
Ridgeline Concepts and Solutions Guide


Figure 277: Verify the RADIUS client in IAS

Step 4. Create a Remote Access Policy for Ridgeline Users

Create a Microsoft Internet Authentication Remote Access Policy for each type of Ridgeline role that 
you plan to use within Ridgeline. For each different role (predefined roles such as Admin or Manager, 
or user-defined roles) a Remote Access Policy is needed, configured with the role information that must 
be transmitted to Ridgeline along with the user’s authentication status. 

To create a Remote Access Policy:

1. Under the Internet Authentication Service, right-click the Remote Access Policies folder, select New and then Remote Access Policy.

   The New Remote Access Policy Wizard will start. Click New to continue.

2. Type a name for the Policy Name (see Figure 278, where Ridgeline is used as an example), then click Next.

   If you need to create multiple policies, each must have a unique name, such as NMS-Admin and NMS-Monitor

Summary of Contents for Ridgeline 3.0

Page 1: ...Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com Ridgeline Concepts and Solutions Guide Software Version 3 0 Published February 2011 Part Number 100396 00 Rev 01 ...

Page 2: ...ck the Extreme Networks logo the Alpine logo the BlackDiamond logo the Extreme Turbodrive logo the Summit logos and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks Inc or its subsidiaries in the United States and or other countries Active Directory is a registered trademark of Microsoft sFlow is a registered trademark of InMon Corporation XenServer is a t...

Page 3: ...ware Architecture 20 Extreme Networks Switch Management 21 SNMP and MIBs 21 The Remote Monitoring RMON MIB 22 Traps and Smart Traps 22 Device Status Polling 22 Telnet Polling 22 Edge Port Polling Using the MAC Address Poller 23 Updating Device Status with the Ridgeline Database 23 Extreme Networks Device Support 23 Third Party Device Support 23 Chapter 2 Getting Started with Ridgeline 25 Starting ...

Page 4: ...ging Device Groups and Port Groups 53 Creating a Group 53 Adding a Device to a Device Group 54 Adding Ports to a Port Group 55 Adding Ports from a Single Device to a Port Group 55 Adding Ports from Multiple Devices to a Port Group 57 Copying or Moving Groups 58 Removing Devices or Ports from Groups 59 Modifying the Properties of a Group 59 Displaying Group Details 60 Exporting Group Information 61...

Page 5: ...ng E Line and E L AN Services 103 Chapter 8 Managing PBB Networks 113 SVLANs BVLANs CVLANs and ISIDs 114 Configuring BVLANs 114 Creating a BVLAN 115 Modifying a BVLAN 116 Viewing PBB Information 118 Displaying PBB Details 120 BVLAN CVLAN and SVLAN Details 121 ISID Details 122 Chapter 9 Managing and Monitoring VPLS Domains 123 Hierarchical VPLS H VPLS 124 VPLS Support in Ridgeline 125 Viewing VPLS ...

Page 6: ...nager 152 Enabling VM Tracking On a Switch 152 Editing List of Devices and Ports 156 Policy Match Condition Combinations 159 Creating a Virtual Port Profile 159 Attaching Policies VPPs and VMs 161 Attaching a VPP to a VM 162 Attaching a Policy to a VPP 165 Detaching VPPs 167 Detaching a VPP from a VM 167 Detaching a VPP from a Policy 168 Viewing Information on the VMs Tab 169 All Table and All Map...

Page 7: ...licies 201 Overview 201 Viewing Policies for Devices 202 Creating a New Policy 203 Copying a Policy to Create a New Policy 209 Editing a Policy 210 Deleting a Policy 211 Detaching a Policy 212 Attaching a Policy 212 Categorizing Policies 213 Categorizing Policy Rules 214 Creating and Managing Roles 214 Viewing Active Policies for Devices 214 Chapter 15 Tuning and Debugging Ridgeline 215 Monitoring...

Page 8: ...r a Script 247 Rerunning a Script 248 About ExtremeXOS Scripts 248 Chapter 17 Using Identity Management 249 Identity Management Software License 249 Overview 249 Role Based Access Control 250 Roles Policies and Rules 250 Roles 250 Policies 251 Role Hierarchy 251 Role Inheritance 253 LDAP Attributes and Server Selection 254 Enabling Monitoring on Switches and Ports 254 Editing Monitored Device Port...

Page 9: ...eline Window 299 Enabling the Java Console 300 Ridgeline Client Issues 300 Ridgeline Database 301 Ridgeline Server Issues 302 VLAN Management 305 Alarm System 305 Ridgeline Inventory 307 Printing 307 Reports 308 Configuration Manager 308 Appendix B Configuring Devices for Use With Ridgeline 309 Configuring Ridgeline as a Syslog Receiver 309 Setting Ridgeline as a Trap Receiver 310 The Ridgeline Th...

Page 10: ...e DevCLI Commands 352 DevCLI Examples 353 Inventory Export Scripts 354 Using the Inventory Export Scripts 354 Inventory Export Examples 356 The SNMPCLI Utility 356 Using the SNMPCLI Utility 357 SNMPCLI Examples 358 The AlarmMgr Utility 358 Using the AlarmMgr Command 358 AlarmMgr Output 360 AlarmMgr Examples 360 The FindAddr Utility 361 Using the FindAddr Command 361 FindAddr Output 363 FindAddr Ex...

Page 11: ...idging concepts Routing concepts The Simple Network Management Protocol SNMP NOTE If the information in the Release Notes shipped with your software differs from the information in this guide follow the Release Note Terminology When features functionality or operation is specific to the Summit Alpine or BlackDiamond switch family the family name is used Explanations about features and operations t...

Page 12: ...d type a particular command The words enter and type When you see the word enter in this guide you must type something and then press the Return or Enter key Do not press the Return or Enter key when an instruction simply says type Key names Key names appear in text in one of two ways They may be referred to by their labels such as the Return key or the Escape key written with brackets such as Ret...

Page 13: ...elp available from the Help menu in each Ridgeline window Other manuals that you will find useful are ExtremeWare Software User Guide ExtremeWare Command Reference Guide ExtremeXOS Concepts Guide ExtremeXOS Command Reference Guide For documentation on Extreme Networks products and for general information about Extreme Networks see the Extreme Networks home page http www extremenetworks com Custome...

Page 14: ...Related Publications Ridgeline Concepts and Solutions Guide 12 ...

Page 15: ...ge the network and its elements Ridgeline delivers on both the basic requirements of network management while adding valuable and intuitive features that help save time by streamlining common tasks Ridgeline offers a comprehensive set of network management applications that are easy to use from a workstation configured with a web browser and the Java plug in The Ridgeline application and database ...

Page 16: ...ize your network into a hierarchy of groups with subgroups for campuses buildings and individual rooms Integrated network topology maps Ridgeline s network topology map feature is integrated with the device group functionality so that when you create a device group you have the option of selecting the Map view of the group which causes Ridgeline to generate a network topology map populated with th...

Page 17: ... basic level These devices can appear on a topology map with basic status and alarm handling based on MIB 2 functionality Based on Ridgeline s Third Party Integration Framework selected appliances from Extreme Networks partners can be integrated into Ridgeline in a robust fashion that allows reporting alarm management and monitoring with graphical front and back panel views ...

Page 18: ... sensitive online Help available from the Help menu at the top of Ridgeline windows The Ridgeline Reference Guide also provides a detailed description of the functionality of each Ridgeline feature Inventory Management Ridgeline keeps a database of all devices managed by the software Any Ridgeline user with read only access to this feature can view status information about the switches currently k...

Page 19: ...roup Ridgeline also adds any links that exist between the device nodes You can customize the resulting maps by moving elements adding new elements such as links decorative non managed nodes and text and customizing the device nodes themselves Information about the links and devices in maps is displayed graphically with colored icons indicating device alarm level and state of the links between devi...

Page 20: ...from Extreme if desired The IP MAC Address Finder The IP MAC Address Finder lets you search for specific network addresses MAC or IP addresses and identify the Extreme Networks switch and port on which the address resides You can also use the IP MAC Finder to find all addresses on a specific port or set of ports If you have enabled Ridgeline s periodic MAC Address polling which does polls for edge...

Page 21: ... create additional roles can modify the capabilities available under each role and can add and delete Ridgeline users as well as enable or disable access for individual users By default Ridgeline provides its own authentication and authorization for Ridgeline users However through Ridgeline Administration Ridgeline can be configured to act as a Remote Authentication Dial In User Service RADIUS cli...

Page 22: ...on errors detected among your EAPS nodes or domains Ridgeline Software Architecture The Ridgeline software is made up of three major functional components The Ridgeline Server The server is responsible for managing security and communicating with the managed objects database and client systems The Ridgeline Database The database is a Relational Database Management System RDBMS which is used as bot...

Page 23: ...ger intervals This interval for this less frequent detailed polling can be adjusted on each individual device The Ridgeline software also gives you the ability to gather device status at any time using the Update devices option under the View menu To avoid the overhead of frequent device polling the Ridgeline software also uses a mechanism called SmartTraps to identify changes in Extreme device co...

Page 24: ...h as fan failure or overheating or configuration changes made on the switch through the ExtremeWare CLI or ExtremeWare Vista For non Extreme devices Ridgeline does not automatically register itself as a trap receiver you must manually configure those devices to send traps to Ridgeline See Configuring Devices for Use With Ridgeline on page 309 for information on configuring devices to send traps to...

Page 25: ...us with the Ridgeline Database A user with an appropriate role a role with read write access can use the Update devices option under the View menu to update the device status in the Ridgeline database when the user believes that the device configuration or status is not correctly reported by Ridgeline The Update Devices action causes Ridgeline to poll the switch and update all configuration and st...

Page 26: ...Ridgeline Overview Ridgeline Concepts and Solutions Guide 24 ...

Page 27: ...s Solaris or Red Hat Enterprise Linux server and a client component which can be launched from a Web browser Once the Ridgeline server is running multiple clients can connect to it The Ridgeline software supports multiple administrator users with different roles that determine the Ridgeline functions each user can perform This chapter assumes you have successfully installed or upgraded to the curr...

Page 28: ...rt allows you to obtain files necessary to run the Ridgeline Client directly from the Ridgeline Server by pointing a browser to the Ridgeline Server and clicking on a hyperlink The download and installation of the Ridgeline software on the client system takes place automatically Each time you launch the Client Ridgeline checks whether you have the most current version If you do not Ridgeline autom...

Page 29: ... 2 Enter the URL for your Ridgeline Server in the form http host port Replace host with the name or IP address of the system where the Ridgeline Server is running Do not use localhost as the host Replace port with the TCP port number that you assigned to the Ridgeline web server during installation NOTE If you configured your Ridgeline Server to use the default web server port 80 you do not need t...

Page 30: ...r the software is downloaded you are prompted whether you want to run the application Click Run to continue 7 The Ridgeline Log On screen appears and you are prompted for a username and password Figure 3 Ridgeline Log On Screen 8 If this is the first time you are logging in to Ridgeline enter admin in both the Username field and the Password field Click Log on to connect to the Ridgeline server 9 ...

Page 31: ...ine Help selection displays the table of contents for the complete Help system Ridgeline also provides the Ridgeline Reference Guide which also describes how to use the Ridgeline features This guide can be accessed from the doc subdirectory under the Ridgeline installation directory In the Windows environment this is Program Files Extreme Networks Ridgeline 3 0 extreme war helptext docs In a Linux...

Page 32: ...he subfolders below it The subfolders contain links to device groups and Ridgeline applications Tabbed Windows When you click one of the main folders or a device group folder it opens a tabbed window for that folder above the Navigation Table Tabbed windows are dockable meaning that they can be moved around in the main Ridgeline window See Moving Tabbed Windows in Ridgeline on page 32 for more inf...

Page 33: ...ether the sort is ascending or descending Resizing Table Columns You can resize the widths of each column To do this follow these steps 1 Place the cursor over the line separating the column you want to resize from the column to its right 2 Click and hold the left mouse button to grab the column separator 3 Drag the separator until the column is are the desired width Moving Table Columns To move a...

Page 34: ...ut cannot do any configuration tasks The Disabled role provides no access to any features of the product Every user created in Ridgeline is assigned a role which determines the access that user has to the features of the product In Ridgeline the administrator can also create additional roles with any combination of read only read write or disabled access to different Ridgeline product features In ...

Page 35: ...mat Enable the discovery to use SNMPv3 in its search Figure 7 shows an example of a discovery specification You can add multiple address range specifications to be executed in a single discovery operation Figure 7 Discovering devices to add to the Ridgeline inventory database Note that you must provide the SNMP read community string to enable Ridgeline to get information from the devices it finds ...

Page 36: ...this information It pre fills the fields with a default set of communication information that you can change as appropriate to the specific devices you are adding The information you provide in the pop up dialog is used for all the devices in the set you have selected to add Therefore if you have devices that use different passwords protocols or community strings you must add them to the database ...

Page 37: ...o those used in your own network To change the default communication values select Default communications settings from the Tools menu Ridgeline uses the Extreme default values for its switches as the defaults in Ridgeline Login as admin with no password SSH2 disabled For Cisco devices only the default Cisco enable password none Default SNMP v1 community strings public for read and private for wri...

Page 38: ...e of a Ridgeline Network Views display Click the tabs to show separate tables of information about devices links VLANs and EAPS domains Figure 10 Displaying Information in Network Views The table in a Network View window lists information about the device port or group selected in the navigation frame You can select one or more objects within the table to display additional information about the s...

Page 39: ...and user defined links Clicking on a link highlights the link in the Map View VLANs Displays information about the VLANs configured on the devices in the device group Clicking on a VLAN in the table displays additional information about the selected VLAN in the details window and also displays in the Map View an overlay highlighting all of the devices and links where the selected VLAN is configure...

Page 40: ...ups You can create a port group consisting of the voice over IP VoIP ports on all switches in your network and monitor status of the ports in the group In Network Views device groups and port groups are represented with folder icons If a group has subgroups below it you can click on the plus sign next to the group in the navigation frame to show the group hierarchy as shown in Figure 12 Figure 12 ...

Page 41: ...s adding new elements such as links decorative non managed nodes and text and customizing the device nodes themselves You can customize the layouts of your maps into hierarchical views using copy and paste or by deleting devices from one map and then adding them to a different map You can also add and remove user defined links between devices as well as decorative nodes nodes that aren t discovere...

Page 42: ...hered from the switch agent Figure 14 Device Inventory Window You can click on the slots and ports in the Panel View to display additional information about the selected item Viewing Device Properties You can view the properties of a device in Ridgeline The Device Properties window shows several tabs of information about the selected device see Figure 15 To display this window select a device then...

Page 43: ... can open a Telnet session on an individual device and execute commands just as you would from a standard Telnet interface You can optionally record the commands and output from a Telnet session and save the results to a file For Extreme Networks devices Ridgeline will automatically log into the switch based on the device login name and contact password configured for the device in the Add Device ...

Page 44: ...right click and select Paste from the pop up menu To record the commands and output from a Telnet session select Start Recording from the Tools menu in the Ridgeline Telnet window You can also start recording by clicking the icon or by right clicking and selecting Start Record from the pop up menu To stop the recording select Stop Recording from the Tools menu in the Ridgeline Telnet window You ca...

Page 45: ...essages BD 12804 1 show tech all logto file show tech command output is logging into internal memory show tech command output file show_tech log gz is saved into internal memory BD 12804 2 4 Enter the command upload debug IP_address where IP_address is the address of the server When prompted to run the show tech logto file command enter N The following example shows the command and command message...

Page 46: ...s you manage the versions of firmware installed on your devices Ridgeline will check the Extreme web site to find the most current versions of the device slot and bootROM software and will download it to the Ridgeline server if you so choose It can tell you if the software on your devices is the most current versions and can also manage the process of the upgrading the images on your devices Since...

Page 47: ...ing a page or sounding an audible alert You can also forward the trap to another trap receiver To view alarms in Ridgeline expand the list of folders under Network Administration and click Alarm Manager Predefined Alarms For convenience the Ridgeline Alarm Manager provides a number of predefined alarms These alarms are enabled by default and are active as soon as the Ridgeline server starts up The...

Page 48: ...alarm log entries the first time you display the Alarm Browser even if you have not defined any alarms of your own Figure 18 The Alarm Log Browser window For more information on using the Ridgeline Alarm Manager see the Ridgeline Reference Guide or the online Help Using Basic Ridgeline Reports Ridgeline provides a large number of reports based on the data in the Ridgeline database The Network Stat...

Page 49: ...ws a few of the reports you can view through the Reports feature Figure 19 Examples of Ridgeline reports Most reports can be sorted in a number of ways and many reports can be filtered to display only the data of interest based on the types of information shown in the report In addition from some reports the displayed data can be exported to files in formats csv or xml that can be imported into ot...

Page 50: ...es by device group From here you can access status of individual devices alarms not responding for example and can drill down to Alarm Details Slots Stacks and Ports Slot Inventory by Card Type Card Summary by Card or All Cards Device Details Slot Details Empty Slots Report Inventory of cards by type installed in devices in the Ridgeline database The Card Summary Report shows details about cards o...

Page 51: ...he device or interface reporting the client Unconnected Clients List of wireless clients not in the data forwarding state MIB Poller Tools MIB Poller Summary Displays data in a MIB collection Users with an Administrator role can start or stop a collection MIB Query Provides an interface to query for the value of specific MIB variables This is available only to users with an Administrator role See ...

Page 52: ...Getting Started with Ridgeline Ridgeline Concepts and Solutions Guide 50 ...

Page 53: ...IP VoIP ports on all switches in your network and monitor status of the ports in the group Establish the scope for performing operations in Ridgeline Device and port groups are used in conjunction with other Ridgeline features such as the Firmware Manager and Profile Manager to limit the display to just those devices in a specific group For example if you want to use the Firmware Manager to upgrad...

Page 54: ...up is indicated on the folder icon next to the group name Clicking a group in the Network Views folder shows information about the devices in the table view In the table view are tabs for displaying information about links between the devices VLANs and EAPS configuration Information in the table view can be exported to a Microsoft Excel spreadsheet The map view allows you to view a graphical repre...

Page 55: ...ica or Bay Area groups However if you create a second top level group called EXOS Switches which is not a subgroup of the North America group you can place the switch in the EXOS Switches group even though the switch also resides in the Santa Clara Campus subgroup of the North America group Managing Device Groups and Port Groups This section describes how to perform the following tasks Create a gr...

Page 56: ...roup a subgroup of an existing subgroup expand the list of groups and select a subgroup from the list 5 Click OK to create the new group Adding a Device to a Device Group To add a device to a device group do the following 1 Display the device in a table of devices One way to do this is to select the All view then click the All devices button to show all devices 2 Click the device to select it in t...

Page 57: ...ding Ports to a Port Group The ports that make up a port group can be either from a single device or from multiple devices Adding Ports from a Single Device to a Port Group If the port group will contain ports from a single device do the following 1 Display the device in a table of devices One way to do this is to select the All view then click the All devices button to show all devices 2 Right cl...

Page 58: ... group from the pop up menu The Copy to group window is displayed as shown in Figure 24 This window lists the port groups that have been created in Ridgeline By default just the top level groups are displayed To display the subgroups within a top level group click the plus sign next to the group name Figure 24 Copy to Port Group Window 5 Select the group in which you want to place the port s Note ...

Page 59: ...isplay all of the devices in inventory or click the Device group button and specify one or more device groups from the drop down list 3 Devices in the selected group either all devices or one or more device groups are displayed in the left column of the window From the left column select the devices that contain the ports that you want to add to the port group then double click the device or click...

Page 60: ...ndow lists the port groups that have been created in Ridgeline By default just the top level groups are displayed To display the subgroups within a top level group click the plus sign next to the group name 7 Select the group in which you want to place the port s Note that a port can be placed in a top level group hierarchy only once See Group Membership Guidelines on page 53 for more information ...

Page 61: ...geline displays an error message and the operation is cancelled Removing Devices or Ports from Groups To remove a device or port from a group do the following 1 In the Network Views folder select the group that contains the device or port you want to remove 2 Select the device or port in the table 3 From the Edit menu select Delete Ridgeline prompts you for confirmation to delete the selected devi...

Page 62: ...formation in the Name or Description fields and click OK to save the changes Displaying Group Details To display details about a group click on the group s row in the Table View Information about the selected group appears in the details frame If you double click on the row the device details are displayed in a separate window as shown in Figure 28 ...

Page 63: ...ion the display lists information the contents of the group either ports or devices You can use the Filter and Quick Filter boxes to limit the contents of the table Exporting Group Information You can export a Microsoft Excel spreadsheet containing information about the contents of a device group or port group 1 In the Network Views folder select the group you want to export If necessary use the F...

Page 64: ...ndow 3 Select whether to save the only the viewable data that is just the filtered data currently shown in the table or all data for all devices ports in the group 4 Click Browse and specify the location and name for the exported file 5 Click Save to export the group information to the specified location ...

Page 65: ...ves NOTE Links can only be discovered and auto populated between Extreme Networks devices that have the Extreme Discovery Protocol EDP or the Link Layer Discovery Protocol LLDP enabled or on third party devices with LLDP enabled Links cannot be discovered on non Extreme Networks devices that do not run LLDP or on Extreme Networks devices with EDP and LLDP disabled In addition from a managed device...

Page 66: ... level group as well as for any subgroups Map View The graphical representation of the devices and links in the currently selected device group or subgroup Selecting a device in the Map View causes the corresponding row in the Navigation Table to be selected Navigation Table Table of information about the objects displayed in the Map View Selecting a device in the Navigation Table causes the corre...

Page 67: ...ap in which this node is located The device status indicated by the icon A red slash through the icon indicates that the device is down A gray icon indicates that the device is offline An icon without a red slash or gray color indicates that the device is up Alarm Status The highest level alarm currently unacknowledged among the devices in the current map or any of its submaps Devices and submaps ...

Page 68: ...er node icon shows the following information The name of the device group that this hyper node represents An optional user supplied annotation for the hyper node The alarm status indicated by the presence of an alarm icon small bell The alarm status shows the highest level alarm currently unacknowledged for the devices in the group The color of the bell indicates the severity of the alarm If no ic...

Page 69: ... line indicates a 10 100 link A medium line indicates a gigabit link A thick line indicates a 10 gigabit link A very thick line indicates a composite link The color of the link line indicates the link status A green line indicates that the link is up both device ports are up A red line indicates that the link is down both device ports are down A yellow line may be displayed for composite or load s...

Page 70: ...g so that the section appears in the display Zooming In and Out on a Map To zoom in the current map do one of the following Select Zoom in from the Map menu Click the icon at the top of the zoom bar Move the slider on the zoom bar upward To zoom out the current map do one of the following Select Zoom out from the Map menu Click the icon at the bottom of the zoom bar Move the slider on the zoom bar...

Page 71: ...rm the following tasks Creating a topology map for a device group Specifying properties for the topology map Laying out the topology map Creating user defined links between devices Removing inactive links Adding graphic elements such as decorative nodes network clouds and text boxes Adding an annotation to a device icon in a map Exporting a map to an SVG file Deleting the maps for a device group a...

Page 72: ...ce group it may take a few minutes for Ridgeline to generate the map When generating the map Ridgeline creates an icon for each device and automatically detects links between Extreme Networks devices when EDP or LLDP is enabled on either device Links can also be detected on third party devices that support LLDP Specifying Map Properties Map properties include the alarm status that is displayed on ...

Page 73: ...he background color of the map After specifying properties for the map click Save changes to apply the new properties and close the window Click Restore global map settings to reset the map properties to the globally set values Laying Out the Map You can drag map nodes around on the map yourself or you can have Ridgeline lay out the map nodes for you To have Ridgeline do the map layout select Auto...

Page 74: ...played c As an alternative to selecting a port you can specify a text annotation to describe this side of the link on the map To do this click the Annotation button and enter the text in the box 4 When you have finished specifying both ends of the link click OK to create the link on the map Removing Inactive Links from the Map On a topology map the color of the link line indicates the link status ...

Page 75: ...ional description and annotation for the node and click Create node Text Boxes Text boxes can be used to create a title for the map additional annotations for other map elements comments and so on To add a text box to your map select New Text box from the File or the Map menu A new text box with the words Type here is placed on the map Double click the text box and replace the Type here text with ...

Page 76: ...nu The Device annotation window is displayed as shown in Figure 33 Figure 36 Device Annotation Window 3 In the text box enter the annotation for the device 4 Click Save changes to apply the annotation to the device and close the window Exporting Maps You can export a Map view to a Scalable Vector Graphics SVG file that can be opened in a browser or other application that supports the SVG format No...

Page 77: ...in Figure 37 Figure 37 Selecting Maps to Delete from the Optimization Folder The table displays the name of each top level group the description if one is configured and the number of maps in the group and subgroups 2 Select a top level group from the list and select Delete from the Edit menu Ridgeline prompts you for confirmation to delete the map 3 Click Yes to delete the map When you do this al...

Page 78: ...Using Map Views Ridgeline Concepts and Solutions Guide 76 ...

Page 79: ...kbone Bridge PBB networks Ridgeline s provisioning interface helps you configure a PBB network by facilitating the creation of BVLANs on selected devices ports or links E Line and E LAN services Using the service provisioning wizard you can create and modify E Line point to point and E LAN multipoint to multipoint services You can select the devices and ports that make up the service specify traff...

Page 80: ...Under Network Views select the folder containing the devices you want to configure 2 In the Navigation Table or the Map View if displayed click on the devices to select them For a VLAN you can select one or more switches links or ports Figure 38 Selecting Devices to Provision ...

Page 81: ...he switch software running on a device does not support the feature you are configuring it is greyed out in the Available devices table 4 Click one of the devices to view the Available ports table for the device 5 For each port you want to add to the VLAN select the port and click the Add tagged or Add untagged button 6 Edit the values in the Tag and Name fields for the new VLAN 7 When you have fi...

Page 82: ...n commands then saves the configuration file on each switch Finally Ridgeline updates its own database with information about the configuration changes on the switches Modifying a VLAN For existing VLANs you can edit settings and deploy the changes to the devices where the VLAN is configured To modify a VLAN do the following 1 Under Network Views select the folder containing the devices you want t...

Page 83: ...AN you can edit the list of ports or links in the VLAN as well as the name and network name of the VLAN You can also delete the VLAN from the devices where it is configured Figure 41 Selecting a VLAN to Modify 4 If you select Properties from the pop up menu the Properties window for the VLAN is displayed which provides a list of settings you can modify ...

Page 84: ...bring up the provisioning window for that setting For example Figure 43 shows the provisioning window for a VLAN port list Figure 43 Provisioning Window for a VLAN Port List 6 Make any necessary changes to the VLAN configuration 7 When you have finished modifying the VLAN click the Save changes button to validate and deploy the changes to the VLAN ...

Page 85: ...ring the provisioning process in the following ways If Ridgeline is not able to establish connectivity to one of the target switches then it does not proceed with the provisioning tasks on any of them If commands that were validated by Ridgeline turn out not to be valid when actually deployed on the switch such as if the switch responds to a command with an error message then Ridgeline rolls back ...

Page 86: ... You can view this information in the Ridgeline Audit Log To display the Audit Log click on Audit Log under the Network Administration folder The Audit Log view is displayed as shown in Figure 45 Click the Provisioning tab to view a table of the provisioning tasks that have been run on the Ridgeline server In the Filters box you can limit the display to the provisioning tasks that were run over a ...

Page 87: ...can double click a row in the table to display the progress and results details in a separate window Figure 46 Audit Log Details Window for a Provisioning Task See the Ridgeline Reference Guide for more information about the features of the Audit Log ...

Page 88: ...Provisioning Network Resources ...

Page 89: ...AN transport methods Ridgeline adds the UNI ports to the transport VLAN VMAN on the devices where it is configured For Ethernet services using a PBB BVLAN as the transport method Ridgeline creates the SVLANs or CVLANs maps an ISID to an SVLAN adds the UNI ports to the SVLAN then adds the ISID to the BVLAN Bandwidth profiles if specified in the Ethernet service configuration are applied to the UNI ...

Page 90: ... An E LAN service can have two or more UNI ports connected to CE devices E LAN services can be created to support Ethernet Private LAN EP LAN and Ethernet Virtual Private LAN EVP LAN services Figure 48 E LAN Service ...

Page 91: ...s You can apply bandwidth profiles to all UNI ports in the service or to selected UNI ports Configuring Ethernet Services Using Ridgeline you can perform the following Ethernet service configuration tasks Create an Ethernet service Modify settings for Ethernet services Create and assign customer names to services Create and apply bandwidth profiles For more information on Ridgeline s network resou...

Page 92: ...ing a customer to this list 5 Select the transport type to be used with this service 802 1Q VLAN 802 1ad PB VMAN or 802 1ah PBB 6 Select the UNI ports for this service An E Line service must consist of 2 UNI ports An E LAN service can have 2 or more UNI ports Devices that do not support Ethernet services are greyed out in the service provisioning window You can expand the list of items in the Avai...

Page 93: ...Figure 50 Traffic Mapping Options for an Ethernet service VLAN or VMAN Transport Type ...

Page 94: ... Creating a Bandwidth Profile on page 96 for information on setting up bandwidth profiles If the transport method is a BVLAN bandwidth profile selection is on the following screen 10 Indicate whether to enable the service after it has been provisioned on the target devices 11 By default Ridgeline validates the settings you selected for the Ethernet service then gives you the option to deploy the s...

Page 95: ...Figure 52 Validation Window for an Ethernet Service 13 If the validation is successful click Create Ethernet Service to deploy the service to the target devices Otherwise click Back to go back to the previous screen and modify the settings ...

Page 96: ...Provisioning window is logged in the Ridgeline Audit Log See Viewing Logged Information about Provisioning Tasks on page 84 for more information Modifying an Ethernet Service For existing E Line and E LAN services you can edit settings and deploy the changes to the devices where the service is configured To modify an Ethernet service do the following 1 Under Network Views select the Services view ...

Page 97: ...nd deploy the changes Creating a Customer Profile When configuring an Ethernet service in Ridgeline you can associate the service with a specific customer profile The name of the customer associated with an Ethernet service appears in Network Views tables and in the Services view To create a customer profile and associate it with an Ethernet service do the following 1 Open the Customer Profile con...

Page 98: ...pecifies how the traffic should be forwarded based on those thresholds A bandwidth profile can specify per port thresholds for Committed Information Rate CIR Committed Burst Size CBS Excess Information Rate EIR and Excess Burst Size EBS as well as single dual rate profile settings You can apply bandwidth profiles to all UNI ports in an Ethernet service or to selected UNI ports To create a bandwidt...

Page 99: ... delivers the service traffic and is committed to meeting the performance objectives defined by the CoS Service Attribute You can specify the CIR in Kbps Mbps or Gbps Committed Burst Size CBS The maximum allowed size for a burst of service traffic sent at the UNI speed to remain CIR conformant You can specify the CBS in Kb Mb or Gb Excess Information Rate EIR The average rate of service traffic up...

Page 100: ... Services view under Network Views Using the All Table and All Map View To view information about the E Line and E LAN services known to Ridgeline click a device group or the All map or All table group under the Network Views folder then click the Services tab A table listing the E Line and E LAN services in the group is displayed as shown in Figure 60 Figure 60 Services Table in Network Views If ...

Page 101: ...w See Displaying Ethernet Service Details on page 100 for information on what this panel contains Using the Services View The Services view displays information about the E Line and E LAN services known to Ridgeline From the Services view you can show information about a selected service and its transport method view an overlay map highlighting the devices where the selected item is configured and...

Page 102: ...ails To display details about an E Line or E LAN service click on a row in the Services table Information about the selected Ethernet service appears in the details window If you double click on the row the Ethernet service details are displayed in a separate window as shown in Figure 63 Services Table Map Panel Details Panel ...

Page 103: ...Figure 63 E Line Service Details Window ...

Page 104: ...Managing Ethernet Services ...

Page 105: ...On the menu bar go to Services Import E Line The E Line wizard opens and asks What is the name and transport type of your service See Figure 64 Or select a VLAN VMAN or BVLAN on the list and right click on your choice A menu opens Select Import E line When the E line Wizard Information Input Screen launches the transport type is shown according to your choice for example if you choose a VLAN it is...

Page 106: ...ormation Input Screen 2 Enter a name for the new E Line or E LAN service See Figure 64 3 Enter a description for the service This is optional 4 Select the customer who is using the service Refer to Creating a Customer Profile on page 118 for information about adding a customer to this list ...

Page 107: ...ed in the service See Figure 66 A list of VLANs available in Ridgeline shows in the 802 1Q VLAN drop down list in the Traffic mapping section of the dialog box 7 Choose the appropriate VLAN 8 Choose the UNI ports for this service select a device from the Available devices list and select ports from the Available ports list Then move them to the Selected list on the right An E Line service must cons...

Page 108: ...ffic mapping section of the dialog box When you choose the BVLAN Ridgeline lists all the ISIDs associated with the BVLAN When you choose ISID all the CVLANs or SVLANs associated with the ISIDs show in the Available VLANs list in the Traffic mapping section of the dialog box See Figure 68 11 Choose the CVLAN SVLAN from the available VLANs list 12 Choose the UNI ports for this service from the Avail...

Page 109: ...ot selected Ridgeline validates the settings you select for the Ethernet service then gives you the option to import the service to the database The check box is selected for If validation has no errors continue automatically to creating the new service If you want to import the service immediately after successful validation without a separate import step NOTE Bandwidth profiles associated with U...

Page 110: ... 69 15 After Ridgeline successfully validates the selected options it imports the service into its database To view the newly created services Refer to Viewing Ethernet Services Information on page 98 Figure 69 Successful Validation Results Dialog Box 16 Click Import E Line Service or ELAN Service if no validation errors occurred The validation process repeats The final results dialog opens See Fi...

Page 111: ...Figure 70 Successful Results Dialog After Clicking Import E Line or ELAN Service 17 Click Close The Services list shows the new entry and the map shows the newly imported service See Figure 71 ...

Page 112: ...utomatically to creating the new E Line service If the validation is successful you save a step in this procedure The dialog box opens showing the results 19 With a successful validation click Close Ridgeline shows the Services list with the newly imported service and the map showing the service See Figure 71 20 If the validation fails the errors are listed See Figure 72 Based on the validation er...

Page 113: ...Figure 72 Importing E Line Service Dialog with Validation Errors ...

Page 114: ...Importing Services ...

Page 115: ...viders ISPs to use Ethernet to create a separate backbone over which the subscriber s frames are transported In a PBB network data from multiple subscriber networks travels over a common ISP backbone with traffic from the individual subscriber networks completely separate from each other Figure 73 shows a PBB network which spans a set of ISP switches that serve as Provider Backbone Bridges PBBs Fi...

Page 116: ...n SVLAN then associate the SVLAN with the ISID then bind the ISID to the BVLAN A given BVLAN can have one or more ISIDs bound to it an ISID can be bound to only one BVLAN A given SVLAN can be associated with multiple ISID BVLAN combinations On a given device an SVLAN or CVLAN can be associated with one ISID Typically each SVLAN supports VMANs for a different service provider or service instance wi...

Page 117: ...ices table by selecting a group from the Show devices in box If you have selected one or more links to add to the BVLAN the links appear in the Selected links table A link represents the two ports on the devices on either side of the link Note that user defined links to nodes or clouds are not displayed in the table of available links 2 Click one of the devices to view the Available ports table fo...

Page 118: ...dgeline updates its own database with information about the configuration changes on the switches The information in the Progress and Results window is logged in the Ridgeline Audit Log See Viewing Logged Information about Provisioning Tasks on page 84 for more information Modifying a BVLAN For existing BVLANs you can edit settings and deploy the changes to the devices where the BVLAN is configure...

Page 119: ... BVLAN you can edit the list of ports or links in the BVLAN as well as the name and network name of the BVLAN although not the tag value You can also delete the BVLAN from the devices where it is configured Figure 76 BVLAN Properties Window 4 Click the setting you want to modify to bring up the provisioning window for that setting For example Figure 77 shows the provisioning window for a BVLAN por...

Page 120: ...ished modifying the BVLAN click the Save changes button to validate and deploy the changes to the BVLAN Viewing PBB Information To view information about PBB networks known to Ridgeline click a device group or the All map or All table group under the Network Views folder then click the PBB tab A table listing the ISIDs BVLANs CVLANs and SVLANs in the group is displayed as shown in Figure 78 ...

Page 121: ...e in Network Views If you also have enabled the map view of a device group you can select a row in the table and display an overlay view highlighting all of the devices and links in the map where the selected BVLAN CVLAN or SVLAN is configured as shown in Figure 78 ...

Page 122: ...w PBB information from an Extreme Networks switch enable HTTP on the switch Displaying PBB Details To display details about a BVLAN CVLAN SVLAN or ISID click on a row in the PBB table Information about the selected item appears in the details window If you double click on the row the details are displayed in a separate window ...

Page 123: ...BVLAN CVLAN and SVLAN Details For BVLANs CVLANs and SVLANs the following window is displayed Figure 80 PBB VLAN Details Window ...

Page 124: ...Managing PBB Networks ISID Details For ISIDs the following window is displayed Figure 81 ISID Details Window ...

Page 125: ... PW tunnels are logical connections between two LERs over an LSP Layer 2 VPN domains are created by adding PWs to each peer LSR to build a fully meshed interconnected VPLS domain as shown in Figure 82 Figure 82 Fully meshed VPLS domain In a fully meshed VPLS domain pseudo wires must be established between all VPLS peers across the core For each peer added to a VPLS domain a PW is signaled that is ...

Page 126: ...he type core In an H VPLS domain PWs at the fully meshed core of the network are of the type core and PWs that connect peers at the edge of the network are of the type spoke The forwarding rules for spoke and core pseudo wires are different Flood traffic received on a core pseudo wire from another full mesh core PE must not be transmitted over other core pseudo wires to other PEs However flood tra...

Page 127: ...vice in the network In Ridgeline maps you can display overlay views of LSPs pseudo wires and VPLS domains Using Ridgeline scripts you can configure VPLS domains and add peer devices to them Ridgeline provides detailed information about the status of the VPLS domain its component services peer devices and pseudo wires You can show the outer transport path of a pseudo wire in a VPLS domain as well a...

Page 128: ...twork Views From the All map view or if you also have enabled the map view of the device group you can select a VPLS domain and display an overlay view highlighting all of the devices and links in the map where the selected VPLS domain is configured as shown in Figure 84 Figure 85 VPLS domain in a Map View ...

Page 129: ...geline highlights the LSP in use The links and the end nodes of the LSP are highlighted in the map view Displaying VPLS Details To display details about a VPLS domain click on the VPLS domain s row in the VPLS table Information about the VPLS domain appears in the details window If you double click on the row the VPLS details are displayed in a separate window as shown in Figure 86 Figure 86 VPLS ...

Page 130: ...e performed using Ridgeline s scripting feature Running VPLS Configuration Scripts Using Ridgeline scripts you can perform the following tasks Create a VPLS domain Associate peers with a VPLS domain To run a Ridgeline script click Scripts under the Network Administration folder to view the list of available scripts then select the script you want to run from the list Figure 88 shows the parameter...

Page 131: ...Figure 88 Configuration Screen for the Create VPLS Script For information on how to use Ridgeline scripts see Creating and Running Ridgeline Scripts on page 229 ...

Page 132: ...Managing and Monitoring VPLS Domains ...

Page 133: ...AN being configured and support scalable multi device VLAN configuration which speeds the process of implementing VLAN changes across multiple devices Note that Ridgeline creates and manages VLANs for Extreme Networks devices only It does not handle other third party devices even though third party devices can be managed through Ridgeline Extreme Networks devices can support a maximum of 4095 VLAN...

Page 134: ...ul if you have a large number of VLANs to manage Provisioning VLANs Ridgeline s network resource provisioning feature allows you to create new VLANs simply by selecting the devices ports links and tagging options you want then validate and deploy the VLAN configuration by clicking a button You can modify existing VLANs by selecting the VLAN in Network Views windows changing parameters and deployin...

Page 135: ...Figure 89 Selecting Devices to Provision 3 From the Services menu select New VLAN or right click in the Navigation Table and select VLAN from the pop up menu The VLAN Provisioning window is displayed as shown in Figure 90 ...

Page 136: ...onfiguring it is greyed out in the Available devices table You can expand the list of items in the Available devices table by selecting a group from the Show devices in box If you have selected one or more links to add to the VLAN the links appear in the Selected links table A link represents the two ports on the devices on either side of the link Note that user defined links to nodes or clouds ar...

Page 137: ...nd ensures that the target switches are running a version of software that supports the features you are provisioning If Ridgeline successfully validates the selected options it verifies network connectivity to the target switches If a connection can be established to all of the target switches Ridgeline deploys the configuration commands then saves the configuration file on each switch Finally Ri...

Page 138: ... VLAN tab and select the VLAN you want to modify 3 Right click in the Navigation Table and select the setting you want to modify from the pop up menu For a VLAN you can edit the list of ports or links in the VLAN as well as the name and network name of the VLAN although not the tag value You can also delete the VLAN from the devices where it is configured Figure 93 Selecting a VLAN to Modify 4 If ...

Page 139: ...igure 95 shows the provisioning window for a VLAN port list Figure 95 Provisioning Window for a VLAN Port List 6 Make any necessary changes to the VLAN configuration 7 When you have finished modifying the VLAN click the Save changes button to validate and deploy the changes to the VLAN When a port is added to a VLAN the port is removed from the default VLAN and added to the new VLAN ...

Page 140: ...igure protocol settings for a VLAN Delete a VLAN and related configuration settings Assign a VLAN to an EAPS domain To run a Ridgeline script go to the Services menu and select a script from the VLAN menu Figure 96 shows the parameter configuration screen for the Create VLAN script Figure 96 Configuration Screen for the Create VLAN Script For information on how to use Ridgeline scripts see Creati...

Page 141: ... and links in the map where the selected VLAN is configured as shown in Figure 97 Figure 97 VLANs in a Map View You can filter the contents of the table by expanding the Filter box and entering text and search criteria or by expanding the Quick Filter box and selecting an available quick filter The status of the VLAN is indicated with an icon in the table You can enable the Show Full Path checkbox...

Page 142: ...ure 98 VLAN Details Window Viewing VLAN Services Information Ridgeline shows additional details based on the type of services configured on a VLAN If the VLAN service type column in the VLAN details window indicates that a service is configured for the VLAN additional information is displayed in the window next to the Ports tab Ridgeline provides information about the following kinds of VLANs Tran...

Page 143: ...n you do this information about the VMAN appears in the details window If you double click on the row the VMAN details are displayed in a separate window Categorizing VLANs With Network Names A network name is a means for categorizing VLANs into logical groups which can aid in filtering the information displayed in the VLAN table This can be useful if you have a large number of VLANs to manage For...

Page 144: ...ce 3 In the table select the VLANs that you want to assign to the network name Use Ctrl click or Shift click if you want to select multiple entries in the table 4 From the Tools menu select VLAN network name The Modify Network Name window is displayed as shown in Figure 99 5 Click the radio button next to the network name to which you want to assign the VLANs and click Save Filtering the VLANs Tab...

Page 145: ...Figure 100 Filtering the VLAN Table Using the Network Name Quick Filter ...

Page 146: ...Managing VLANs ...

Page 147: ...d When a VM is moved from one switch to another the port configuration from the switch is copied to the other switch The port configuration remains the same The configured VM continues to function as it had on the initial switch without interrupting any switch or network functions The network does not detect the move VM Port Configuration An important part of the XNV feature is the ability to conf...

Page 148: ...cept packet is received with one or two specified NVPP files the policies are applied on VM enabled port When an Access Accept packet is received and no NVPP file is specified the port is authenticated and no policy is applied to the port When an Access Reject packet is received the port is unauthenticated and no policy is applied When an Access Reject packet indicates that the Ridgeline server ti...

Page 149: ...ver the VM inventory and make configuration changes Ridgeline manages VM network connectivity and provides an interface to VMMs that perform most VM network configuration tasks Example XNV Configuration Figure is a diagram that shows an XNV topology It illustrates the following A VM moves from the server connected to address 11 1 1 1 21 to the server connected to 11 1 1 2 21 The switches automatically ...

Page 150: ...uthentication on the same port When VM tracking is configured on a port all existing learned MAC addresses are flushed MAC addresses will be relearned by the switch and the appropriate VPP if any for each VM will be applied If a VM changes MAC addresses while moving between ports on a switch the VM remains authenticated on the original port until the original MAC address ages out of the FDB ...

Page 151: ...ly updates and supports the following operations Importing virtual machines from a selected VM Deleting selected VMMs Editing selected VMMs Updating VMMs Use this to manually update Ridgeline with the current status of the discovered VMMs These options are available under the File and Edit menus The contents in All table view automatically refresh when you leave it open NOTE When using VMware o...

Page 152: ...Ridgeline automatically tracks its movement and configuration information Before you use the Import Wizard you need the following information IP address of the VM Manager Type of VM manager User name Password In addition depending on the switch vendor you will need the following For VMware You need to specify the parameters for the VMM For Citrix You need to specify the parameters for each resourc...

Page 153: ... or resource pools and shows the information in the next dialog box See Figure 104 Figure 104 Discovered VMs 3 Click Import VMs 4 If Ridgeline cannot discover any VMMs the dialog box indicates it was unable to find any VMs You can click Back to return to the initial page where you entered the parameters or click Cancel to exit the wizard Editing VM Manager Settings You can change the following...

Page 154: ...es with VM manager Imports a new VM that has been discovered Updates existing VM information for updated VMM settings Updates the Ridgeline database with the latest VM information Deleting a VM Manager To delete a VM manager 1 Go to Virtualization tab VM Managers tab VMM Table and right click on the selected VMM 2 When the menu opens click Delete You are asked Do you want to delete the virtual mach...

Page 155: ...evices See Figure 107 It shows the switch names and their IP addresses If you select Device groups a window opens showing ports device names and IP addresses See Figure 108 The following conditions show disabled devices when You deselect a previously selected device VM Tracking is disabled The device is grayed out it does not support VM Monitoring The device has Identity Management enabled All the...

Page 156: ...Figure 107 Select Devices to Monitor Figure 108 Select Device Group to Monitor 3 Click Next The Select the ports window shown in Figure 109 opens ...

Page 157: ... the Available Ports column in the dialog box A port is grayed out if it is an up link port or if it has Netlogin enabled Figure 109 Select Ports 5 Click Next The Configuring devices for virtual machines monitoring dialog box shown in Figure 110 opens to show the progress of the operation ...

Page 158: ...alization tab Device Ports tab See Figure 111 Figure 111 Tracking On a Device Editing List of Devices and Ports A wizard lets you edit the list of devices and ports on the VM Monitoring Table To use the wizard do the following 1 On the menu bar open Edit and choose Edit List of VM Devices The Edit List of Devices dialog box opens See Figure 112 ...

Page 159: ...ayed out it means that the device does not support VM monitoring or the device has Identity Management enabled If all the devices in a group apply one of these categories the group is disabled Figure 113 Choose Devices 4 Click the switches or ports you want to change 5 To disable a device clear the check box 6 To enable a device select the check box 7 Click Next The Select the ports window opens S...

Page 160: ...umber assigned to the device by Ridgeline The window on the right shows the port number Port descriptions and numbers are grayed out if an up link port will be disabled or if a Netlogin port is enabled 9 The progress of the configuration is shown in the Configuring Devices for virtual machine monitoring window See Figure 115 Figure 115 Configuring Devices for Virtual Machine Monitoring ...

Page 161: ...allow you to add a source MAC in the ingress policy EXOS dynamically inserts the Destination MAC in the egress policy It does not allow you to add a Destination MAC in an egress policy Creating a Virtual Port Profile To associate a VM with a policy you first need to create a VPP To create a VPP do the following Table 4 XNV Policy with Wide key Mode Default XNV Policy Ingress Source IP Source MAC D...

Page 162: ...t then go to File New Virtual port profile The New Virtual Port Profile dialog box opens See Figure 117 Figure 116 Create a New VPP Menu 2 Enter the name of the new VPP 3 Choose ingress or egress policy both ingress and egress or none 4 Choose a policy from the Policies list Figure 117 New Virtual Port Profile Dialog Box ...

Page 163: ...PPs and VMs You can achieve attachment results by creating and performing Figure 119 any of the following Create a policy and attach it to a VPP Create a VPP and attach it to a Policy Create a VPP and attach it to a VM Create a VM and attach it to a VPP Figure 119 Attaching Policies VPPs and VMs ...

Page 164: ... to File Edit Attach or right click on the VPP in the list to which you want to attach a policy The menu opens See Figure 120 Figure 120 Menus to Attach a VPP to a VM 2 Choose Attach Virtual port profiles to VMs from the menu bar or Attach to VMs when you right click on the Virtual port profile list The Attach Virtual Port Profile to VMs dialog box opens ...

