 87 165...

Reviews:

No comments

Related manuals for ExtremeWare XOS 11.1

Brand: Xerox Pages: 28

RayTech RNS 5.0

Brand: Raymarine Pages: 152

IBM LOTUS NOTES-DOMINO V 11.3 - INSTALLATION AND ...

Brand: Tandberg Data Pages: 49

VIRUSSCAN HOME EDITION 7.0

Brand: McAfee Pages: 56

Pilot for Android

Brand: Garmin Pages: 150

Brand: FarmerGPS Pages: 60

1210SA - Serial ATA RAID Controller

Brand: Adaptec Pages: 88

Brand: GameShark Pages: 15

Application Accelerator

Brand: Intel Pages: 90

GPS Information

Brand: Globalsat Pages: 7

Brand: VERITAS Pages: 580

VIRTUALBOX 3.0.0

Brand: Sun Microsystems Pages: 259

Brand: QMS Pages: 50

Brand: TerraTec Pages: 20

MEDIASTUDIO PRO 6.0

Brand: Ulead Pages: 360

Brand: KapLogic Pages: 24

ANTI-VIRUS 5.0 - FOR SENDMAIL WITH MILTER...

Brand: KAPERSKY Pages: 100

ANTI-EXECUTABLE STANDARD

Brand: FARONICS Pages: 46

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands