manualshive.com logo in svg

Extreme Networks ExtremeWare XOS 11.3, Manual

Get free access to the Extreme Networks ExtremeWare XOS 11.3 user manual for all your networking needs. Easily download the manual from manualshive.com to navigate the advanced features and functions of this cutting-edge product. Stay informed and make the most out of your networking experience with this comprehensive guide.

Share
Download
background image

Denial of Service Protection

 

ExtremeWare XOS 11.3 Concepts Guide

321

Configuring Denial of Service Protection

To enable or disable DoS protection, use the following commands:

enable dos-protect

disable dos-protect

After enabling DoS protection, the switch will count the packets handled by the CPU and periodically 
evaluate whether to send a notification and/or create an ACL to block offending traffic. You can 
configure a number of the values used by DoS protection if the default values are not appropriate for 
your situation. The values that you can configure are:

interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)

alert threshold—The number of packets received in an interval that will generate an ACL (default: 
4000 packets)

notify threshold—The number of packets received in an interval that will generate a notice (default: 
3500 packets)

ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5 
seconds) 

To configure the interval at which the switch checks for DoS attacks, use the following command:

configure dos-protect interval <seconds>

 

To configure the alert threshold, use the following command:

configure dos-protect type l3-protect alert-threshold <packets>

 

To configure the notification threshold, use the following command:

configure dos-protect type l3-protect notify-threshold <packets>

To configure the ACL expiration time, use the following command:

configure dos-protect acl-expire <seconds>

Configuring Trusted Ports

Traffic from trusted ports will be ignored when DoS protect counts the packets to the CPU. If we know 
that a machine connected to a certain port on the switch is a safe "trusted" machine, and we know that 
we will not get a DoS attack from that machine, the port where this machine is connected to can be 
configured as a trusted port, even though a large amount of traffic is going through this port.

To configure the trusted ports list, use the following command:

configure dos-protect trusted-ports [ports [<ports> | all] | add-ports [<ports-to-add> 

| all] | delete-ports [<ports-to-delete> | all] ]

Displaying DoS Protection Settings

To display the DoS protection settings, use the following command:

show dos-protect {detail}

Summary of Contents for ExtremeWare XOS 11.3

Page 1: ...s Inc 3585 Monroe Street Santa Clara California 95051 408 579 2800 888 257 3000 http www extremenetworks com ExtremeWare XOS Concepts Guide Software Version 11 3 Published September 2005 Part number 1...

Page 2: ...eWare XOS operating system is based in part on the Linux operating system The machine readable copy of the corresponding source code is available for the cost of distribution Please direct requests to...

Page 3: ...kDiamond 10K Switch Only 34 Obtaining a License Voucher 35 Enabling and Verifying Licenses 35 Security Licensing 35 Software Factory Defaults 36 Chapter 2 Accessing the Switch 39 Understanding the Com...

Page 4: ...elnet 64 Configuring Switch IP Parameters 64 Configuring Telnet Access to the Switch 66 Disconnecting a Telnet Session 68 Using Secure Shell 2 69 Using the Trivial File Transfer Protocol 69 Connecting...

Page 5: ...ng CPU Monitoring 106 Enabling CPU Monitoring 106 Displaying CPU Utilization History 107 Chapter 5 Configuring Slots and Ports on a Switch 109 Configuring a Slot on a Modular Switch BlackDiamond 10K S...

Page 6: ...tion Information 140 Port Display Summit X450 Switch Only 143 Port Display BlackDiamond 8800 Family of Switches Only 144 Port Display BlackDiamond 10K Series Switch Only 145 Chapter 6 Link Layer Disco...

Page 7: ...Switch Only 185 Observing LED Behavior During a Diagnostic Test 186 Displaying Diagnostic Test Results 189 System Health Checking Modular Switches Only 189 Understanding the System Health Checker Bla...

Page 8: ...228 Configuring VLANs on the Switch 229 VLAN Configuration Examples 229 Displaying VLAN Settings 230 Displaying Protocol Information 232 Tunneling VMANs 232 Overview 232 QoS Queue on Egress Port 234 G...

Page 9: ...achine 258 Checking Policies 258 Refreshing Policies 259 Applying Policies 259 Applying ACL Policies 259 Applying Routing Policies 260 Chapter 13 Access Lists ACLs 261 ACLs 261 ACL Policy File Syntax...

Page 10: ...0 Switch Only 309 Bi Directional Rate Shaping BlackDiamond 10K Switch Only 310 Bandwidth Settings 311 Configuring Bi Directional Rate Shaping 312 Chapter 16 Security 313 Security Overview 313 Safe Def...

Page 11: ...3 Web Based Authentication 363 Enabling and Disabling Web Based Network Login 364 Configuring the Base URL 364 Configuring the Redirect Page 364 Configuring Session Refresh 365 Configuring Logout Priv...

Page 12: ...imers 405 Configuring the Primary and Secondary Ports 406 Configuring the EAPS Control VLAN 406 Configuring the EAPS Protected VLANs 407 Enabling and Disabling Fast Convergence 407 Enabling and Disabl...

Page 13: ...s 447 Configuring STP on the Switch 447 STP Configuration Examples 448 Basic 802 1D Configuration Example 448 EMISTP Configuration Example 449 RSTP 802 1w Configuration Example 450 Displaying STP Sett...

Page 14: ...etting 484 ESRP and STP 484 ESRP and VRRP 484 ESRP Groups and Host Attach 484 Port Configurations and ESRP 484 Chapter 22 Virtual Router Redundancy Protocol 485 Overview 485 Determining the VRRP Maste...

Page 15: ...6 Addresses 516 Neighbor Discovery Protocol 518 Populating the Routing Table 519 Configuring IP Unicast Routing 522 Verifying the IP Unicast Routing Configuration 522 Routing Configuration Example 522...

Page 16: ...Configuring OSPF Wait Interval 551 OSPF Wait Interval Parameters 552 OSPF Configuration Example 553 Configuration for ABR1 554 Configuration for IR1 554 Displaying OSPF Settings 555 Chapter 28 OSPFv3...

Page 17: ...Selecting a Primary or a Secondary Image 593 Installing a Core Image 593 Installing a Modular Software Package 594 Rebooting the Switch 596 Rebooting the Management Module Modular Switches Only 597 Un...

Page 18: ...rmation 627 Copying Debug Information 627 Managing Files on the External Memory Card Modular Switches Only 627 TOP Command 629 TFTP Server Requirements 629 System Health Check Modular Switches Only 62...

Page 19: ...37 Enabling the CNA Agent 637 Connecting to the CNA Server 637 Configuring the Interface 638 Clearing the Counters 638 Displaying CNA Agent Information 638 Troubleshooting 639 Appendix D Supported Pro...

Page 20: ...Contents ExtremeWare XOS 11 3 Concepts Guide 20...

Page 21: ...rks LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Internet Protocol IP concepts Routing Information Protocol RIP and Open Shortest Path First OSPF Border Gateway Pro...

Page 22: ...10 switch formerly known as Aspen Summit X450 switch BlackDiamond 8806 switch When a feature or feature implementation applies to specific platforms the specific platform is noted in the heading for t...

Page 23: ...nd reference guide for any command mentioned in the user guide To ensure that the quick referencing feature functions properly follow these steps 1 Download both the user guide PDF file and the comman...

Page 24: ...o the command reference PDF file when the command reference PDF file is closed that is not currently open on your computer desktop the system will close the user guide PDF file and open the command re...

Page 25: ...1 Using ExtremeWare XOS...

Page 26: ......

Page 27: ...her BlackDiamond 8810 switch formerly known as Aspen ExtremeWare XOS 11 1 and higher Summit X450 switch ExtremeWare XOS 11 2 and higher BlackDiamond 8806 switch ExtremeWare XOS 11 3 1 and higher NOTE...

Page 28: ...lient and per command authentication support TACACS support Console command line interface CLI connection Telnet CLI connection Secure Shell SSH2 connection Simple Network Management Protocol SNMP sup...

Page 29: ...gle virtual router that spans more than one physical router and allows multiple switches to provide redundant routing services to users For more information about VRRP see Chapter 22 For more informat...

Page 30: ...ee Chapter 15 sFlow sFlow is a technology for monitoring traffic in data networks containing switches and routers The technology relies on statistical sampling of packets from high speed networks plus...

Page 31: ...k its port connection is in an unauthenticated state denying any access to the network During authentication the user supplies a password to the switch using the host If authenticated the port connect...

Page 32: ...e Link Layer Discovery Protocol LLDP LLDP is a Layer 2 protocol IEEE standard 802 1ab that is used to determine the capabilities of devices such as repeaters bridges access points routers and wireless...

Page 33: ...Advanced Core license level to the Core license You have BGP functionality with a Core license When you are working with modular switches the license belongs with the switch chassis not with the parti...

Page 34: ...t for this feature at this license level Upgrading on the BlackDiamond 10K Switch Only The licensing levels on the BlackDiamond 10K switch depend on the MSM you have in your system The MSM 1 ships wit...

Page 35: ...etworks Technical Support at 800 998 2408 408 579 2826 Enabling and Verifying Licenses To enable the license use the following command enable license key To verify the current license level as well as...

Page 36: ...eparate software module to run SSH SNMP access Enabled SSL Disabled You must install a separate software module to run SSL SSH module SNMP read community string public SNMP write community string priv...

Page 37: ...l EMISTP Forwarding database aging period 300 seconds 5 minutes IPv4 Routing Disabled RIP Disabled OSPFv2 Disabled BGPv4 Disabled IPv6 Routing Disabled RIPng Disabled OSPFv3 Disabled Smart Redundancy...

Page 38: ...ExtremeWare XOS Overview ExtremeWare XOS 11 3 Concepts Guide 38...

Page 39: ...eatures of the ExtremeWare XOS software However only a subset of commands are described here and in some cases only a subset of the options that a command supports The ExtremeWare XOS Command Referenc...

Page 40: ...cursor at the end of the command you have entered so far ready for the next option If you enter an invalid command the syntax helper notifies you of your error and indicates where the error is located...

Page 41: ...d NOTE If you use the same name across categories for example STPD and VLAN names Extreme Networks recommends that you specify the identifying keyword as well as the actual name If you do not use the...

Page 42: ...an address for ipaddress when entering the command Do not type the angle brackets square brackets Enclose a required value or list of required arguments One or more values or arguments can be specifi...

Page 43: ...t has a total of four ports is installed in slot 2 of the chassis the following ports are valid 2 1 2 2 2 3 2 4 You can also use wildcard combinations to specify multiple modular slot and port combina...

Page 44: ...command Ctrl U Clears all characters typed from cursor to beginning of line Ctrl W Deletes previous word Ctrl C Interrupts the current CLI command execution Table 7 Common commands Command Descriptio...

Page 45: ...ssword Creates a user account This command is available to admin level users and to users with RADIUS command authorization The username is between 1 and 32 characters the password is between 0 and 32...

Page 46: ...g of the screen display when show command output reaches the end of the page The default setting is enabled enable idletimeout Enables a timer that disconnects all sessions both Telnet and console aft...

Page 47: ...of your network by taking the following actions change your admin password change your SNMP public and private strings consider using SNMPv3 to secure network management traffic All the changes you ma...

Page 48: ...he user logged on by way of the Telnet connection is notified that the session has been terminated If you have logged on with administrator capabilities the command line prompt ends with a sign For ex...

Page 49: ...specified account press Enter twice Viewing Accounts To view the accounts that have been created you must have administrator privileges To see the accounts use the following command show accounts Dele...

Page 50: ...p text Exit Use this command to exit the failsafe account and return to the login prompt Typically you use the Login command to correct the problem that initially required you to use the failsafe acco...

Page 51: ...rd while logged out of the CLI contact your local technical support representative who will advise on your next course of action Applying Security to Passwords You can increase the security of your sy...

Page 52: ...using the configure cli max failed logins num of logins command This command also sets the number of failed logins that terminate the particular session Once locked out using the configure account pa...

Page 53: ...ws a sample display from the show accounts command User Name Access LoginOK Failed admin R W 3 1 user RO 0 0 dbackman R W 0 0 ron RO 0 0 nocteam RO 0 0 Account locked Access to Both MSM Console Ports...

Page 54: ...commands when running them on VR Mgmt The switch offers the following commands for checking basic connectivity ping traceroute Ping The ping command enables you to send Internet Control Message Proto...

Page 55: ...ified the address of the transmitting interface is used host is the host of the destination endstation To use the hostname you must first configure DNS ttl configures the switch to trace the hops unti...

Page 56: ...tem Watchdog Enabled Current Time Wed May 19 11 04 32 2004 Timezone Auto DST Enabled GMT Offset 480 minutes name is PST DST of 0 minutes is currently in effect name is PDT DST begins every first Sunda...

Page 57: ...tes name is UTC Boot Time Fri Feb 13 23 57 48 2004 Next Reboot None scheduled Current State OPERATIONAL Image Selected primary Image Booted primary Primary ver 11 2 0 16 Secondary ver 11 2 0 10 Config...

Page 58: ...Accessing the Switch ExtremeWare XOS 11 3 Concepts Guide 58...

Page 59: ...e Protocol on page 92 Overview Using ExtremeWare XOS you can manage the switch using the following methods Access the command line interface CLI by connecting a terminal or workstation with terminal e...

Page 60: ...tion of eight Telnet and SSH connections can access the switch even though Telnet and SSH each support eight connections For example if you have six Telnet sessions and two SSH sessions no one else ca...

Page 61: ...primary MSM acquires the IP address of the previous primary MSM To configure the IP address and subnet mask for the VLAN mgmt use the following command configure vlan mgmt ipaddress ip_address subnet_...

Page 62: ...remeWare XOS version of TACACS is used to authenticate prospective users who are attempting to administer the switch TACACS is used to communicate between the switch and an authentication database For...

Page 63: ...e connection is established you see the switch prompt and you can log in The same is true if you use the switch to connect to another host From the CLI you must specify the IP address or host name of...

Page 64: ...nd you have a Bootstrap Protocol BOOTP server set up correctly on your network you must provide the following information to the BOOTP server Switch Media Access Control MAC address found on the rear...

Page 65: ...LAN NOTE For information on creating and configuring VLANs see Chapter 9 To manually configure the IP settings 1 Connect a terminal or workstation running terminal emulation software to the console po...

Page 66: ...log out of the switch by typing logout or quit Configuring Telnet Access to the Switch By default Telnet services are enabled on the switch and all virtual routers listen for incoming Telnet requests...

Page 67: ...two methods to load ACL policies to the switch Use the edit policy command to launch a VI like editor on the switch You can create the policy directly on the switch Use the tftp command to transfer a...

Page 68: ...of Telnet including the current TCP port the virtual router used to establish a Telnet session and whether ACLs are controlling Telnet access use the following command show management Disabling and En...

Page 69: ...al File Transfer Protocol ExtremeWare XOS supports the Trivial File Transfer Protocol TFTP based on RFC 1350 TFTP is a method used to transfer files from one network device to another The ExtremeWare...

Page 70: ...ver the management functions if the master MSM fails Node Election Node election is based on leader election between the MSMs installed in the chassis The MSM installed in slot A has master status The...

Page 71: ...the master MSM showing MASTER and the backup MSM showing BACKUP InSync A node may not be synchronized because checkpointing did not occur incompatible software is running on the master and backup or t...

Page 72: ...initialization of a standby or backup MSM the master s saved configuration is copied to local flash After the configuration is saved the master transfers the current active configuration to the backup...

Page 73: ...ys in percentages the amount of copying completed by each process and the traffic statistics between the process on both the master and the backup MSMs Viewing Node Status ExtremeWare XOS allows you t...

Page 74: ...lows but subsequent behavior depends on the routing protocols used Static layer 3 configurations and routes are hitless You must configure OSPF graceful restart for OSPF routes to be maintained See Ch...

Page 75: ...h the same ports set to forwarding blocking If the master fails over there is no change in the backup s state There should be no data loss If the backup MSM state is Preforwarding and the master MSM i...

Page 76: ...over all hardware and software caches are cleared and learning from the hardware is restarted This causes a traffic interruption since it is the same as if the switch rebooted for all Layer 3 multicas...

Page 77: ...relearns routes from all of them This causes an increase in control traffic onto the network No Power over Ethernet PoE The PoE configuration is checkpointed to the backup MSM This ensures that if the...

Page 78: ...ports to be able to pass traffic again I O modules not yet in the Operational state are powered off and the card state machine is restarted to bring them to the Operational state This results in a de...

Page 79: ...BlackDiamond 8800 family of switches there are specific power budget requirements and configurations associated with PoE that are not described in this section For more detailed information about PoE...

Page 80: ...as enough power to continue operation If you install or provide power to a new PSU I O modules powered down due to earlier insufficient power are considered for power up from the lowest slot number to...

Page 81: ...dules to power down To resume using automatic power supply management on a PSU use the configure power supply ps_num auto command The setting for each PSU is stored as part of the switch configuration...

Page 82: ...ommand show power controller num Using the Simple Network Management Protocol Any network manager program running the Simple Network Management Protocol SNMP can manage the switch provided the Managem...

Page 83: ...ord snmpv3 After a switch reboot all slots must be in the Operational state before SNMP can manage and access the slots To verify the current state of the slot use the show slot command Understanding...

Page 84: ...rc_ip_address mode trap_mode enhanced standard You can delete a trap receiver using the configure snmp delete trapreceiver command Entries in the trap receiver list can also be created modified and de...

Page 85: ...associated with an SNMPv3 engine RFC 2574 The User Based Security Model for Version 3 of the Simple Network Management Protocol SNMPv3 describes the User Based Security Model USM RFC 2575 View based...

Page 86: ...model snmpv1 snmpv2c snmpv3 sec model snmpv1 snmpv2c usm sec level noauth authnopriv priv volatile SNMPv3 Security In SNMPv3 the User Based Security Model USM for SNMP was introduced USM deals with se...

Page 87: ...The default password for admin is password For the other default users the default password is the user name To display information about a user or all users use the following command show snmpv3 use...

Page 88: ...user and a group use the following command configure snmpv3 delete group hex hex_group_name group_name user all non defaults hex hex_user_name user_name sec model snmpv1 snmpv2c usm Security Models an...

Page 89: ...B 2 is 1 3 6 1 2 and the System group is defined as MIB 2 1 1 or directly as 1 3 6 1 2 1 1 To define a MIB view which includes only the System group use the following subtree mask combination 1 3 6 1...

Page 90: ...dress use the following command configure snmpv3 add target addr hex hex_addr_name addr_name param hex hex_param_name param_name ipaddress ip_address netmask ip_address transport port port_number from...

Page 91: ...eate a filter profile you are associating only a filter profile name with a target parameter name The filters that make up the profile are created and associated with the profile using a different com...

Page 92: ...otify hex hex_notify_name notify_name To delete an entry from the snmpNotifyTable use the following command configure snmpv3 delete notify hex hex_notify_name notify_name all non defaults You cannot d...

Page 93: ...ing date and time in terms of a floating day as follows configure timezone name MET 60 autodst name MDT begins every last sunday march at 1 30 ends every last sunday october at 1 30 You can also speci...

Page 94: ...tch cannot obtain the time it restarts the query process Otherwise the switch waits for the sntp client update interval before querying again 5 Optionally the interval for which the SNTP client update...

Page 95: ...Mexico City Mexico 7 00 420 MST Mountain Standard Saskatchewan Canada 8 00 480 PST Pacific Standard Los Angeles CA Santa Clara CA Seattle WA USA 9 00 540 YST Yukon Standard 10 00 600 AHST Alaska Hawai...

Page 96: ...timezone 480 autodst configure sntp client update interval 1200 enable sntp client configure sntp client primary 10 0 1 1 configure sntp client secondary 10 0 1 2 10 00 600 EAST East Australian Standa...

Page 97: ...ation is a built in mechanism of ExtremeWare XOS The system infrastructure provides basic redundancy support and libraries for all of the ExtremeWare XOS applications Understanding the ExtremeWare XOS...

Page 98: ...xtremeWare XOS File System The file system in ExtremeWare XOS is the structure by which files are organized stored and named The switch can store multiple user defined configuration and policy files e...

Page 99: ...ary MSM to the backup MSM For example if you rename a file on the primary MSM the same file on the backup MSM is renamed For the memorycard option this command can move files between the external memo...

Page 100: ...is copied to the backup MSM For the memorycard option the source and or destination is the memorycard You must mount the memory card for this operation to succeed This command copies a file from the...

Page 101: ...ar 31 09 41 test_1 pol rwxr xr x 1 root 0 223599 Mar 31 10 02 v11_1_3 cfg Deleting Files From the Switch To delete a configuration or policy file from your system use the following command rm memoryca...

Page 102: ...ility with ExtremeWare Downloading configuration files ExtremeWare XOS uses the tftp command to download configuration files to the switch from the network TFTP server For more information about downl...

Page 103: ...name of all of the processes or the specified process running on the switch slotid Specifies the slot number of the MSM A specifies the MSM installed in slot A B specifies the MSM installed in slot B...

Page 104: ...n the process is immediately shutdown without any of the normal process cleanup graceful Specifies that the process shutdown gracefully by closing all opened connections notifying peers on the network...

Page 105: ...g Memory Protection ExtremeWare XOS provides memory management capabilities With ExtremeWare XOS each process runs in a protected memory space This infrastructure prevents one process from overwriting...

Page 106: ...k utilization Monitoring the workload of the CPU allows you to troubleshoot and identify suspect processes before they become a problem By default the switch monitors CPU utilization every 20 seconds...

Page 107: ...s secs min mins mins hour User System util util util util util util util util CPU Usage secs MSM A System 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 9 MSM B System 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 MSM A GNSS_cpuif...

Page 108: ...util util util util util CPU Usage secs System n a n a 0 0 0 9 0 1 0 2 0 5 34 6 aaa n a n a 0 0 0 0 0 0 0 0 0 0 1 8 1 72 0 78 acl n a n a 0 0 0 0 0 0 0 0 0 0 0 0 0 40 0 24 bgp n a n a 0 0 0 0 0 0 0 0...

Page 109: ...y NOTE The BlackDiamond 8800 family of switches was formerly known as Aspen This section discusses configuring slots on a modular switch which are the BlackDiamond 10K switch and the BlackDiamond 8800...

Page 110: ...et to default settings To display information about a particular slot use the following command show slot Information displayed includes Module type part number and serial number Current state power d...

Page 111: ...dule consisting solely of data or I O ports The primary MSM must be in slot A in the BlackDiamond 8806 switch which is referred to as slot 3 when working with the data ports If you have a secondary MS...

Page 112: ...x y Specifies a non contiguous series of ports on a stand alone switch x y a d Specifies a contiguous series of ports and a series of noncontagious ports on a stand alone switch Modular Switch Numeric...

Page 113: ...actor SFP gigabit Ethernet interface converter GBIC fiber ports Autonegotiation determines the port speed and duplex setting for each port except 10 Gbps ports You can manually configure the duplex se...

Page 114: ...system sends LinkDown and LinkUp traps when these events occur Additionally the system writes one or more information messages to the syslog as shown in the following example 09 09 2004 14 59 08 03 I...

Page 115: ...other networking equipment and a straight through cable to connect to endstations The autopolarity feature is enabled by default To disable or enable autopolarity detection use the following command c...

Page 116: ...t X450 Switch Only The following information applies to jumbo frames on the BlackDiamond 8800 family of switches and the Summit X450 switch The BlackDiamond 8800 family of switches and the Summit X450...

Page 117: ...nown The host sends all datagrams on that path with the don t fragment DF bit set which restricts fragmentation If any of the datagrams must be fragmented by an Extreme switch along the path the Extre...

Page 118: ...5 Set the MTU size for the VLAN using the following command configure ip mtu mtu vlan vlan_name The ip mtu value ranges between 1500 and 9216 with 1500 the default NOTE To set the MTU size greater tha...

Page 119: ...d port becomes active again traffic is redistributed to include that port NOTE Load sharing must be enabled on both ends of the link or a network loop may result Link aggregation is most useful when T...

Page 120: ...onfigured to load share The switch ports at each end must be specifically configured as part of a load sharing group NOTE The platform related load sharing algorithms apply to LACP as well as static l...

Page 121: ...aring group is used to forward traffic out of the switch Address based Uses addressing information to determine which physical port in the load sharing group to use to forward traffic out of the switc...

Page 122: ...aggregation by first assigning a primary or logical port to the group or LAG and then specifying the other ports you want in the LAG LACP using an automatically generated key determines which links ca...

Page 123: ...the status of the links for changes that may require reconfiguration For example if one of the links in a LAG goes down and there are standby links in that LAG LACP automatically moves the standby por...

Page 124: ...ee Configuring LACP on page 124 for the maximum number of links selected and standby per LACP Configuring Load Sharing on the BlackDiamond 10K Series of Switches The following rules apply to load shar...

Page 125: ...aring port delete ports port_list NOTE Always verify the LACP configuration by issuing the show ports sharing command look for the ports listed as being in the aggregator Configuring LACP on BLackDiam...

Page 126: ...s example when configuring or viewing VLANs VLANs configured to use other ports in the load sharing group will have those ports deleted from the VLAN when load sharing becomes enabled Address based lo...

Page 127: ...column displays which ports in the LACP LAG are added to the aggregator at the hardware level Only those ports that are added to the aggregator actually send and receive traffic The Y means the port...

Page 128: ...ch show lacp lag 1 detail Lag Actor Actor Partner Partner Partner Agg Sys Pri Key MAC Sys Pri Key Count 4 5 100 0x0fa5 00 01 30 f9 9c 30 321 0x1f47 16 Up Yes Enabled Yes Unack count 0 Wait for count 0...

Page 129: ...Wait pending No Ack pending No LAG Id S pri 0 S id 00 04 96 1f a5 2e K 0x03ed P pri 0 P num 1005 T pri 0 T id 00 04 96 1f a5 76 L 0x03ed Q pri 0 Q num 1005 Stats Rx Accepted 13980 Rx Dropped due to er...

Page 130: ...s traffic sent from the port Ingress and egress Mirrors all traffic forwarded by the port If you omit the optional parameters all traffic is forwarded the default for port based mirroring is ingress a...

Page 131: ...tor port This feature allows you to mirror multiple ports or VLANs to a monitor port while preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast do...

Page 132: ...ches and the Summit X450 Switch Only The following example selects slot 3 port 4 on a modular switch as the monitor port and sends all traffic received at slot 6 port 5 to the monitor port enable mirr...

Page 133: ...ort configuration Port number 3 12 in all vlans ingress only Port number 5 4 in all vlans egress only Port number 8 30 in all vlans Displaying Switch Port Mirroring Configuration on the Summit X450 Sw...

Page 134: ...unters for EDP protocol data units PDUs sent and received per EDP port Switch PDUs transmitted VLAN PDUs transmitted Transmit PDUs with errors Switch PDUs received VLAN PDUs received Received PDUs wit...

Page 135: ...rnet port primary with a redundant dedicated Ethernet port both ports are on the same switch If the primary port fails the switch will establish a link on the redundant port and the redundant port bec...

Page 136: ...red on that port If you do not want the automatic restoration of the primary link when it becomes active disable Smart Redundancy Guidelines for Software Controlled Redundant Ports and Port Groups Sof...

Page 137: ...redundant port use the following command configure ports primaryPort redundant secondaryPort link on off The first port specified is the primary port The second port specified is the redundant port T...

Page 138: ...ue QP1 MinBw 0 MaxBw 100 Pri 1 QP2 MinBw 0 MaxBw 100 Pri 2 QP3 MinBw 0 MaxBw 100 Pri 3 QP4 MinBw 0 MaxBw 100 Pri 4 QP5 MinBw 0 MaxBw 100 Pri 5 QP6 MinBw 0 MaxBw 100 Pri 6 QP7 MinBw 0 MaxBw 100 Pri 7 Q...

Page 139: ...e preferred media setting issue the following command show ports mgmt port_list information detail Refer to Displaying Port Configuration Information for more information on the show ports information...

Page 140: ...ce The default preferred medium is fiber If you use the force option it disables automatic failover If you force the preferred medium to fiber and the fiber link goes away the copper link is not used...

Page 141: ...ports the Media Primary column displays NONE when no module is installed and SR LR or ER depending on the module installed when there is one present The following sample command displays the port conf...

Page 142: ...led M Multicast Flooding Enabled B Broadcast Flooding Enable Beginning with ExtremeWare XOS software version 11 3 you can display real time port utilization information by issuing the following comman...

Page 143: ...802 1D State FORWARDING Protocol Name Default Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled Unicast Flooding...

Page 144: ...ble Tag none Mode 802 1D State FORWARDING Protocol Name Default Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled...

Page 145: ...limit No limit STP cfg Protocol Name peggy Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled Unicast Flooding Ena...

Page 146: ...Configuring Slots and Ports on a Switch ExtremeWare XOS 11 3 Concepts Guide 146...

Page 147: ...ertisements LLDP provides a standard method of discovering and representing the physical network connections of a given network management domain LLDP works concurrently with Extreme Discovery Protoco...

Page 148: ...2 00 00 0E and the EtherType is defined as 0x88CC Figure 4 LLDP packet format The following characteristics apply to LLDP packets They are IEEE 802 3 Ethernet frames The frames are sent as untagged fr...

Page 149: ...egular intervals Chassis ID mandatory Port ID mandatory Time to live mandatory Port description System name System description sent by default System capabilities Management address 802 1 specific inf...

Page 150: ...action ensures that only valid information is stored in the LLDP agent Once you enable LLDP you can enable the LLDP specific SNMP traps the traps are disabled by default You configure the period betw...

Page 151: ...to advertise Table 18 lists all the defined TLVs if they are included by default once you enable LLDP if they can be configured if they are mandatory or optional and if you can repeat that TLV in one...

Page 152: ...switches and the combination of slot and port number on modular switches TTL TLV The TTL TLV is mandatory sent by default once LLDP is enabled and nonconfigurable This TLV indicates how long the recor...

Page 153: ...gure this TLV to be advertised or not advertised The port description TLV contains the ifDescr object which is the ASCII string you entered using the configure ports display string command If you have...

Page 154: ...ftware allows you to advertise VLAN name information to neighboring devices This TLV associates a VLAN name to the IEEE 802 1Q tag assigned to that VLAN You can enable this TLV for tagged and untagged...

Page 155: ...ying power over Ethernet PoE This TLV allows network management to advertise and discover the power via MDI capabilities of the sending 802 3 LAN station The device type field contains a binary value...

Page 156: ...ll ports by default When you enable LLDP on the ports you select whether the ports will only transmit LLDP messages only receive the messages or both transmit and receive LLDP messages To enable LLDP...

Page 157: ...gered update LLDP messages is referred to as the transmit delay and the default value is 2 seconds You can change the default transmit delay value to a specified number of seconds or to be automatical...

Page 158: ...ommends that you advertise only one or two VLANS on specified ports to avoid dropping TLVs from the LLDPDU You configure LLDP ports to advertise any of the following optional TLVs Port description TLV...

Page 159: ...ol based VLAN per LLDP enabled port To do so add one optional port and protocol VLAN ID TLV for each VLAN you want to advertise To advertise these VLANs issue the following command configure lldp port...

Page 160: ...s unconfigure lldp port all port_list Displaying LLDP Settings The system displays information on the LLDP status and statistical counters of the ports as well as about the LLDP advertisements receive...

Page 161: ...rval 5 seconds LLDP reinitialize delay 2 seconds LLDP Port Configuration Port Rx Tx SNMP Optional enabled transmit TLVs Mode Mode Notification LLDP 802 1 802 3 1 Enabled Enabled Disabled ND N VLAN Def...

Page 162: ...all switch ports use the show lldp neighbors detailed command The following is sample output from the this command show lldp all neighbors detailed LLDP Port 4 1 detected 2 neighbors Neighbor 00 04 96...

Page 163: ...er covers the following topics Summary of PoE Features on page 163 Power Checking for PoE Module on page 164 Power Delivery on page 164 LEDs on page 168 Configuring PoE on page 169 Displaying PoE Sett...

Page 164: ...eviously are powered up If you lose power or the overall available power decreases the system removes power to the I O modules beginning with the highest numbered slots until enough power is available...

Page 165: ...without disabling the slot first you can reconfigure dynamically These settings are preserved across reboots and other power cycling conditions The total of all reserved slot power budgets cannot be...

Page 166: ...default value is low If you configure the disconnect precedence of the switch as lowest priority the switch disconnects those PDs with lower PoE port priorities when the reserved slot power budget is...

Page 167: ...PoE slot you cannot configure it differently for each PoE module You can also configure the system to log an Event Management System EMS message when the usage threshold is crossed refer to Chapter 8...

Page 168: ...by using the following command configure inline power operator limit milliwatts ports all port_list If the measured power for a specified port exceeds the port s operator limit the power is withdrawn...

Page 169: ...s in the case of excessive power demands Configure the threshold for initiating system alarms on power usage Additionally you can configure the switch to use legacy PDs apply specified PoE limits to p...

Page 170: ...et for a PoE module to the default value of 50 W use the following command unconfigure inline power budget slot slot To display the reserved power budget for the PoE modules use the following command...

Page 171: ...inline power budget for the slot for example when delivered power from ports increases or when the configured inline power budget for the slot is reduced Configuring the PoE Port Priority You can conf...

Page 172: ...cifically enable the switch to detect these non standard PDs the default value for this detection method is disabled This configuration applies to the entire switch you cannot configure the detection...

Page 173: ...string ports port_list To rename a port or to return it to a blank label reissue the command To display the PoE port labels use the following command show inline power configuration ports port_list Po...

Page 174: ...output indicates the following inline power status information for each slot Inline power status The status of inline power The status conditions are Enabled Disabled Firmware status The operational...

Page 175: ...P Operational 111 00 110 00 1 00 Inline Power budgeted 2 loss 51 00 51 00 0 00 Slot 4 G48P Empty Slot 5 G8X Operational 0 00 0 00 0 00 Slot 6 G48T Operational 0 00 0 00 0 00 Slot 7 G48P Operational 11...

Page 176: ...available to the slot Measured power The amount of power in watts that is currently being used by the slot Following is sample output from this command Budgeted Measured Slot Inline Power Firmware Sta...

Page 177: ...his command provides the following information Config Indicates whether the port is enabled to provide inline power Enabled The port can provide inline power Disabled The port cannot provide inline po...

Page 178: ...ass 0 device class1 class 1 device class2 class 2 device class3 class 3 device class4 class 4 device Volts Displays the measured voltage A value from 0 to 2 is valid for ports that are in a searching...

Page 179: ...tate Class Volts Curr Power Fault mA Watts 3 1 delivering class3 48 3 192 9 300 None 3 2 delivering class3 48 3 192 9 300 None 3 3 searching 0 0 0 0 0 None Following is sample output from the show inl...

Page 180: ...r of times the port had an invalid signature Denied Displays the number of times the port was denied Over current Displays the number of times the port entered an overcurrent state Short Displays the...

Page 181: ...des information about the switch This information may be useful for your technical support representative if you have a problem ExtremeWare XOS includes many command line interface CLI show commands t...

Page 182: ...uence FCS but excludes bytes in the preamble Received Broadcast RX Bcast The total number of frames received by the port that are addressed to a broadcast address Received Multicast RX Mcast The total...

Page 183: ...link is present at this port Ready R The port is ready to accept a link Not Present NP The port is configured but the module is not installed in the slot modular switches only Receive Bad CRC Frames...

Page 184: ...e written to and read from correctly Memory addresses are accessed correctly Application Specific Integrated Circuit ASICs and Central Processing Unit CPUs operate as required Data and control fabric...

Page 185: ...he slot number of an I O module When the diagnostics test is complete the system attempts to bring the I O module back online NOTE On the BlackDiamond 8810 switch formerly known as Aspen if you run di...

Page 186: ...avior during a diagnostic test After the MSM completes the diagnostic test or the diagnostic test is terminated the SYS LED is reset During normal operation the status LED blinks green I O Module LED...

Page 187: ...nostic test is in progress on the primary MSM Mstr Diag Green Off Diagnostic failure has occurred Off Green Depending the situation this state indicates Diagnostic test in progress on the primary MSM...

Page 188: ...ackup MSM Diagnostic test has passed Mstr Diag Off Green Depending on the situation this state indicates Diagnostic test in progress on the backup MSM Diagnostic test has passed Sys Stat Off Green Dia...

Page 189: ...utomatically corrects correctable memory errors and kills packets that encounter checksum and parity errors during processing Errored packets are not propagated through the system The primary responsi...

Page 190: ...5 seconds by default The polling value is not a user configured parameter The system health check polls the control plane health between MSMs and I O modules monitors memory levels on the I O module m...

Page 191: ...r on the BlackDiamond 10K switch and the BlackDiamond 8800 family of switches For more detailed information about the system health check commands see the chapter Commands for Status Monitoring and St...

Page 192: ...s Enabling and Configuring Backplane Diagnostics The following example Enables backplane diagnostic packets on slot 3 Configures backplane diagnostic packets to be sent every 7 seconds 1 Enable backpl...

Page 193: ...command configure sys recovery level all none Where the following is true all Configures ExtremeWare XOS to log an error into the syslog and automatically reboot the system after any task exception n...

Page 194: ...overy is reset For more information about system recovery see Configuring System Recovery on page 193 By using the default settings the switch resets the offending MSM or I O module if fault detection...

Page 195: ...he run diagnostics normal slot command to run operational diagnostics on the offending I O module to ensure that you are not experiencing a hardware issue If the module continues to enter the failed s...

Page 196: ...n a Summit X450 switch the output includes the current temperature and operating status of the switch and the XGM 2xn card The following sample output displays the current temperature and operating st...

Page 197: ...messages where the messages are sent and how they are displayed Using EMS you can Send event messages to a number of logging targets for example syslog host and NVRAM Filter events per target by Compo...

Page 198: ...s once the buffer is full Use the following command to stop sending messages to the target disable log target console memory buffer nvram primary msm backup msm session syslog all ipaddress ipPort vr...

Page 199: ...e targets are also associated with a default match expression that matches any messages the expression that matches any message is displayed as Match none from the command line And finally each target...

Page 200: ...o pass Only the messages that pass the filter and then pass the specified severity level reach the target Finally you can specify the severity levels of messages that reach the target by associating a...

Page 201: ...bcomponent and condition names For example you can refer to the InBPDU subcomponent of the STP component as STP InBPDU On the CLI you can abbreviate or TAB complete any of these A component or subcomp...

Page 202: ...component or event To do this you construct a filter that passes only the items of interest and you associate that filter with a target The first step is to create the filter using the create log fil...

Page 203: ...erity E Comp Sub comp Condition CEWNISVD I STP InBPDU E STP CreatPortMsgFail E I STP Include Exclude I Include E Exclude Component Unreg Component Subcomponent is not currently registered Severity Val...

Page 204: ...ee Formatting Event Messages on page 206 Simple Regular Expressions A simple regular expression is a string of single characters including the dot character which are optionally combined with quantifi...

Page 205: ...sk number number port portlist process process name slot slotid string match expression vlan vlan name vlan tag vlan tag Beginning with ExtremeWare XOS 11 2 you can specify the ipaddress type as IPv4...

Page 206: ...nfigure log filter events match command This is best explained with an example Suppose an event in the XYZ component named XYZ event5 contains a physical port number a source MAC address but no destin...

Page 207: ...ay be saved to the FLASH configuration and is restored on boot up to the console display session To turn on log display for the current session enable log target session This setting only affects the...

Page 208: ...ces EMS adds the ability to count the number of occurrences of events Even when an event is filtered from all log targets the event is counted To display the event counters use the following command s...

Page 209: ...s where it is needed To place the switch in debug mode use the following command enable log debug mode Once the switch is in debug mode any filters configured for your targets still affect which messa...

Page 210: ...Non extended data Only those packets that do not match an ACL rule are considered for sampling Only port based sampling No MIB support Configuring sFlow ExtremeWare XOS allows you to collect sFlow sta...

Page 211: ...gure sflow collector ipaddress ip address port udp port number vr vrname To unconfigure the remote collector and remove it from the database use the following command unconfigure sflow collector ipadd...

Page 212: ...Do not configure the sample rate to a number lower than the default unless you are sure that the traffic rate on the source is low Per Port Sampling Rate You can set the sampling rate on individual po...

Page 213: ...e switch NOTE You can only use the RMON features of the system if you have an RMON management application and have enabled RMON on the switch About RMON RMON is the common abbreviation for the Remote...

Page 214: ...tics The switch supports the following four of these groups as defined in RFC 1757 Statistics History Alarms Events The switch also supports the following parameters for configuring the RMON agent and...

Page 215: ...ich provides a mechanism for an automated response to certain occurrences RMON Probe Configuration Parameters The RMON probe configuration parameters supported in ExtremeWare XOS are a subset of the p...

Page 216: ...gement The switch accurately maintains RMON statistics at the maximum line rate of all of its ports To enable or disable the collection of RMON statistics on the switch use one of the following comman...

Page 217: ...ing on the switch the enable disable state for RMON polling use the following command show management To view the RMON memory usage statistics for a specific RMON feature for example statistics events...

Page 218: ...Status Monitoring and Statistics ExtremeWare XOS 11 3 Concepts Guide 218...

Page 219: ...me physical LAN Any set of ports including all ports on the switch is considered a VLAN LAN segments are not restricted by the hardware that physically connects them The segments are defined by flexib...

Page 220: ...t virtual router VR Default The management VLAN is always in the management virtual router VR Mgmt Once you create virtual routers ExtremeWare XOS software allows you to designate one of these virtual...

Page 221: ...TE On the BlackDiamond 10K switch the 10 Gbps module must have the serial number 804405 00 09 or higher to support untagged frames If your configuration has untagged frames but the wrong 10 Gbps modul...

Page 222: ...want to have span across the switches At least one port on each switch must be a member of the corresponding VLANs as well Figure 7 illustrates two VLANs spanning two switches On system 2 ports 25 th...

Page 223: ...ed a tag into the Ethernet frame The tag contains the identification number of a specific VLAN called the VLANid valid numbers are 1 to 4094 NOTE The use of 802 1Q tagged packets may lead to the appea...

Page 224: ...fault mode of the switch is to have all ports assigned to the VLAN named default with an 802 1Q VLAN tag VLANid of 1 assigned Not all ports in the VLAN must be tagged As traffic from a port is forward...

Page 225: ...iple VLANs with the stipulation that only one of its VLANs uses untagged traffic In other words a port can simultaneously be a member of one port based VLAN and multiple tag based VLANs NOTE For the p...

Page 226: ...IPv6 IPX NetBIOS DECNet IPX_8022 IPX_SNAP AppleTalk Defining Protocol Filters If necessary you can define a customized protocol filter based on EtherType Logical Link Control LLC and or Subnetwork Acc...

Page 227: ...scribed previously For example configure protocol fred add llc feff configure protocol fred add snap 9999 A maximum of 15 protocol filters each containing a maximum of 6 protocols can be defined No mo...

Page 228: ...s recommends that you specify the identifying keyword as well as the actual name If you do not use the keyword the system may return an error message VLAN names can be specified using the tab key for...

Page 229: ...an IP address to the VLAN NOTE Beginning with ExtremeWare XOS 11 2 the software supports using IPv6 addresses in addition to IPv4 addresses You can configure the VLAN with an IPv4 address IPv6 address...

Page 230: ...nt configure development ipaddress 2001 0DB8 8 800 200C 417A 64 configure default delete port 1 3 configure development add port 1 3 The following modular switch example creates a protocol based VLAN...

Page 231: ...f VLANs configured on the switch EAPs information ESRP information IP forwarding information Multicasting information Routing protocol information Use the detail option to display the detailed format...

Page 232: ...n tunnel is completely isolated from other tunnels or VLANs For the metropolitan area network MAN provider the tagging numbers and methods used by the customer are transparent to the provider You esta...

Page 233: ...egress or trunk port as untagged so that the VMAN header is stripped from the frame Each tunnel port that accesses the user can support or belong to only one VMAN tunnel the remaining ports throughout...

Page 234: ...gress Queue on the BlackDiamond 10K Switch Only On VMAN packets the BlackDiamond 10K switch examines the packet s inner 802 1p tag and then directs the packet to the appropriate egress queue on the eg...

Page 235: ...00 family of switches and the Summit X450 switch Configuring VMANs BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only NOTE On the BlackDiamond 8800 family of switches you cannot conf...

Page 236: ...Assign a tag value to the VMAN 3 Add the ports in the tunnel to the VMAN 4 Configure VMAN member ports as tagged on switch to switch ports and untagged on the ingress and egress ports of the tunnel NO...

Page 237: ...0 120 120 1 24 enable ipforwarding vman_tunnel_1 enable ipmcforwarding vman_tunnel_1 VMAN Example BlackDiamond 8810 Switch The follow example shows the steps to configure VMAN 1 on the BlackDiamond 88...

Page 238: ...t Flags C EAPS Control vlan E ESRP Enabled f IP Forwarding Enabled i ISIS Enabled I IP Forwarding lpm routing Enabled L Loopback Enabled m IPmc Forwarding Enabled n IP Multinetting Enabled N Network L...

Page 239: ...ail command shows all the information shown in the show vman vlan_name command but displays information for all configured VMANs To display the EtherType used the following command show vman etherType...

Page 240: ...Virtual LANs ExtremeWare XOS 11 3 Concepts Guide 240...

Page 241: ...s on same switch are connected through a Layer 2 domain the intermediate Layer 2 switches will learn same MAC address of the switch on different ports and may send traffic into the wrong virtual route...

Page 242: ...VLAN can be created in this virtual router and the Mgmt VLAN cannot be deleted from it No routing protocol is running or can be added to this virtual router This virtual router is called VR 0 in Extre...

Page 243: ...uter configuration domain any virtual router commands are applied only to that virtual router The virtual router commands consist of all the BGP OSPF PIM and RIP commands and the commands listed in Ta...

Page 244: ...issue the following command delete virtual router vr name Before you delete a virtual router you must delete all VLANs created in that virtual router All of the ports assigned to this virtual router...

Page 245: ...ted the tagged VLAN bldg_200 in VR green and the tagged VLAN bldg_300 in VR blue configure vlan default delete ports 3 5 configure vr vr default delete ports 3 5 configure vlan bldg_200 add ports 3 5...

Page 246: ...isplays the virtual router configuration domain Use the virtual router command with no virtual router name or use the name VR Default to return to the default configuration domain Now you can create V...

Page 247: ...n is displayed At the end of the example the virtual router is ready to be configured for OSPF using ExtremeWare XOS commands BD10K 1 create virtual router helix BD10K 2 configure vlan default delete...

Page 248: ...Virtual Routers ExtremeWare XOS 11 3 Concepts Guide 248...

Page 249: ...erence Guide for details of the commands related to the FDB The switch maintains a database of all MAC addresses received on all of its ports It uses the information in this database to decide whether...

Page 250: ...abase are dynamic except for certain entries created by the switch at boot up Entries in the database are removed aged out if after a period of time aging time the device has not transmitted This prev...

Page 251: ...cted on another virtual port that is not defined in the static FDB entry for the MAC address that address is handled as a blackhole entry Permanent entries Permanent entries are retained in the databa...

Page 252: ...ied VLANs all blackhole entries Use the following command to clear dynamic entries from the FDB clear fdb mac_addr ports port_list vlan_name blackhole You clear permanent FDB entries by targeting all...

Page 253: ...s allowed per virtual port You can also lock the FDB entries for a virtual port so that the current entries will not change and no additional addresses can be learned on the port You can also prioriti...

Page 254: ...here you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance Figure 13 Upstream forwarding or disabling egress flooding example In this example the t...

Page 255: ...as for all packets on the ports of the BlackDiamond 8800 family of switches formerly known as Aspen or the Summit X450 switch Disabling multicasting egress flooding does not affect those packets withi...

Page 256: ...ound QOS Monitoring Enabled R Software redundant port Redunda nt s diffserv Replacement Enabled v Vman Enabled f Unicast Flooding Enabled M Multicast Flooding Enabled B Broadcast Flooding Enabled NOTE...

Page 257: ...ket filtering and forwarding decisions on packets The ACL application will program these policies into the packet filtering hardware on the switch Packets can be dropped forwarded moved to a different...

Page 258: ...nd mode The following are the most commonly used dd To delete the current line yy To copy the current line p To paste the line copied w To write save the file q To quit the file if no changes were mad...

Page 259: ...sh use the following commands enable access list refresh blackhole disable access list refresh blackhole Applying Policies ACL policies and routing policies are applied using different commands Applyi...

Page 260: ...none Commands that use the keyword route policy control the routes advertised or received by the protocol For BGP and RIP here are some examples configure bgp neighbor remoteaddr all address family ip...

Page 261: ...has no impact on switch performance with the minor exception of the mirror cpu action modifier ACLs are typically applied to traffic that crosses Layer 3 router boundaries but it is possible to use ac...

Page 262: ...ntries are evaluated in order from the beginning of the file to the end as follows If the packet matches all the match conditions the action in the then statement is taken and the evaluation process t...

Page 263: ...Evaluation BlackDiamond 8800 Family and Summit X450 Only On the BlackDiamond 8800 family and Summit X450 all matching rule actions in a policy are applied to a given packet Conflicting actions deny vs...

Page 264: ...ingress egress To log packets Packets are logged only when they go to the CPU so packets in the fastpath are not automatically logged You must use both the mirror cpu action modifier and the log or lo...

Page 265: ...THER P 8021Q 0x8100 ETHER P IPV6 0x86DD Ethernet Ingress only ethernet source address mac address Ethernet source MAC address Ethernet Ingress only ethernet destination address mac address Ethernet de...

Page 266: ...d 525 who 513 xdmcp 177 zephyr clt 2103 or zephyr hm 2104 TCP UDP Ingress and Egress TCP flags bitfield TCP flags Normally you specify this match in conjunction with the protocol match statement In pl...

Page 267: ...stination network prohibited 9 destination network unknown 6 fragmentation needed 4 host precedence violation 14 host unreachable 1 host unreachable for TOS 12 network unreachable 0 network unreachabl...

Page 268: ...e change will not take effect until you reboot the switch Use the following command to configure the IPv6 ACL masks configure ipv6acl address mask destination ipv6_address source ipv6_address Dynamic...

Page 269: ...ons are concatenated into a single string The actions parameter corresponds to the then portion of the ACL policy file entry From the command line you can get a list of match conditions and actions by...

Page 270: ...ted before any L2 rules The precedence among L3 L4 rules is determined by their relative position in the ACL file Rules are evaluated sequentially from top to bottom The precedence among L2 rules is d...

Page 271: ...ragmented packets An L4 rule with the fragments keyword is not valid see above With the first fragments keyword specified An L3 only rule with the first fragments keyword matches non fragmented or ini...

Page 272: ...the following entry meter_bw if then meter maximum_bandwidth This example will take the actions specified for the meter maximum_bandwidth for all the traffic that this ACL is applied to Applying ACL...

Page 273: ...r the host 140 158 18 16 with source port 190 and a destination port in the range of 1200 to 1250 entry udpacl if source address 10 203 134 0 24 destination address 140 158 18 16 32 protocol udp sourc...

Page 274: ...ommand entry permit established if source address 10 10 20 0 24 protocol TCP tcp flags syn then deny The following entry denies every packet and increments the counter default entry default if then de...

Page 275: ...match criteria together unless relative precedence with other policy rules is required Using VLAN based or wildcards ACLs requires that the ACL masks are allocated on every port in the system For exam...

Page 276: ...reful to avoid wasting masks For example consider the following policy policy3 pol entry one if source address 1 1 1 1 32 then count debug entry two if protocol tcp destination port 23 then deny entry...

Page 277: ...ACL rules in order to function Here are is a list by feature dot1p examination 1 mask 8 rules always enabled DiffServ examination 1 mask 64 rules disabled by default IGMP snooping 2 masks 2 rules enab...

Page 278: ...Access Lists ACLs ExtremeWare XOS 11 3 Concepts Guide 278...

Page 279: ...the type of routing protocol involved but these policies are sometimes more efficient and easier to implement than access lists Routing policies can also modify and filter routing information receive...

Page 280: ...ction The next sections list detailed information about policy match conditions about matching BGP AS paths and about action statements For information on those subjects see the following sections Pol...

Page 281: ...mask length origin igp egp incomplete Where igp egp and incomplete are the Border Gateway Protocol BGP route origin values tag number Where number is a 4 byte unsigned number route origin direct stat...

Page 282: ...th any AS number from 2 8 as path 111 2 8 The following AS Path statement matches AS paths beginning with AS number 111 and ending with any additional AS number or beginning and ending with AS number...

Page 283: ...ities must be enclosed in double quotes cost cost 0 4261412864 Sets the cost metric for a route cost type ase type 1 ase type 2 external internal Sets the cost type for a route dampening half life min...

Page 284: ...out none policy configure rip vlan vlan name all route policy in out policy name none Other examples of commands that use route policies include configure ospf area area identifier external filter po...

Page 285: ...then permit entry entry 15 if nlri any 8 then deny entry entry 20 if nlri 10 10 0 0 18 then permit entry entry 25 if nlri 22 44 66 0 23 exact then deny The policy above can be optimized by combining...

Page 286: ...Action permit match origin incomplete Entry 20 Action deny match community 6553800 Entry 30 Action permit match med 30 set next hop 10 201 23 10 set as path 20 set as path 30 set as path 40 set as pa...

Page 287: ...1 23 10 as path 20 as path 30 as path 40 as path 40 permit entry entry 40 if then local preference 120 weight 2 permit entry entry 50 match any if origin incomplete community 19661200 then dampening h...

Page 288: ...Routing Policies ExtremeWare XOS 11 3 Concepts Guide 288 entry deny_rest if then deny...

Page 289: ...ve control mechanism for networks that have heterogeneous traffic patterns Using Policy based QoS you can specify the service level that a particular traffic type receives Policy based QoS allows you...

Page 290: ...f packet loss Voice Applications Voice applications or voice over IP VoIP typically demand small amounts of bandwidth However the bandwidth must be constant and predictable because voice applications...

Page 291: ...latency jitter and some packet loss however small packet loss may have a large impact on perceived performance because of the nature of TCP The relevant parameter for protecting browser applications i...

Page 292: ...roupings Traffic grouping A classification or traffic type that has one or more attributes in common These can range from a physical port to IP Layer 4 port information You assign traffic groupings to...

Page 293: ...make up a QoS profile on the BlackDiamond 8800 family of switches and the Summit X450 switch include Buffer This parameter is the maximum amount of packet buffer memory available to all packets associ...

Page 294: ...th that is reserved for use by a hardware queue on a physical port each physical port has eight hardware queues corresponding to a QoS profile The minimum bandwidth value is configured either as a per...

Page 295: ...to the profile A traffic grouping is a classification of traffic that has one or more attributes in common Traffic is typically grouped based on the needs of the applications discussed starting on pag...

Page 296: ...ed on any combination of the following items IP source or destination address IP protocol TCP flag TCP UDP or other Layer 4 protocol TCP UDP port information IP fragmentation MAC source or destination...

Page 297: ...2 1p priority Configuring DiffServ Configuring 802 1p Priority Extreme Networks switches support the standard IEEE 802 1p priority bits that are part of a tagged Ethernet packet The 802 1p bits can be...

Page 298: ...pport 2 queues based on flows you can define up to 6 additional queues The transmitting queue determines the characteristics used when transmitting packets NOTE See for Chapter 9 information regarding...

Page 299: ...cement configuration is based on the ingress port To replace 802 1p priority information use the following command enable dot1p replacement ports port_list all NOTE The port in this command is the ing...

Page 300: ...ions DiffServ information on the BlackDiamond 10K only Observing DiffServ information Changing DiffServ code point DSCP mapping Replacing DSCP information DiffServ information on the BlackDiamond 10K...

Page 301: ...of the 64 code points using the following command configure diffserv examination code point code point qosprofile qosprofile Once assigned the rest of the switches in the network prioritize the packe...

Page 302: ...e replaced in the IP packet To view currently configured DiffServ information use the following command show diffserv examination replacement DiffServ example for the BlackDiamond 8800 family of switc...

Page 303: ...traffic coming from network 10 1 2 x with a specific DiffServ code point This allows all other network switches to send and observe the Diffserv code point instead of repeating the same QoS configura...

Page 304: ...traffic grouping indicates that all intra VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile To configure a VLAN traffic grouping use the following...

Page 305: ...l ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled Flooding Enabled Jumbo Disabled BG QoS monitor Unsupported Egress Port...

Page 306: ...MinBw 0 MaxBw 100 Pri 5 Qp6 MinBw 0 MaxBw 100 Pri 6 Qp7 MinBw 0 MaxBw 100 Pri 7 Qp8 MinBw 0 MaxBw 100 Pri 8 Ingress Rate Shaping support IQP1 8 IQP1 MinBw 0 MaxBw 100 Pri 1 IQP2 MinBw 0 MaxBw 100 Pri...

Page 307: ...Qp5 MinBw 0 MaxBw 100 Pri 5 Qp6 MinBw 0 MaxBw 100 Pri 6 Qp7 MinBw 0 MaxBw 100 Pri 7 Qp8 MinBw 0 MaxBw 100 Pri 8 Ingress Rate Shaping support IQP1 2 IQP1 MinBw 0 MaxBw 100 Pri 1 IQP2 MinBw 0 MaxBw 100...

Page 308: ...Information You can also verify the QoS configuration in place Refer to Verifying Physical and Logical Groupings on page 304 for additional information on displaying QoS information for each port Disp...

Page 309: ...is higher than the limit allowed to egress the specified port s for a burst or short duration The default behavior is to have no limit on the egress traffic per port To view the configured egress port...

Page 310: ...nteed minimum rates The number of queues from the ingress port to the backplane differs between I O modules The 1 Gbps I O module has 2 queues from the ingress port to the backplane and the 10 Gbps I...

Page 311: ...maximum committed rates vary with the number of active ports on each I O module The rates shown in Table 48 are what you can expect when you all running all ports at traffic level If you are using fe...

Page 312: ...gement system You can enter any integer from 0 in the CLI however functionally the switch operates only in multiples of 62 5 Kbps Also note that the CLI system does not accept decimals Rate shaping is...

Page 313: ...cts incorporate a number of features designed to enhance the security of your network while resolving issues with minimal network disruption No one feature can ensure security but by using a number of...

Page 314: ...used by routing protocol applications to control the advertisement reception and use of routing information by the switch By using policies a set of routes can be selectively permitted or denied base...

Page 315: ...hapter 11 Forwarding Database The following section Limiting Dynamic MAC Addresses describes how MAC address security allows you to limit the number of dynamically learned MAC addresses allowed per vi...

Page 316: ...om learning and responding to ICMP and ARP packets Dynamically learned entries still get aged and can be cleared If entries are cleared or aged out after the learning limit has been reached new entrie...

Page 317: ...r Layer 2 switch Configuring a MAC address limit on all S1 ports might prevent ESRP communication between S2 and S3 To resolve this you should add a back to back link between S2 and S3 This link is no...

Page 318: ...ber lock learning unlimited learning unlock learning When you remove the lock down using the unlock learning option the learning limit is reset to unlimited and all associated entries in the FDB are f...

Page 319: ...rver addresses and WINS server information for a particular VLAN use the following command unconfigure vlan vlan_name dhcp options To remove all the DHCP information for a particular VLAN use the foll...

Page 320: ...ttempting to characterize the problem and filter out the offending traffic so that other functions can continue When a flood of CPU bound packets reach the switch DoS Protection will count these packe...

Page 321: ...interval at which the switch checks for DoS attacks use the following command configure dos protect interval seconds To configure the alert threshold use the following command configure dos protect ty...

Page 322: ...witch NOTE You cannot enable RADIUS and TACACS at the same time You define a primary and secondary RADIUS server for the switch to contact When a user attempts to log in using Telnet HTTP or the conso...

Page 323: ...cify the mgmt access or netlogin keywords the timeout interval applies to both switch management and netlogin RADIUS servers Configuring the Shared Secret Password for RADIUS Servers In addition to sp...

Page 324: ...network login use the same primary and secondary RADIUS servers for accounting To specify one pair of RADIUS accounting servers for switch management and another pair for network login make sure to s...

Page 325: ...not specify a keyword RADIUS accounting is disabled on the switch for both management and network login Per Command Authentication Using RADIUS You can use the RADIUS implementation to perform per co...

Page 326: ...privilege if a Service Type value of 6 is transmitted as part of the Access Accept message from the RADIUS server Other Service Type values or no value result in the switch granting read only access t...

Page 327: ...ADIUS server problems Cistron RADIUS Cistron RADIUS is a popular server distributed under GPL Cistron RADIUS can be found at http www miquels cistron nl radius When you configure the Cistron server fo...

Page 328: ...onnections and fill in the desired number of maximum sessions RADIUS Server Configuration Example Merit Many implementations of RADIUS server use the publicly available Merit AAA server application To...

Page 329: ...exact or partial strings of CLI commands A named profile is linked with a user through the users file A profile with the permit on keywords allows use of only the listed commands A profile with the de...

Page 330: ...nable disable ipforwarding show switch PROFILE2 enable clear counters show management PROFILE3 deny create vlan configure iproute disable show fdb delete configure rip add TACACS Terminal Access Contr...

Page 331: ...a TACACS server failure when the timeout has expired the switch makes one authentication attempt before trying the next designated TACACS server or reverting to the local database for authentication I...

Page 332: ...ry TACACS server Configures the secondary TACACS server Configures the shared secret for the secondary TACACS server Enables TACACS on the switch All other settings use the default settings as describ...

Page 333: ...er or reverting to the local database for authentication In the event that the switch still has IP connectivity to the TACACS accounting server but a TCP session cannot be established such as a failed...

Page 334: ...ver Configures the shared secret for the secondary TACACS accounting server Enables TACACS accounting on the switch All other settings use the default settings as described earlier in this section or...

Page 335: ...system via an SSH2 session The ExtremeWare XOS SSH2 switch application also works with SSH2 client version 2 x or later from SSH Communication Security and with version 2 5 or later from OpenSSH The S...

Page 336: ...switch To get such key you can use the command show configuration exsshd to display the key on the console Copy the key to a text editor and remove the carriage return line feeds from the key Finally...

Page 337: ...y directly on the switch Use the tftp command to transfer a policy that you created using a text editor on another system to the switch For more information about creating and implementing ACLs and po...

Page 338: ...e or IP address ExtremeWare XOS only allows SCP2 to transfer to the switch files named as follows cfg ExtremeWare XOS configuration files pol ExtremeWare XOS policy files In the following examples you...

Page 339: ...P2 use the following command scp2 cipher 3des blowfish port portnum debug debug_level user hostname ipaddress remote_file local_file vr vr_name For example to copy the configuration file test cfg on h...

Page 340: ...data encryption RC4 DES and 3DES Message Authentication Code MAC algorithms MD5 and SHA The Converged Network Analyzer CNA Agent requires SSL to encrypt communication between the CNA Agent and the CN...

Page 341: ...th is approximately 2 kb and the private key length is approximately 3 kb Downloading a Certificate Key from a TFTP Server You can download a certificate key from files stored in a TFTP server If the...

Page 342: ...s and Keys on page 342 for more information Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration Once you issue the save command the d...

Page 343: ...et Layer ExtremeWare XOS 11 3 Concepts Guide 343 Displaying SSL Information Use the following command to display whether the switch has a valid private and public key pair and the state of HTTPS acces...

Page 344: ...Security ExtremeWare XOS 11 3 Concepts Guide 344...

Page 345: ...tion types and modes of operation can be used in any combination When web based network login is enabled on a switch port that port is placed into a non forwarding state until authentication takes pla...

Page 346: ...r the only connection that exists is to the authenticator As a result the authenticator must be furnished with a temporary DHCP server to distribute the IP address The switch responds to DHCP requests...

Page 347: ...rt is available only on newer operating systems such as Windows XP 802 1x requires an EAP capable RADIUS Server Most current RADIUS servers support EAP so this is not a major disadvantage Transport La...

Page 348: ...VLAN remain constant Before the supplicant is authenticated the port is in an unauthenticated state After authentication the port forwards packets You do not explicitly configure the mode of operatio...

Page 349: ...ved images and configurations from the primary to the backup using the synchronize command 3 Initiate failover using the run msm failover command For more detailed information about verifying the stat...

Page 350: ...tch to authenticate the client in the original VLAN or deny authentication even if the user name and password are correct For example this may occur if a destination VLAN does not exist To configure t...

Page 351: ...based MAC based and 802 1x netlogin support RADIUS authentication Only web based and MAC based netlogin support local database authentication This section describes the following topics in greater det...

Page 352: ...ccessful authentication must already exist on switch Extreme Netlogin VLAN ID 209 Integer Access Accept ID of destination VLAN after successful authentication must already exist on switch Extreme Netl...

Page 353: ...VLAN The following describes the guidelines for VSA 211 For tagged VLAN movement with 802 1x netlogin you must use VSA 211 For untagged VLAN movement with 802 1x netlogin you can use all current Extre...

Page 354: ...eme Netlogin VLAN Name The following describes the guidelines for VSA 203 For untagged VLAN movement with 802 1x netlogin you can use all current Extreme Networks VLAN VSAs VSA 203 VSA 209 and VSA 211...

Page 355: ...a value of 1 enabled To specify that a user can authenticate via other methods use a value of 0 disabled VSA 206 Example See the examples described in the section Creating User Accounts on the RADIUS...

Page 356: ...s If you use RADIUS for authentication Extreme Networks recommends that you use the same user name and password for both local authentication and RADIUS authentication If you attempt to create a user...

Page 357: ...user name Creates a password associated with the local netlogin user name Adds the VLAN test1 as the destination VLAN The following is a sample display from this command create netlogin local user meg...

Page 358: ...pt enter the new password and press Enter The switch then prompts you to reenter the password Passwords are case sensitive Passwords must have a minimum of 0 characters and a maximum of 32 characters...

Page 359: ...e of the currently available protocols although TTLS is advertised to be as strong as TLS Both TLS and TTLS are certificate based and require a Public Key Infrastructure PKI that can issue renew and r...

Page 360: ...IUS server Types of authentication methods supported on RADIUS as mentioned previously Need to support VSAs Parameters such as Extreme Netlogin Vlan Name destination vlan for port movement after authe...

Page 361: ...dius netlogin primary server 10 0 1 2 1812 client ip 10 10 20 30 vr VR Mgmt configure radius netlogin primary shared secret purple enable radius The following example is for the FreeRADIUS server the...

Page 362: ...1x enabled clients However when the visitors attempt to log into the network they are granted limited network access because they do not have 802 1x enabled clients The visitors might be able to reac...

Page 363: ...ot running the current approved anti virus software or the client has not installed the appropriate software updates If this occurs the client is authenticated but has limited network access until the...

Page 364: ...owing command configure netlogin base url url Where url is the DNS name of the switch For example configure netlogin base url network access net makes the switch send DNS responses back to the netlogi...

Page 365: ...thenticated network login clients Unauthenticated ports belong to the VLAN temp This kind of configuration provides better security as unauthenticated clients do not connect to the corporate subnet an...

Page 366: ...hcp options wins server 10 0 1 85 configure netlogin vlan temp enable netlogin web based enable netlogin ports 1 10 1 14 4 1 4 4 web based configure netlogin base url network access net Default config...

Page 367: ...every logout and before login again as the port moves back and forth between the temporary and permanent VLANs At this point the client will have its temporary IP address In this example the client s...

Page 368: ...its configured parameters timeout retries and so on or the local database The credentials used for this are the supplicants MAC address in ASCII representation and a locally configured password on the...

Page 369: ...and authenticate a client with a specific MAC address Only MAC addresses that have a match for the specific ports are sent for authentication For example if you associate a MAC address with one or mor...

Page 370: ...s this is the supplicants MAC address with the configured mask applied Note that the commands are VR aware and therefore one MAC list table exists per VR Secure MAC Configuration Example The following...

Page 371: ...netlogin ports 4 1 4 4 mac configure netlogin add mac list default password RADIUS Configuration configure radius netlogin primary server 10 0 1 2 1812 client ip 10 10 20 30 vr VR Mgmt configure radi...

Page 372: ...login MAC Based VLANs Rules and Restrictions This section summarizes the rules and restrictions for configuring netlogin MAC based VLANs You must configure and enable netlogin on the switch and before...

Page 373: ...ased virtual port VLAN combination n Indicates the FDB entry was added by network login VLAN and Port Information To view the VLANs that netlogin adds temporarily in MAC based mode use the following c...

Page 374: ...SecretPassword Expanding upon the previous example you can also utilize the local database for authentication rather than the RADIUS server create netlogin local user 000000000012 vlan vsa untagged de...

Page 375: ...l the ratio of two counters or even the ratio of the changes of two counters over an interval For example you can monitor the ratio between TCP SYN and TCP packets An abnormally large ratio may indica...

Page 376: ...of CLEAR Flow rules use the following command show clear flow To display the CLEAR Flow rules and configuration use the following command show clear flow port port vlan vlanname any rule rulename det...

Page 377: ...riggered and when the match conditions later become false NOTE When you create an ACL policy file that contains CLEAR Flow rules the CLEAR Flow rules do not have any precedence unlike the ACL entries...

Page 378: ...were only evaluated for that particular interface that the CLEAR Flow rule was applied to Beginning with the ExtremeWare XOS 11 2 release you can specify the global rule statement so that counters are...

Page 379: ...counter referred to by an ACL rule entry and the countThreshold is the value compared with the counter The REL_OPER is selected from the relational operators for greater than great than or equal to l...

Page 380: ...delta counter1 100 hysteresis 10 will only be true after the delta of the counter reaches at least 100 At the time it becomes true the hysteresis value is subtracted from the threshold setting the thr...

Page 381: ...ubtracted from the threshold for or the hysteresis value is added to the threshold For example the following ratio expression ratio counter1 counter2 5 min value 100 hysteresis 1 will only be true aft...

Page 382: ...counter is less than the minimum value the expression evaluates to false If not specified the minimum value is 1 The hysteresis hysteresis statement is optional and sets a hysteresis value for the th...

Page 383: ...n rule true count ruleName REL_OPER countThreshold The rule true count statement specifies how to compare how many times a CLEAR Flow rule is true with the expression threshold The ruleName is the nam...

Page 384: ...the different rule actions Permit Deny This action modifies an existing ACL rule to permit or block traffic that matches that rule To change an ACL to permit use the following syntax permit ACLRuleNam...

Page 385: ...and CRIT The message is sent periodically with interval period seconds If period is zero or if this optional parameter is not present the message is sent only once when the rule is triggered The inter...

Page 386: ...CLEAR Flow rule name counterName Replace with counter value for the indicated counter name ruleValue Replace with the current expression value ruleThreshold Replace with the expression threshold valu...

Page 387: ...cted by the IP re assembly algorithm for whatever reason timed out errors etc Note that this is not necessarily a count of discarded IP fragments since some algorithms notably the algorithm in RFC 815...

Page 388: ...toUnreachs The number of incoming ICMP packets addressed to a not in use unreachable invalid protocol This message is in the general category of ICMP destination unreachable error messages sys_IcmpInB...

Page 389: ...ntry acl_rule1 if destination address 192 168 16 0 24 destination port 2049 protocol tcp then count counter1 entry cflow_count_rule_example if count counter1 1000000 period 10 then snmptrap 123 Traffi...

Page 390: ...rate limit qosprofile acl_rule1 QP1 cli configure qosprofile qp3 maxbw 100 ports all Ratio Expression Example In this example every 2 seconds the CLEAR Flow agent will request the counter1 and counte...

Page 391: ...eWare XOS 11 3 Concepts Guide 391 protocol tcp then count counter2 entry cflow_ratio_rule_example if ratio counter1 counter2 5 period 2 min value 1000 then syslog Rule ruleName threshold ratio ruleVal...

Page 392: ...d deny all SYN traffic on the interface No period value for the syslog message is given so the message will be logged once when the expression first becomes true When the expression transitions from t...

Page 393: ...2 Using Switching and Routing Protocols...

Page 394: ......

Page 395: ...cense To use the complete EAPS functionality including running two or more EAPS rings having a switch belonging to multiple EAPS rings or configuring shared ports that allow multiple EAPS domains to s...

Page 396: ...signated the master node see Figure 18 while all other nodes are designated as transit nodes Figure 17 Gigabit Ethernet fiber EAPS MAN ring One port of the master node is designated the master node s...

Page 397: ...nvergence for the entire switch not by EAPS domain Fault Detection and Recovery EAPS fault detection on a ring is based on a single control VLAN per EAPS domain This EAPS domain provides protection to...

Page 398: ...low through the master s secondary port The master node also flushes its FDB and sends a message on the control VLAN to all of its associated transit nodes to flush their forwarding databases as well...

Page 399: ...ored the master receives its health check packet back on its secondary port and once again declares the ring to be complete Again the master node logically Blocks the protected VLANs on its secondary...

Page 400: ...ld span two rings interconnected by a common switch a figure eight topology In this example there is an EAPS domain with its own control VLAN running on ring 1 and another EAPS domain with its own con...

Page 401: ...node Each EAPS domain will protect its own set of protected VLANS In a spatial reuse configuration do not add the same protected VLAN to both EAPS domains You can also use spatial reuse with EAPS shar...

Page 402: ...common link you may experience a loop situation across both rings To solve this problem you can configure EAPS shared ports NOTE You must have a core or an advanced core license to use the EAPS share...

Page 403: ...ent in this software release you can use the existing solution of configuring EAPS plus STP Configuring EAPS on a Switch To configure and enable an EAPS domain complete the following steps 1 Create EA...

Page 404: ...the identifying keyword as well as the actual name If you do not use the keyword the system may return an error message The following command example creates an EAPS domain named eaps_1 create eaps e...

Page 405: ...failtimer expires The seconds parameter must be greater than the configured value for hellotime The default value is 3 seconds To configure the action taken if there is a break in the ring use the fol...

Page 406: ...messages NOTE A control VLAN cannot belong to more than one EAPS domain If the domain is active you cannot delete the domain or modify the configuration of the control VLAN To configure the EAPS cont...

Page 407: ...As long as the ring is complete the master node blocks the protected VLANs on its secondary port The following command example adds the protected VLAN orchid to the EAPS domain eaps_1 configure eaps...

Page 408: ...eaps_1 primary port Displaying EAPS Status Information To display EAPS status information use the following command show eaps This example displays summary EAPS information EAPS Enabled Yes EAPS Fast...

Page 409: ...ode The display from the show eaps detail command shows all the information shown in the show eaps eapsDomain command but displays information for all configured EAPS domains Table 57 explains the fie...

Page 410: ...n is completed Pre Complete The EAPS domain has started operation for Complete state and has sent a request to lower hardware layers to block the secondary port It is in transient state waiting for ac...

Page 411: ...rt assigned to it but the port is untagged in the control VLAN Undetermined Either a VLAN has not been added as the control VLAN to this EAPS domain or this port has not been added to the control VLAN...

Page 412: ...the master nodes of their respective EAPS domains S3 S4 S6 S7 S9 and S10 are the transit nodes of their respective EAPS domains S1 and S2 are running EAPSv2 S1 is the controller S2 is the partner P1 i...

Page 413: ...ed ports This is particularly useful when planning your EAPS configuration The benefit of sorting ports in ascending order is evident if a common link fails The port with the lowest port number among...

Page 414: ...se the following command delete eaps shared port ports Defining the Mode of the Shared Port The shared port on one end of the common link must be configured to be the controller This is the end respon...

Page 415: ...er is set to 3 seconds Unconfiguring an EAPS Shared Port To unconfigure a link ID on a shared port use the following command unconfigure eaps shared port ports link id To unconfigure the mode on a sha...

Page 416: ...roller or partner The mode is configured by the user Link ID The link ID is the unique common link identifier configured by the user Up Displays one of the following states Yes Indicates that the link...

Page 417: ...he detail keyword None Indicates that there is no Active Open port on the VLAN Port Indicates the port that is Active Open and is in a forwarding state Segment Timer expiry action Segment down Specifi...

Page 418: ...state Link Id The neighbor on this port is a controller in the Blocking state with a link ID of Link Id Segment RB Id available with the detail keyword or by specifying a shared port None The neighbor...

Page 419: ...port configurations Basic Configuration This example shown in Figure 26 is the most basic configuration two EAPS domains with a single common link between them Figure 26 EAPS shared port basic config...

Page 420: ...e 28 EAPS shared port right angle configuration Combined Basic Core and Right Angle Configuration Figure 29 shows a combination Basic Core and Right Angle configuration EW_096 S4 S3 S2 S1 Partner EAPS...

Page 421: ...EW_098 S7 S3 S4 S2 S1 EAPS5 EAPS2 EAPS1 S8 S12 S11 S5 Controller S14 S15 S13 S9 S10 Common link Partner S6 Common link Common link EAPS3 EAPS4 Controller Partner Partner Controller Master node S P li...

Page 422: ...Right Angle configuration Figure 31 Advanced configuration EW_101 S2 S1 S8 S9 S11 S10 Controller S14 S3 S13 S12 S7 S4 S5 Common link Common link Common link Common link S6 EAPS3 EAPS6 EAPS4 EAPS2 EAP...

Page 423: ...STP in terms used by the IEEE 802 1D specification the switch will be referred to as a bridge Overview of the Spanning Tree Protocol STP is a bridge based mechanism for providing fault tolerance on n...

Page 424: ...ports that belong to the STPD and the 802 1Q tag used to transport EMISTP or PVST encapsulated BPDUs see Encapsulation Modes on page 425 for more information about encapsulating STP BPDUs Only one ca...

Page 425: ...ee RSTP When configured in this mode all rapid configuration mechanisms are enabled The benefit of this mode is available on point to point links only and when the peer is likewise configured in 802 1...

Page 426: ...s It is possible for the physical port to run in different modes for different domains to which it belongs To configure the BPDU encapsulation mode for one or more STP ports use the following command...

Page 427: ...to an STPD are manually and automatically By default ports are manually added to an STPD NOTE The default VLAN and STPD S0 are already on the switch Manually Binding Ports To manually bind ports use o...

Page 428: ...PD S0 When you issue this command any port or list of ports that you add to the carrier VLAN are automatically added to the STPD with autobind enabled In addition any port or list of ports that you re...

Page 429: ...kDiamond chassis one MSM assumes the role of primary and the other MSM assumes the role of backup The primary executes the switch s management functions and the backup acts in a standby role Hitless f...

Page 430: ...ultiple STPDs on a single port which uses EMISTP A VLAN that spans multiple STPDs Basic STP Configuration This section describes a basic 802 1D STP configuration Figure 32 illustrates a network that u...

Page 431: ...loops are prevented The protected VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The topology has no loops because STP has already blocked the port...

Page 432: ...ed in an STP topology All VLANs in each switch are members of the same STPD STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch Switch 2...

Page 433: ...and S2 still correspond to VLANs A and B respectively you can fine tune STP parameters to make the left link active in S1 and blocking in S2 while the right link is active in S2 and blocking in S1 Onc...

Page 434: ...local to other VLANs Figure 35 VLAN spanning multiple STPDs In addition the configuration in Figure 35 has these features Each site can be administered by a different organization or department withi...

Page 435: ...Figure 37 VLAN red the only VLAN in the figure spans STPDs 1 2 and 3 Inside each domain STP produces a loop free topology However VLAN red is still looped because the three domains form a ring among...

Page 436: ...on the physical port Third party PVST devices send VLAN 1 packets in a special manner ExtremeWare XOS does not support PVST for VLAN 1 Therefore when the switch receives a packet for VLAN 1 the packet...

Page 437: ...of a port in an STPD RSTP tries to rapidly move designated point to point links into the forwarding state when a network topology change or failure occurs For rapid convergence to occur the port must...

Page 438: ...than relying on additional timer configurations Table 61 describes the user configurable timers and Table 62 describes the timers that are derived from other timers and not user configurable Table 60...

Page 439: ...fication TCN timer when it detects a change in the network topology The TCN timer stops when the topology change timer expires or upon receipt of a topology change acknowledgement The default value is...

Page 440: ...following is true The port Has been in either a root or designated port role long enough that the spanning tree information supporting this role assignment has reached all of the bridges in the networ...

Page 441: ...ing state RSTP requires that the recent root timer stop on the previous root port before the new root port can enter the forwarding state Designated Port Rapid Behavior When a port becomes a new desig...

Page 442: ...e communicated through the network In an RSTP environment only non edge ports entering the forwarding state cause a topology change A loss of network connectivity is not considered a topology change h...

Page 443: ...er the configuration update bridge F Considers itself the new root bridge Sends a BPDU message on its designated port to bridge E Figure 40 Down link detected 2 Bridge E believes that bridge A is the...

Page 444: ...uration update from bridge E bridge F Decides that the receiving port is the root port Determines that bridge E is the root bridge Figure 42 Communicating new root bridge status to neighbors 4 Bridge...

Page 445: ...opose message to confirm a port role 5 Upon receiving the proposal bridge E as shown in Figure 44 Performs a configuration update Changes its receiving port to a root port The existing designated port...

Page 446: ...legacy STP bridges Each RSTP bridge contains a port protocol migration state machine to ensure that the ports in the STPD operate in the correct configured mode The state machine is a protocol entity...

Page 447: ...ose of the connected devices The 802 1D ports must be untagged and the EMISTP PVST ports must be tagged in the carrier VLAN An STPD with multiple VLANs must contain only VLANs that belong to the same...

Page 448: ...RFC 1493 Bridge MIB RSTP 03 and Extreme Networks STP MIB Parameters of the s0 default STPD support RFC 1493 and RSTP 03 Parameters of any other STPD support the Extreme Networks STP MIB NOTE If an ST...

Page 449: ...apsulation dot1d enable stpd backbone_st auto bind vlan engineering configure stpd backbone_st tag 150 enable stpd backbone_st By default the port encapsulation mode for user defined STPDs is emistp I...

Page 450: ...s1 create stpd s2 configure stpd s2 add yellow ports all configure stpd s2 tag 300 configure stpd s2 add red ports 1 3 1 4 emistp enable stpd s2 RSTP 802 1w Configuration Example Figure 48 is an examp...

Page 451: ...are XOS 11 3 Concepts Guide 451 Figure 48 RSTP example Sales Personnel Marketing STPD 1 STPD 2 Manufacturing Engineering Marketing Sales Personnel Manufacturing Engineering Marketing Switch A Switch Y...

Page 452: ...nfigure vlan marketing add ports 1 1 2 1 tagged configure stpd stpd1 add vlan sales ports all configure stpd stpd1 add vlan personnel ports all configure stpd stpd1 add vlan marketing ports all config...

Page 453: ...on Configured port link type Operational port link type If you have a VLAN that spans multiple STPDs use the show vlan vlan_name stpd command to display the STP configuration of the ports assigned to...

Page 454: ...Spanning Tree Protocol ExtremeWare XOS 11 3 Concepts Guide 454...

Page 455: ...RP cache entries in client workstations do not need to be refreshed or aged out ESRP is available only on Extreme Networks switches In addition to providing Layer 3 routing redundancy for IP and IPX E...

Page 456: ...RP on page 476 For more information about standalone ELRP see Using Standalone ELRP to Perform Loop Tests on page 620 Reasons to Use ESRP You can use ESRP to achieve edge level or aggregation level re...

Page 457: ...vity broadcast storms or other unpredictable behavior may occur If you have an untagged master VLAN you must specify an ESRP domain ID The domain ID must be identical on all switches participating in...

Page 458: ...ESRP aware you must create an ESRP domain on the aware switch add a master VLAN to that ESRP domain and configure a domain ID if necessary To participate as an ESRP aware switch the following must be...

Page 459: ...e requesting switch For example if a slave switch wants to become the master it enters the pre master state notifies the neighbor switch and forces the neighbor to acknowledge the change The neighbor...

Page 460: ...uto toggle feature Depending on the mode of operation configured on the neighbor switch the mode of operation at this end will toggle to the same mode of operation as the neighbor For example if you u...

Page 461: ...links may contain a router to router VLAN along with other VLANs participating in an ESRP domain If multiple VLANs are used on the direct links use 802 1Q tagging The direct links may be aggregated i...

Page 462: ...witch providing Layer 3 routing and or Layer 2 switching services for a VLAN using the following default factors Stickiness The switch with the higher sticky value has higher priority When an ESRP dom...

Page 463: ...is in slave mode it exchanges ESRP packets with other switches on that same VLAN When a switch is in slave mode it does not perform Layer 3 routing or Layer 2 switching services for the VLAN From a La...

Page 464: ...tors ESRP hello timer setting ESRP neighbor timer setting The routing protocol being used for interrouter connectivity if Layer 3 redundancy is used OSPF failover time is faster than RIP failover time...

Page 465: ...ain should consider election factors in the following order Active ports tracking information ESRP priority MAC address NOTE This is the default election algorithm for standard mode priority mac Speci...

Page 466: ...g VLANs see Chapter 5 Virtual LANs For more information about ESRP master and member VLANs see Adding VLANs to an ESRP Domain on page 468 You can also configure other ESRP domain parameters including...

Page 467: ...ed NOTE If you use the same name across categories for example STPD and ESRP names Extreme Networks recommends that you specify the appropriate keyword as well as the actual name If you do not specify...

Page 468: ...ster sales To delete a master VLAN you must first disable the ESRP domain before removing the master VLAN using the disable esrp esrpDomain command To delete a master VLAN from an ESRP domain use the...

Page 469: ...n is used to track various forms of connectivity from the ESRP switch to the outside world This section describes the following ESRP tracking options ESRP Environment Tracking on page 470 ESRP VLAN Tr...

Page 470: ...status and remains in slave mode You can track a maximum of one VLAN To add or delete the tracked VLAN use one of the following commands configure esrp esrpDomain add track vlan vlan_name configure e...

Page 471: ...of tracked devices use the following command show esrp name ESRP Tracking Example Figure 50 is an example of ESRP tracking Figure 50 ESRP tracking To configure VLAN tracking use the following command...

Page 472: ...disconnection of these ports causes downstream devices to remove the ports from their FDB tables This feature allows you to use ESRP in networks that include equipment from other vendors After 2 secon...

Page 473: ...net Automatic Protection Switching EAPS or VRRP A broadcast storm may occur To configure a port to be a host port use the following command configure esrp ports ports mode host normal ESRP Port Weight...

Page 474: ...le ESRP groups is when two or more sets of ESRP switches are providing fast failover protection within a subnet A maximum of seven distinct ESRP groups can be supported on a single ESRP switch and a m...

Page 475: ...gure ESRP refer to the ExtremeWare XOS Command Reference Guide Using ELRP with ESRP Extreme Loop Recovery Protocol ELRP is a feature of ExtremeWare XOS that allows you to prevent detect and recover fr...

Page 476: ...its ESRP domain ports If the master switch receives an ELRP PDU that it sent the master transitions to the slave While in the slave state the switch transitions to the pre master rate and periodically...

Page 477: ...P in the master state use the following command configure esrp esrpDomain elrp master poll disable Configuring Ports You can configure one or more ports of an ESRP domain where ELRP packet transmissio...

Page 478: ...hing for ESRP domain esrp1 and VLAN Sales The edge switches are dual homed to the BlackDiamond 10K switches The BlackDiamond 10K switches perform Layer 2 switching between the edge switches and Layer...

Page 479: ...tches sense when a master slave transition occurs and flush FDB entries associated with the uplinks to the ESRP enabled BlackDiamond 10K switches The following commands are used to configure both Blac...

Page 480: ...mode of operation use the configure esrp mode extended standard command The commands used to configure the BlackDiamond 10K switches are as follows create vlan sales configure vlan sales add ports 1...

Page 481: ...he first BlackDiamond 10K switch uses 802 1Q tagging to carry traffic from both VLANs traffic on one link The BlackDiamond switch counts the link active for each VLAN The second BlackDiamond switch ha...

Page 482: ...d master sales configure esrp esrp1 priority 5 enable esrp esrp1 create esrp esrp2 configure esrp esrp2 domain id 4097 configure esrp esrp2 add master engineering enable esrp esrp2 Configuration comma...

Page 483: ...nd a VLAN but you must do so on separate devices You should be careful to maintain ESRP connectivity between ESRP master and slave switches when you design a network that uses ESRP and STP ESRP and VR...

Page 484: ...Extreme Standby Router Protocol ExtremeWare XOS 11 3 Concepts Guide 484...

Page 485: ...sers VRRP is used to eliminate the single point of failure associated with manually configuring a default gateway address on each host in a network Without using VRRP if the configured default gateway...

Page 486: ...lover If any of the configured routes are not available within the route table the router automatically relinquishes master status and remains in INIT mode To add or delete a tracked route use one of...

Page 487: ...the IP routing table When the route is no longer available the switch implements a VRRP failover to the backup To configure ping tracking as shown in Figure 55 use the following command configure vrrp...

Page 488: ...all backup routers This signals the backup routers that they do not need to wait for the master down interval to expire and the master election process for a new master can begin immediately The maste...

Page 489: ...ckup router The master router is responsible for forwarding packets sent to the virtual router When the VRRP network becomes active the master router broadcasts an ARP request that contains the virtua...

Page 490: ...Fully redundant VRRP configuration In Figure 57 switch A is configured as follows IP address 192 168 1 3 Master router for VRID 1 Backup router for VRID 2 MAC address 00 00 5E 00 01 01 Switch B is con...

Page 491: ...p_address This is the IP address associated with this virtual router You can associate one or more IP addresses to a virtual router This parameter has no default value advertisement_interval This is t...

Page 492: ...ch A are as follows configure vlan vlan1 ipaddress 192 168 1 3 24 create vrrp vlan vlan1 vrid 1 configure vrrp vlan vlan1 vrid 1 prioirty 255 configure vrrp vlan vlan1 vrid 1 add 192 168 1 3 enable vr...

Page 493: ...vlan vlan1 vrid 1 add 192 168 1 3 create vrrp vlan vlan1 vrid 2 configure vrrp vlan vlan1 vrid 2 add 192 168 1 5 enable vrrp The configuration commands for switch B are as follows configure vlan vlan...

Page 494: ...onfigured with IP addresses 1 1 1 1 24 and 2 2 2 2 24 the following configurations are allowed VRRP VR on VLAN v1 with VRID 99 with virtual IP addresses 1 1 1 2 and 1 1 1 3 VRRP VR on VLAN v1 with VRI...

Page 495: ...rview of IPv4 Unicast Routing The switch provides full Layer 3 IPv4 unicast routing It exchanges routing information with other routers on the network using either the Routing Information Protocol RIP...

Page 496: ...signed to Finance all ports on slots 2 and 4 are assigned to Personnel Finance belongs to the IP network 192 207 35 0 the router interface for Finance is assigned the IP address 192 207 35 1 Personnel...

Page 497: ...for security reasons to control which routes you want advertised by the router You configure if you want all static routes to be advertised using one of the following commands enable rip export bgp d...

Page 498: ...lative route priorities Relative Route Priorities Table 65 lists the relative priorities assigned to routes depending on the learned source of the route NOTE Although these priorities can be changed d...

Page 499: ...d to achieve router redundancy and to simplify IP client configuration The switch supports proxy ARP for this type of network configuration The section describes some example of using proxy ARP with t...

Page 500: ...address 100 101 45 67 using its own MAC address All subsequent data packets from 100 101 102 103 are sent to the switch and the switch routes the packets to 100 101 45 67 Configuring IPv4 Unicast Rout...

Page 501: ...ned Additional verification commands include show iparp Displays the IP ARP table of the system show ipconfig Displays configuration information for one or more VLANs Routing Configuration Example Fig...

Page 502: ...Personnel All other traffic NetBIOS is part of the VLAN MyCompany The example in Figure 61 is configured as follows create vlan Finance create vlan Personnel create vlan MyCompany configure Finance pr...

Page 503: ...tation that required separate VLANs for each IP network The implementation introduced in ExtremeWare XOS 11 0 is simpler to configure does not require that you create a dummy multinetting protocol and...

Page 504: ...e Transfer Protocol TFTP Secure Shell 2 SSH2 and others to the switch from a host residing in either the primary or the secondary subnet of the VLAN Other host functions such as traceroute are also su...

Page 505: ...gured on per VLAN basis There is no way to configure a routing protocol on an individual primary or secondary interface Configuring a protocol parameter on a VLAN automatically configures the paramete...

Page 506: ...n be exported into the BGP domain by enabling export of direct routes IGMP Snooping and IGMP Internet Group Management Protocol IGMP snooping and IGMP treat the VLAN as an interface Only control packe...

Page 507: ...ging to the primary subnet To add a host on secondary subnet you must manually configure the IP address information on that host DHCP Relay When the switch is configured as a DHCP relay agent it will...

Page 508: ...2 2 3 and 2 2 2 4 VRRP VR on v1 with VRID of 99 with virtual IP addresses of 1 1 1 98 and 1 1 1 99 VRRP VR on v1 with VRID of 100 with virtual IP addresses of 2 2 2 98 and 2 2 2 99 Given the same VLAN...

Page 509: ...ess 192 168 35 1 configure multinet add secondary ipaddress 192 168 37 1 configure multinet add port 5 5 configure default delete port 1 8 2 9 3 10 create vlan multinet_2 configure multinet_2 ipaddres...

Page 510: ...HCP relay agent option use the following command after configuring the DHCP BOOTP relay function configure bootprelay dhcp agent information option To disable the DHCP relay agent option use the follo...

Page 511: ...owever if the previous bootprelay functions are adequate you may continue to use them NOTE UDP forwarding only works across a layer 3 boundary and currently UDP forwarding can be applied to IPv4 packe...

Page 512: ...ight entries in a UDP forwarding profile The UDP forwarding module will process those entries even if the entries do not contain any attributes for UDP forwarding Having more than eight entries will d...

Page 513: ...ho packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command enable udp echo server vr vrid udp port port To d...

Page 514: ...IPv4 Unicast Routing ExtremeWare XOS 11 3 Concepts Guide 514...

Page 515: ...n with other routers on the network using either the IPv6 version of Routing Information Protocol RIPng or the IPv6 version of Open Shortest Path First OSPFv3 protocol The switch dynamically builds an...

Page 516: ...in IPv4 tunnels known as configured tunnels or 6in4 tunnels and IPv6 to IPv4 tunnels known as 6to4 tunnels To create or delete a tunnel use the following commands create tunnel tunnel_name 6to4 source...

Page 517: ...is a duplicate it cannot use the address Until the Duplicate Address Detection DAD process completes the new address is considered tentative and will be shown as such in any display output If the add...

Page 518: ...rst hop MAC Address Resolution In IPv4 MAC address resolution is done by ARP For IPv6 this functionality is handled by the Neighbor Discovery Protocol The router maintains a cache of IPv6 addresses an...

Page 519: ...e of the Prefix Autonomous Flag To enable router discovery on a VLAN use the following command enable router discovery ipv6 vlan vlan_name To configure the prefixes advertised by router discovery use...

Page 520: ...f the following commands enable ripng export direct ospfv3 ospfv3 extern1 ospfv3 extern2 ospfv3 inter ospfv3 intra static cost number tag number policy policy name or disable ripng export direct ospfv...

Page 521: ...ative Route Priorities Table 66 lists the relative priorities assigned to routes depending on the learned source of the route NOTE Although these priorities can be changed do not attempt any manipulat...

Page 522: ...e vr vr_name 5 Configure the routing protocol if required For a simple network using RIPng the default configuration may be acceptable 6 Turn on RIPng or OSPFv3 using one of the following commands ena...

Page 523: ...tions connected to slots 1 and 3 have access to the router by way of the VLAN Finance Ports on slots 2 and 4 reach the router by way of the VLAN Personnel All other traffic NetBIOS is part of the VLAN...

Page 524: ...IPv4 region is one hop even if multiple IPv4 routers are traversed during transport A 6in4 tunnel connects one IPv6 region to one other IPv6 region Multiple 6in4 tunnels can be configured on a single...

Page 525: ...B Hosts A and B are configured to use IPv6 addresses 2001 db8 1 101 and 2001 db8 2 101 respectively In order for traffic to move from one region to the other there must be a route In this example a st...

Page 526: ...vlan private ipv6 ipaddress 2001 db8 1 1 64 enable ipforwarding ipv6 private ipv6 configure iproute add 2001 db8 2 64 2001 db8 a 2 Router B configure vlan default delete port all create vlan public i...

Page 527: ...4 source address of the endpoint in hexadecimal colon separated form For example for a tunnel endpoint located at IPv4 address 10 20 30 40 the tunnel address would be 2002 0a14 1e28 16 In hex 10 is 0a...

Page 528: ...2 48 enable ipforwarding ipv6 private ipv6 Router 2 configure vlan default delete port all create vlan public ipv4 configure vlan public ipv4 add port 1 untagged configure vlan public ipv4 ipaddress...

Page 529: ...00 04 96 1F A4 32 IP address 2002 0a00 0001 0001 0204 96ff fe1f a432 64 Static route destination 2002 16 gateway 2002 0a00 0001 0001 1 Host 3 MAC address 00 01 30 00 C2 00 IP address 2002 0a00 0001 00...

Page 530: ...IPv6 Unicast Routing ExtremeWare XOS 11 3 Concepts Guide 530...

Page 531: ...r many years and is widely deployed and understood OSPF is a link state protocol based on the Dijkstra link state algorithm OSPF is a newer IGP and solves a number of problems associated with using RI...

Page 532: ...ained later in this chapter Overview of RIP RIP is an IGP first used in computer routing in the Advanced Research Projects Agency Network ARPAnet as early as 1969 It is primarily intended for use in h...

Page 533: ...ertisement of VLANs Virtual LANs VLANs that are configured with an IP address but are configured to not route IP or are not configured to run RIP do not have their subnets advertised by RIP RIP advert...

Page 534: ...he routes to export from RIP to OSPF Likewise for any other combinations of protocols you must separately configure each to export routes to the other Redistributing Routes into RIP Enable or disable...

Page 535: ...d switch that has three VLANs defined as follows Finance Protocol sensitive VLAN using the IP protocol All ports on slots 1 and 3 have been assigned IP address 192 207 35 1 Personnel Protocol sensitiv...

Page 536: ...ce and Personnel VLANs but this example shows how to exclude that traffic To allow the NetBIOS traffic or other type of traffic along with the IP traffic remove the configure finance protocol ip and c...

Page 537: ...RIP Configuration Example ExtremeWare XOS 11 3 Concepts Guide 537 enable ipforwarding configure rip add vlan all enable rip...

Page 538: ...RIP ExtremeWare XOS 11 3 Concepts Guide 538...

Page 539: ...n the Bellman Ford or distance vector algorithm The distance vector algorithm has been in use for many years and is widely deployed and understood The other common IGP for IPv6 is OSPFv3 a link state...

Page 540: ...ng is primarily intended for use in homogeneous networks of moderate size To determine the best path to a distant network a router using RIPng always selects the path that has the least number of hops...

Page 541: ...o run RIP do not have their subnets advertised by RIP RIP advertises only those VLANs that are configured with an IP address are configured to route IP and run RIP Route Redistribution More than one r...

Page 542: ...48 Personnel All ports on slots 2 and 4 have been assigned IP address 2001 db8 36 1 48 MyCompany Port based VLAN All ports on slots 1 through 4 have been assigned The stations connected to the system...

Page 543: ...also known as an autonomous system AS In a link state routing protocol each router maintains a database describing the topology of the AS Each participating router has an identical database maintaine...

Page 544: ...the exact same LSDB Table 67 describes LSA type numbers Database Overflow The OSPF database overflow feature allows you to limit the size of the LSDB and to maintain a consistent LSDB across all the r...

Page 545: ...ic correctly The first condition is that forwarding can continue while the control function is restarted Most modern router system designs separate the forwarding function from the control function so...

Page 546: ...a area identifier virtual link router identifier area identifier restart helper none planned unplanned both The graceful restart period sent out to helper routers can be configured with the following...

Page 547: ...area is connected to only one other area The area that connects to a stub area can be the backbone area External route information is not distributed into stub areas Stub areas are used to reduce mem...

Page 548: ...h between the ABR of the disconnected area and the ABR of the normal area that connects to the backbone A virtual link must be established between two ABRs that have a common area with one ABR connect...

Page 549: ...ype This is the default setting Broadcast Any Routers must elect a designated router DR and a backup designated router BDR during synchronization Ethernet is an example of a broadcast link Point to po...

Page 550: ...from that protocol to the first one are discreet configuration functions For example to run OSPF and RIP simultaneously you must first configure both protocols and then verify the independent operatio...

Page 551: ...exported routes can also be filtered using policies Verify the configuration using the command show ospf OSPF Timers and Authentication Configuring OSPF timers and authentication on a per area basis...

Page 552: ...n LSA packet over the interface The transit delay must be greater than 0 Hello interval The interval at which routers send hello packets Shorter times allow routers to discover each other more quickly...

Page 553: ...and ABR2 Network number 10 0 x x Two identified VLANs HQ_10_0_2 and HQ_10_0_3 Area 5 is connected to the backbone area by way of ABR1 and ABR2 It is located in Chicago and has the following characteri...

Page 554: ...1 255 255 255 0 configure vlan HQ_10_0_3 ipaddress 10 0 3 1 255 255 255 0 configure vlan LA_161_48_2 ipaddress 161 48 2 2 255 255 255 0 configure vlan Chi_160_26_26 ipaddress 160 26 26 1 255 255 255 0...

Page 555: ...can specify multiple search criteria and only those results matching all of the criteria are displayed This allows you to control the displayed entries in large routing tables To display the current l...

Page 556: ...OSPF ExtremeWare XOS 11 3 Concepts Guide 556...

Page 557: ...at used to support IPv4 OSPFv3 has retained the use of the four byte dotted decimal numbers for router IDs LSA IDs and area IDs OSPFv3 is an interior gateway protocol IGP as is the other common IGP fo...

Page 558: ...areas in an AS must be connected to the backbone When designing networks you should start with area 0 0 0 0 and then expand into other areas NOTE Area 0 0 0 0 exists by default and cannot be deleted o...

Page 559: ...s Not so stubby areas NSSAs are not supported currently in the ExtremeWare XOS implementation of OSPFv3 Normal Area A normal area is an area that is not Area 0 Stub area NSSA Virtual links can be conf...

Page 560: ...n continue to communicate with the backbone using the virtual link Figure 73 Virtual link providing redundancy Link Type Support You can manually configure the OSPFv3 link type for a VLAN Table 70 des...

Page 561: ...otocol can be enabled simultaneously on the switch Route redistribution allows the switch to exchange routes including static routes between the routing protocols Figure 74 is an example of route redi...

Page 562: ...for any other combinations of protocols you must separately configure each to export routes to the other Redistributing Routes into OSPFv3 Enable or disable the exporting of RIPng static and direct in...

Page 563: ...command the policy is applied on every exported route The exported routes can also be filtered using policies Verify the configuration using the command show ospfv3 domain domainName OSPFv3 Timers Co...

Page 564: ...g all the configurations Router 1 will establish OSPFv3 adjacency with Router 2 and Router 3 They will also exchange the various link state databases Configuration for Router 1 The router labeled Rout...

Page 565: ...re vlan to r1 ipaddress 2001 db8 4444 6666 2 64 configure vlan to r1 add port 1 1 enable ipforwarding ipv6 configure ospfv3 routerid 0 0 0 2 configure ospfv3 add vlan to r1 area 0 0 0 0 enable ospfv3...

Page 566: ...OSPFv3 ExtremeWare XOS 11 3 Concepts Guide 566...

Page 567: ...rotection of BGP Sessions via the TCP MD5 Signature Option RFC 2439 BGP Route Flap Damping RFC 2796 BGP Route Reflection An Alternative to Full Mesh IBGP RFC 2842 Capabilities Advertisement with BGP 4...

Page 568: ...IGP Exterior Gateway Protocol EGP and incomplete AS_Path The list of ASs that are traversed for this route Next_hop The IP address of the next hop BGP router to reach the destination listed in the NLR...

Page 569: ...ter is formed by the route reflector and its client routers Peer routers that are not part of the cluster must be fully meshed according to the rules of BGP A BGP cluster including the route reflector...

Page 570: ...onfigure vlan to_c1 add port 1 2 configure vlan to_c1 ipaddress 20 0 0 2 24 enable ipforwarding vlan to_c1 create vlan to_c2 configure vlan to_c2 add port 1 2 configure vlan to_c2 ipaddress 30 0 0 2 2...

Page 571: ...h sub AS must be fully meshed The confederation is advertised to other networks as a single AS Route Confederation Example Figure 77 shows an example of a confederation Figure 77 Routing confederation...

Page 572: ...To configure router B use the following commands create vlan ba configure vlan ba add port 1 configure vlan ba ipaddress 192 1 1 5 30 enable ipforwarding vlan ba configure ospf add vlan ba area 0 0 0...

Page 573: ...ure router D use the following commands create vlan db configure vlan db add port 1 configure vlan db ipaddress 192 1 1 10 30 enable ipforwarding vlan db configure ospf add vlan db area 0 0 0 0 create...

Page 574: ...command configure bgp add aggregate address address family ipv4 unicast ipv4 multicast ipaddress as match as set summary only advertise policy policy attribute policy policy Using the Loopback Interfa...

Page 575: ...o remove a neighbor from a peer group use the peer group none option When you remove a neighbor from a peer group the neighbor retains the parameter settings of the group The parameter values are not...

Page 576: ...sion for a BGP peer group or for a set of routes To enable route flap dampening over BGP peer sessions use the following command configure bgp neighbor all remoteaddr address family ipv4 unicast ipv4...

Page 577: ...S numbers in the range 64512 through 65534 You can remove private AS numbers from the AS path attribute in updates that are sent to external BGP EBGP neighbors Possible reasons for using private AS nu...

Page 578: ...pf inter ospf intra rip static address family ipv4 unicast ipv4 multicast export policy policy name disable bgp export direct ospf ospf extern1 ospf extern2 ospf inter ospf intra rip static address fa...

Page 579: ...s a function that allows a single IP host to send a packet to a group of IP hosts This group of hosts can include devices that reside on or outside the local network and within or across a routing dom...

Page 580: ...col which allows you to prune and graft multicast routes PIM DM routers perform reverse path multicasting RPM However instead of exchanging its own unicast route tables for the RPM algorithm PIM DM us...

Page 581: ...e switch and beginning with release 11 2 ExtremeWare XOS supports IGMPv3 However the switch can be configured to disable the generation of periodic IGMP query packets IGMP should be enabled when the s...

Page 582: ...ic IGMP is only available with IGMPv2 Use the following command to emulate a host on a port configure igmp snooping vlan vlanname ports portlist add static group ip address To emulate a multicast rout...

Page 583: ...ticast routing on the interface using the following command enable ipmcforwarding vlan name 3 Enable PIM on all IP multicast routing interfaces using the following command configure pim add vlan vlan_...

Page 584: ...M Figure 78 IP multicast routing using PIM DM configuration example Area 0 10 0 1 1 10 0 3 2 10 0 3 1 160 26 25 1 161 48 2 2 161 48 2 1 10 0 2 1 H Q _ 1 0 _ 0 _ 2 C h i _ 1 6 0 _ 2 6 _ 2 6 H Q _ 1 0 _...

Page 585: ...ABR1 is configured for IP multicast routing using PIM SM Figure 79 IP multicast routing using PIM SM configuration example The router labeled ABR1 has the following configuration configure vlan HQ_10...

Page 586: ...pim crp HQ_10_0_3 rp_list 30 configure pim cbsr HQ_10_0_3 30 The policy file rp_list pol contains the list of multicast group addresses serviced by this RP This set of group addresses are advertised...

Page 587: ...he current release of ExtremeWare XOS 11 3 IPv6 multicast packets are flooded to VLANs that receive the traffic MLD Overview MLD is a protocol used by an IPv6 host to register its IP multicast group m...

Page 588: ...MLD report then the traffic is forwarded to that host In some situations you would like multicast traffic to be forwarded to a port where a multicast enabled host is not available for example when yo...

Page 589: ...3 Appendixes...

Page 590: ......

Page 591: ...oftware running on your system Modular software packages enhance the functionality of the ExtremeWare XOS core image currently running on your switch Modular software packages are not preinstalled at...

Page 592: ...tput is structured as follows show version ExtremeWare XOS Version major minor patch build For example ExtremeWare XOS version 10 1 2 16 show switch major minor patch build For example 10 1 2 16 Table...

Page 593: ...you are using TFTP Loading the new image onto an external compact flash memory card if you are using the external compact flash slot This method is available only on modular switches Use a PC with app...

Page 594: ...as follows bd10K 11 2 0 18 ssh xmod can run only with the core image named bd10K 11 2 0 18 xos You can install a modular software package on the active partition or on the inactive partition You woul...

Page 595: ...xtreme Networks introduces a new core software image a new modular software package is also available If you have a software module installed and upgrade to a new core image you need to upgrade to the...

Page 596: ...age to an external compact flash memory card see Downloading a New Image on page 591 for more information The first example uses the terminate process and start process commands to terminate and resta...

Page 597: ...e show switch command to see the scheduled time Understanding Hitless Upgrade BlackDiamond 10K Switch Only ExtremeWare XOS 11 1 introduced the concept of hitless upgrade Hitless upgrade is a mechanism...

Page 598: ...system complete the following tasks 1 Determine your selected and booted image partitions 2 Select the partition to download the image to and the partition to boot from after installing the image 3 Do...

Page 599: ...install the image at a later time use the following command to install the software install image fname partition msm slotid reboot 3 Initiate failover from the primary MSM to the backup MSM using the...

Page 600: ...rforming a Hitless Upgrade Hitless Upgrade Examples Using the assumptions described below the following examples perform a hitless upgrade for a core software image on the BlackDiamond 10K switch You...

Page 601: ...reboot the switch you must save the configuration to nonvolatile storage The switch can store multiple user defined configuration files each with its own filename By default the switch has two prename...

Page 602: ...he switch boots to factory default settings if the previously saved configuration file is overwritten The configuration that is not in the process of being saved is unaffected Viewing a Configuration...

Page 603: ...name of the TFTP server ip_address Is the IP address of the TFTP server p Puts the specified file from the local host and copies it to the TFTP server l local_file Specifies the name of the configurat...

Page 604: ...itch used when it originally booted an asterisk appears before the command line prompt when using the CLI Synchronizing MSMs Modular Switches Only On a dual MSM system you can take the primary MSM con...

Page 605: ...eraction with the Bootloader is required only under special circumstances and should be done only under the direction of Extreme Networks Customer Support The necessity of using these functions implie...

Page 606: ...OM from a TFTP server on the network or an external compact flash memory card installed in the compact flash slot of the MSM after the switch has booted Upgrade the BootROM only when asked to do so by...

Page 607: ...You can configure the switch to automatically upgrade the firmware when a different image is detected or you can have the switch prompt you to confirm the upgrade process To configure the switch s be...

Page 608: ...ions ExtremeWare XOS 11 3 Concepts Guide 608 Power over Ethernet PoE firmware is always automatically upgraded or downgraded to match the operational ExtremeWare XOS code image This configuration is n...

Page 609: ...n page 633 Untagged Frames on the 10 Gbps Module BlackDiamond 10K Switch Only on page 633 Running MSM Diagnostics from the Bootloader BlackDiamond 10K Switch Only on page 633 Contacting Extreme Networ...

Page 610: ...uding the VLAN tag ports in the VLAN and whether or not the ports are tagged Use the show vlan detail command to display detailed information for each VLAN configured on the switch For additional VLAN...

Page 611: ...w neighbor discovery cache ipv6 command to display the contents of the ND cache IP routing protocol statistics for the CPU of the switch Only statistics of the packets handled by the CPU are displayed...

Page 612: ...se the show rip interface detail command to display RIP specific statistics for all VLANs Your RIP next generation RIPng configuration including RIPng poison reverse split horizon triggered updates tr...

Page 613: ...play the expected input voltage Also refer to the section Power Management Guidelines on page 80 for more detailed information about power management ERR LED on the Management Switch Fabric Module MSM...

Page 614: ...hes Only on page 616 Command Prompt on page 616 Port Configuration on page 617 VLANs on page 618 STP on page 618 ESRP on page 619 VRRP on page 620 General Tips and Recommendations The initial welcome...

Page 615: ...led check the connections and network cabling at the port The port through which you are trying to access the device is in a correctly configured Virtual LAN VLAN The community strings configured for...

Page 616: ...only user privileges are available This is true regardless of the privileges configured on the primary MSM If you enter an administrator level command on the backup MSM the switch displays a message s...

Page 617: ...between devices This is NOT a problem with the Extreme Networks switch Always verify that the Extreme Networks switch and the network device match in configuration for speed and duplex No link light...

Page 618: ...st cost metric STP You have connected an endstation directly to the switch and the endstation fails to boot correctly The switch has the Spanning Tree Protocol STP enabled and the endstation is bootin...

Page 619: ...cannot enable an ESRP domain Before you enable a specific ESRP domain it must have a domain ID A domain ID is either a user configured number or the 802 1Q tag VLANid of the tagged master VLAN The do...

Page 620: ...tomatic Protection Switching EAPS requires that a network have a ring topology to operate In this case you can use ELRP to ensure that the network has a ring topology ELRP is used to detect network lo...

Page 621: ...cutive transmissions A message is printed to the console and logged into the system log file indicating detection of network loop when ELRP packets are received back or no packets are received within...

Page 622: ...log file and or sending a trap to the SNMP manager To disable a pending one shot or periodic ELRP request for a specified VLAN use the following command unconfigure elrp client vlan_name Displaying S...

Page 623: ...7 minutes to complete To install additional modular software packages BootROM images BlackDiamond 10K switch only and configuration files see Appendix A Software Upgrade and Boot Options for more info...

Page 624: ...Technical Support Obtaining the Rescue Image from an External Compact Flash Memory Card BlackDiamond 8800 Family of Switches Only In addition to recovering the switch using the internal compact flash...

Page 625: ...sage press enter to reboot Press Enter to reboot the switch The switch reboots and displays the login prompt You have successfully completed the setup from the external compact flash memory card 4 Rem...

Page 626: ...el to troubleshoot the switch This section describes the following topics Enabling the Switch to Send Debug Information on page 627 Copying Debug Information on page 627 Managing Files on the External...

Page 627: ...e hardware such as a compact flash reader writer and follow the manufacturer s instructions to access the compact flash card and read the data Managing Files on the External Memory Card Modular Switch...

Page 628: ...y making a copy you can easily go back to the original file if needed To copy an existing configuration or policy file on your card use the following command cp memorycard old name memorycard new name...

Page 629: ...ng and Statistics Overview of the System Health Checker There are two modes of health checking available on the switch polling and backplane diagnostic packets These methods are briefly described for...

Page 630: ...system health checker tests the data link every 5 seconds for the specified slot NOTE Enabling backplane diagnostic packets increases CPU utilization and competes with network traffic for resources To...

Page 631: ...itch you have additional or different odometer information may be displayed The following is sample output from a BlackDiamond 10K switch Service First Recorded Field Replaceable Units Days Start Date...

Page 632: ...t X450 switch if the switch runs outside the expected range the switch logs an error message generates a trap and continues running No components are shutdown To verify the state of the switch use eit...

Page 633: ...ne power budget for the slot is reduced Untagged Frames on the 10 Gbps Module BlackDiamond 10K Switch Only On the BlackDiamond 10K switch the 10 Gbps module must have the serial number 804405 00 09 or...

Page 634: ...tes diagnostics for the primary image 4 Diagnostics for image 2 initiates diagnostics for the secondary image For example to run diagnostics on the primary image use the following command boot 3 When...

Page 635: ...oftware Module on page 636 Running the Tests on page 636 Configuring the CNA Agent on page 637 Overview The CNA Agent accepts requests from the CNA Server to run tests for measuring and verifying netw...

Page 636: ...are module that contains SSL NOTE You must download the SSH module prior to downloading the CNA module If you attempt to download the CNA software module and you have not already downloaded the SSH so...

Page 637: ...cna testplug Once you enable the CNA Agent you register the CNA Agent with the CNA Server and the CNA Agent performs the requested network tests and reports the results To disable the CNA Agent use t...

Page 638: ...This command clears the CNA Agent counters on the Extreme Networks devices and resets those counters to zero You can also issue the clear counters command which clears all the counters on the device...

Page 639: ...101549 0 Tcpconnect 36455 0 Merge 50 0 NOTE Adaptive Networking Software ANS runs on the CNA Server Troubleshooting If the CNA Agent is not able to register with the CNA Server check the following it...

Page 640: ...CNA Agent ExtremeWare XOS 11 3 Concepts Guide 640...

Page 641: ...vision 2 RFC 951 Bootstrap Protocol RFC 1542 Clarifications and Extensions for the Bootstrap Protocol RFC 2131 Dynamic Host Configuration Protocol RFC 1122 Requirements for Internet Hosts Communicatio...

Page 642: ...on Protocol for IPv6 RIPng RFC 2080 RIPng for IPv6 Open Shortest Path First OSPF RFC 2328 OSPF Version 2 RFC 1587 The OSPF NSSA Option RFC 1765 OSPF Database Overflow RFC 2370 The OSPF Opaque LSA Opti...

Page 643: ...nt Framework RFC 2571 An Architecture for Describing Simple Network Management Protocol SNMP Management Frameworks RFC 1757 Remote Network Monitoring Management Information Base RFC 2021 Remote Networ...

Page 644: ...v4 and OSI Security Routing protocol authentication RFC 1492 An Access Control Protocol Sometimes Called TACACS Secure Shell SSHv2 Secure Copy SCPv2 with encryption authentication Secure Socket Layer...

Page 645: ...d network and forward and receive the radio signals that transmit wireless data area In OSPF an area is a logical set of segments connected by routers The topology within an area is hidden from the re...

Page 646: ...each multiaccess network has a BDR The BDR is adjacent to all routers on the network and becomes the DR when the previous DR fails The period of disruption in transit traffic lasts only as long as it...

Page 647: ...roadcast domains VLANs In wireless technology bridging refers to forwarding and receiving data between radio interfaces on APs or between clients on the same radio So bridged traffic can be forwarded...

Page 648: ...ummit X450 switch certain ports can be used as either copper or fiber ports common link In EAPS the common link is the physical link between the controller and partner nodes in a network where multipl...

Page 649: ...iscovery DHCP Dynamic Host Configuration Protocol DHCP allows network administrators to centrally manage and automate the assignment of IP addresses on the corporate network DHCP sends a new IP addres...

Page 650: ...systems in other ASs EBGP works between different ASs ECMP Equal Cost Multi Paths In OSPF this routing algorithm distributes network traffic across multiple high bandwidth links to increase performanc...

Page 651: ...T in compatibility with third party switches running this version of STP EPICenter EPICenter is an Extreme Networks proprietary graphical user interface GUI network management system ESRP Extreme Stan...

Page 652: ...e frame was received and an identifier for the VLAN to which the device belongs Frames destined for devices that are not currently in the FDB are flooded to all members of the VLAN For some types of e...

Page 653: ...l that allows generation of error messages test packets and operating messages For example the ping command allows you to send ICMP echo messages to a remote IP device to test for connectivity ICMP al...

Page 654: ...idea of unique addresses for each computer on the network IP is a connectionless best effort protocol TCP reassembles the data after transmission IP specifies the format and addressing scheme for eac...

Page 655: ...es L LACP Link Aggregation Control Protocol LACP is part of the IEEE 802 3ad and automatically configures multiple aggregated links between switches LAG Link aggregation group A LAG is the logical hig...

Page 656: ...FS Link Fault Signal LFS which conforms to IEEE standard 802 3ae 2002 monitors 10 Gbps ports and indicates either remote faults or local faults loop detection In ELRP loop detection is the process use...

Page 657: ...traffic the metering function interacts with other components to either re mark or drop the traffic for that flow In the Extreme Networks implementation you use ACLs to enforce metering member VLAN In...

Page 658: ...hat specifically join the multicast group the addresses are specified in the destination address field In other words multicast point to multipoint is a communication pattern in which a source host se...

Page 659: ...useful for system redundancy NSSA Not so stubby area In OSPF NSSA is a stub area which is connected to only one other area with additional capabilities External routes originating from an ASBR connec...

Page 660: ...routing and load balancing Although OSPF requires CPU power and memory space it results in smaller less frequent router table updates throughout the network This protocol is more efficient and scalabl...

Page 661: ...d to rewrite and modify routing advertisements port mirroring Port mirroring configures the switch to copy all traffic associated with one or more ports to a designated monitor port A packet bound for...

Page 662: ...te with a central server to authenticate dial in users and authorize their access to the requested system or service RADIUS allows a company to maintain user profiles in a central database that all re...

Page 663: ...etwork that does not have a root port root port In STP the root port provides the shortest path to the root bridge All bridges except the root bridge contain one root port route aggregation In BGP you...

Page 664: ...ou can have many 6in4 tunnels per VR 6to4 tunnels The 6to4 tunnels are one way to send IPv6 packets over IPv4 networks This transition mechanism provides a way to connect IPv6 end site networks by aut...

Page 665: ...llows a network to have a topology that contains physical loops it operates in bridges and switches STP opens certain paths to create a tree topology thereby preventing packets from looping endlessly...

Page 666: ...of the IEEE 802 1Q field of the header Using this 12 bit field you can configure up to 4096 individual VLAN addresses usually some are reserved for system VLANs such as management and default VLANs t...

Page 667: ...VRRP the virtual router is identified by a virtual router VRID and an IP address A router running VRRP can participate in one or more virtual routers The VRRP virtual router spans more than one physi...

Page 668: ...ned the same VRID VR Mgmt This virtual router is part of the embedded system in Extreme Networks BlackDiamond 10K switches The VR Mgmt enables remove management stations to access the switch through T...

Page 669: ...ExtremeWare XOS 11 3 Concepts Guide 669 X XENPAK Pluggable optics that contain a 10 Gigabit Ethernet module The XENPAKs conform to the IEEE 802 3ae standard...

Page 670: ...Glossary ExtremeWare XOS 11 3 Concepts Guide 670...

Page 671: ...re eaps hellotime 405 configure eaps mode 404 configure eaps primary port 406 configure eaps secondary port 406 configure eaps shared port domain 414 configure eaps shared port mode 414 configure eaps...

Page 672: ...ip 323 configure radius shared secret 323 324 configure radius timeout 323 configure radius accounting 324 333 configure radius accounting timeout 324 configure rip import policy 260 284 configure ri...

Page 673: ...8 create protocol 226 create stpd 424 447 create virtual router 244 create vlan 45 246 D delete account 45 49 delete bgp peer group 574 delete eaps 404 delete eaps shared port 414 415 delete esrp 467...

Page 674: ...ng 583 enable jumbo frame ports 117 enable license 46 enable log debug mode 209 626 enable log target 198 enable log target console 207 enable log target session 207 enable netlogin 350 enable netlogi...

Page 675: ...group 582 show inline power 169 171 172 174 show inline power configuration ports 171 173 177 show inline power info ports 167 178 show inline power slot 170 176 show inline power stats ports 179 sho...

Page 676: ...cess 104 tftp 67 69 102 258 337 603 top 629 traceroute 53 54 55 U unconfigure access list 259 272 unconfigure eaps primary port 408 unconfigure eaps secondary port 408 unconfigure eaps shared port lin...

Page 677: ...rs 273 description 261 editing 258 examples 273 274 file syntax 262 metering 271 refreshing 259 rule entry 262 rules 270 transferring to the switch 258 troubleshooting 257 action modifiers ACL 264 act...

Page 678: ...574 using 574 route confederations 571 route flap dampening configuring 576 description 575 viewing 576 route reflectors 569 route selection 577 static networks 578 bi directional rate shaping config...

Page 679: ...ng 99 628 deleting 101 629 description 601 displaying 100 628 downloading 603 managing 98 overview 102 relaying from primary to backup 72 renaming 98 628 saving changes 601 selecting 602 uploading 603...

Page 680: ...99 405 failtimer 399 405 Fast Convergence 397 407 FDB 398 hardware layer 398 health check packet 399 405 hellotime 405 licensing 395 link down message 398 master node 396 404 multiple domains per swit...

Page 681: ...RP 484 489 494 auto toggle 456 460 basic topology 457 description 455 direct link 461 displaying data 476 domain ID 461 domains description 460 don t count 474 election algorithms 465 environment trac...

Page 682: ...d QoS 291 file syntax ACL 262 policy 279 file system administration 97 filename requirements 98 628 filenames troubleshooting 98 628 files copying 99 628 deleting 101 629 displaying 100 628 renaming 9...

Page 683: ...scription 579 example 583 IGMP description 581 snooping 581 587 snooping filters 582 PIM mode interoperation 581 PIM multicast border router PMBR 581 PIM DM 580 PIM SM 580 IP multinetting and ESRP 484...

Page 684: ...SSH2 36 verifying 35 limit sFlow maximum CPU sample limit 212 limiting entries FDB 253 line editing keys 43 link aggregation See also load sharing adding or deleting ports 124 and control protocols 11...

Page 685: ...rning FDB 253 MAC based authentication advantages 347 configuration example 371 configuration secure MAC 370 description 368 disabling 369 disadvantages 347 enabling 369 MAC based security 253 315 MAC...

Page 686: ...multiple supplicants 347 port enabling 350 RADIUS attributes 352 RADIUS authentication 351 redirect page 364 secure MAC 369 session refresh 365 settings displaying 350 user netlogin only disabled 351...

Page 687: ...ng 50 path MTU discovery 117 peer groups 574 Per VLAN Spanning Tree See PVST permanent entries FDB 251 permit established 274 PIM and IP multinetting 506 mode interoperation 581 multicast border route...

Page 688: ...48 port restart ESRP 473 port weight ESRP 459 port based load sharing 120 121 port based VLANs 220 223 port mirroring and protocol analyzers 131 description 130 displaying 133 examples 132 guidelines...

Page 689: ...sification priorities 295 committed rates 294 database applications 291 default QoS profiles 294 295 description 289 DiffServ changing mapping to QoS profile 301 configuring 300 default mapping to QoS...

Page 690: ...LAN 228 rendezvous point 580 rescue image 623 resilience 396 responding to ARP requests 499 restart graceful 545 returning to factory defaults 602 RFCs 641 BGP 567 bridge 448 IPv4 multicast routing 57...

Page 691: ...n propagating 442 rule entry ACL 262 policy 279 rule types 378 S safe defaults mode 46 safe defaults script 46 sampling rate sFlow 212 saving configuration changes 601 scoped IPv6 addresses 517 SCP2 3...

Page 692: ...3 software image See image software licensing 33 software module xmod file 594 activating 594 description 594 downloading 593 overview 29 591 uninstalling 594 software signature 592 software controlle...

Page 693: ...apid root failover 429 rules and restrictions 447 StpdID 426 448 troubleshooting 447 618 StpdID 426 strings community 84 stub area OSPF 547 stub area OSPFv3 559 subcomponents EMS 201 Subnetwork Access...

Page 694: ...playing status 68 re enabling 68 sample ACL policies 67 server 63 session establishing 63 maximum number of 63 opening 63 terminating 68 viewing 69 TCP port number 64 using 62 telnet MSM 53 temperatur...

Page 695: ...0 171 port configuration 617 port mirroring 130 131 power fluctuation on PoE module 633 QoS 292 298 300 303 304 rescue image 623 software 33 software controlled redundant ports 137 SSH2 336 SSL 48 SSL...

Page 696: ...nd tagged 225 names 41 228 port based 220 223 precedence 227 protocol filters customizing 226 deleting 227 predefined 226 protocol based 225 QoS profile 231 renaming 228 tagged 223 troubleshooting 221...

Page 697: ...ple 355 guidelines 354 VSA 205 example 355 guidelines 355 VSA 206 examples 352 guidelines 355 VSA 209 example 354 guidelines 354 VSA 211 examples 353 guidelines 353 W web browsing applications and QoS...

Page 698: ...Index ExtremeWare XOS 11 3 Concepts Guide 698...

Reviews:

No comments

Related manuals for ExtremeWare XOS 11.3

Canon 70 MC - ZR70MC MiniDV Digital Camcorder Instruction Manual preview
70 MC - ZR70MC MiniDV Digital Camcorder
Brand: Canon Pages: 57
PRESONUS UNIVERSAL CONTROL 1.1 SVN 2108 Installation Instructions preview
UNIVERSAL CONTROL 1.1 SVN 2108
Brand: PRESONUS Pages: 1
Barco NioWatch Installation & User Manual preview
NioWatch
Brand: Barco Pages: 22
Barracuda Networks NG Network Access Client SP4 Migration Instructions preview
NG Network Access Client SP4
Brand: Barracuda Networks Pages: 10
AMX I!-FTPSENDER Instruction Manual preview
I!-FTPSENDER
Brand: AMX Pages: 12
Partec ParaStation5 Administrator'S Manual preview
ParaStation5
Brand: Partec Pages: 98
Belkin UPGRADE FIRMWARE MODEM ROUTER Manual preview
UPGRADE FIRMWARE MODEM ROUTER
Brand: Belkin Pages: 1
Samsung SyncMaster S23A750D (Spanish) Manual Del Usuario preview
SyncMaster S23A750D
Brand: Samsung Pages: 90
Samsung UN55C7000WF Quick Setup Manual preview
UN55C7000WF
Brand: Samsung Pages: 2
Samsung UN40C7000WFXZA Troubleshooting Manual preview
UN40C7000WFXZA
Brand: Samsung Pages: 4
Samsung UN46ES8000FXZA Fast Track Troubleshooting preview
UN46ES8000FXZA
Brand: Samsung Pages: 5
Samsung UN40C7000WF (Spanish) Software Manual preview
UN40C7000WF
Brand: Samsung Pages: 7
Samsung UE40C7000WW User Manual preview
UE40C7000WW
Brand: Samsung Pages: 7
Samsung SVM-­S1 Quick Reference Manual preview
SVM-­S1
Brand: Samsung Pages: 8
Samsung SyncMaster T23A750 Service Manual preview
SyncMaster T23A750
Brand: Samsung Pages: 46
Samsung UN40ES6820F Service Manual preview
UN40ES6820F
Brand: Samsung Pages: 85
Samsung SyncMaster C27A750X (Spanish) Manual Del Usuario preview
SyncMaster C27A750X
Brand: Samsung Pages: 102
Samsung SmarThru 2 User Manual preview
SmarThru 2
Brand: Samsung Pages: 113

Brands by name

Popular brands

Load more brands