Page 165: ... Box 3 Choose a VM from the Available Virtual machines list then add it to the Selected virtual machines list 4 Click Attach If the VPP is already attached to another VM the results show in the dialog box See Figure 122 Click Close to close the dialog box and return to the Virtual port profile list ...

Page 166: ...Figure 122 Attach Virtual Port Profile to VMs Results 5 The Virtual port profile list that shows the VPP attached See Figure 123 Figure 123 Attached VPP to VM ...

Page 167: ...o a VPP do the following 1 On the menu bar go to File Attach Policies to virtual port profiles You can also access the menu by right clicking on the profile The virtual port profile dialog box opens It shows the policy name See Figure 125 Figure 124 Attach Policies to Virtual Port Profiles Menu ...

Page 168: ... 125 Attach a Policy to a VPP 2 Choose a policy from the list and click Attach If the policy is already attached to a VPP click Save changes The dialog box opens and shows the results of the operation See Figure 126 Figure 126 Results for Attaching an Existing Policy to a VPP ...

Page 169: ...rom a VPP The menu opens Figure 127 Detach a VPP Detaching a VPP from a VM To detach a VPP from a VM do the following 1 Select a VPP on the list 2 On the menu bar go to File Edit Detach or right click on the VPP in the list from which you want to detach a VM The menu opens See Figure 127 3 Select Detach Virtual port profiles from VMs The Detach Virtual Port Profiles from Virtual Machines dialog bo...

Page 170: ...Detach The dialog box opens and shows the successful results of the operation 7 Click Close to return to the list of VPPs Detaching a VPP from a Policy To detach a VPP from a Policy do the following 1 Select a VPP on the list 2 On the menu bar go to File Edit Detach or right click on the VPP in the list from which you want to detach a Policy The menu opens See Figure 129 3 Select Detach Policies f...

Page 171: ...e devices they access All associated policies are listed This section describes the various views you can use to see a VM and the associated policies and devices All Table and All Map Views In All table and All map views the VMs Tab lists all VMs that are part of the discovered VMMs and Resource Pools These do not need to be accessing a device This is the only view in which you can see all the VMs...

Page 172: ... VM One of the following values poweredOn poweredOff Unknown Host IP Address IP Address of the Physical Host to which the VM belongs Host Name Physical Host Name Host DNS Physical host DNS name Device IP Address IP Address of the device that the VM is connecting to Port Port number of the device Policy Current policy attached to the VM ...

Page 173: ... See Figure 131 Figure 131 All Map View Device Group Subgroup Views On the VM tab Device Group Sub Group Table and Map View only the VMs that access the device and are part of the selected group are shown See Figure 132 Figure 133 shows the selected device group circled and its access dotted lines to subgroups Figure 132 Device Group Sub Group Table View Switch Server ...

Page 174: ... right side of the Ridgeline window See Figure 133 It includes VM properties view NIC tab History tab VM Properties view VM name Power status Ingress or Egress policy name Policy results VMM details Vendor VMM name Host IP address VMM IP address Data center Current host Host IP address Host name Host connection status Host vendor name ...

Page 175: ...name History Tab VM Movement History The History tab Figure 134 shows VM movement history of all discovered VMs across devices and hosts The information includes Device IP Address Device IP where the VM was present Port Port on the device Host IP Address IP Address of the current physical host Host Name Name of the current physical host machine Date Appeared Time when the VM first appeared on the de...

Page 176: ...e Details window on the right shows the VM tab and contains the same information as the VM details view See VM Details View on page 172 The VM table shows the following information Egress Policy result State Port Port on device Host IP address IP address of the current physical host Host name Name of the current physical host machine Host DNS name Physical host DNS name Policy Current policy attac...

Page 177: ...port profile has been modified for example an update of an ingress or egress policy 2 A policy has been attached to a VPP 3 A policy has been detached from a VPP 4 To enable VM Tracking 5 To disable VM Tracking ports 6 To update VM Tracking ports The VM Monitoring Audit Log table view lists the following attributes Action Time Time when the VM policy was attached or detached Action Name of the act...

Page 178: ...d in the Table view Audit Log and includes the following For more information about the Audit Log refer to Chapter 20 Using the Ridgeline Audit Log Figure 136 VM Monitoring Audit Log Virtual Machine Name of the virtual machine Virtual Port Profile Name of the virtual port profile Ingress Policy Name of the ingress policy Egress Policy Name of the egress policy Overall Status Successful or unsucces...

Page 179: ... the status of your EAPS configurations EAPS domains and to verify the configuration of your EAPS enabled devices With its multiple status displays and the ability to focus on individual EAPS domains it can also help you debug EAPS problems on your network NOTE Your devices must be running ExtremeWare 7 7 or later or ExtremeXOS 11 3 or later in order to be recognized by Ridgeline as EAPS nodes Ext...

Page 180: ...lues for the EAPS Hello timer and Fail timer if you want to use values other than the default 8 When you have finished configuring the EAPS domain click the Create EAPS domain button to start the validation and deployment process The Progress and Results window is displayed 9 Ridgeline validates the options you selected against a set of predefined configuration rules and ensures that the target sw...

Page 181: ...EAPS domain you can edit the device used as the master node and the ports used as primary and secondary ports as well as the settings for the Hello and Fail timers 4 If you select Properties from the pop up menu the Properties window for the EAPS domain is displayed which provides a list of settings you can modify Figure 138 EAPS Domain Properties Window 5 Click the setting you want to modify to b...

Page 182: ...in the Controller Node box is based on the selected link The other device in the link is automatically selected as the Partner Node 4 In the Primary port box select a port The available ports are based on the device selected to be the master node The other port in the link is automatically selected as the secondary port 5 Enter values for the EAPS timeout values and Expiry action if you want to use...

Page 183: ...he Network Views folder then click the EAPS tab A table listing the EAPS domains in the group is displayed From the All map or if you also have enabled the map view of a device group you can select an EAPS domain and display an overlay view highlighting all of the devices and links in the map where the selected EAPS domain is configured as shown in Figure 141 Figure 141 EAPS Domain in a Map View T...

Page 184: ...bled devices that share the same Control VLAN as identified by the VLAN tag are determined to be members of the same domain Thus if two independent EAPS domains in your network use the same Control VLAN tag Ridgeline will consider them to be a single EAPS domain EAPS Node Icons EAPS status is shown on the map through icons displayed for each device node Figure 142 shows the kinds of icons that can...

Page 185: ...ed ring indicates that the domain is not operational if the device has a master in a Failed state or a Transit node in a links down state Figure 143 shows two examples of nodes that are members of EAPS domains Node 1 status shows that the device is reachable that it functions as a Master node whose status is Complete in the domain of which it is a member and the domain of which it is a member is o...

Page 186: ...ck on the domain s row in the EAPS table Information about the EAPS domain appears in the details window If you double click on the row the EAPS domain details are displayed in a separate window as shown in Figure 144 Figure 144 EAPS Domain Details Window Displaying EAPS Details for a Selected Device To display details about the EAPS domains on a specific device click on the device s row in the De...

Page 187: ...ted any reported errors you should run the verification again to ensure that the configuration is correct Click the Refresh button to re run the verification process Click Save results to save the verification results to a file The following table lists the error types that may be reported by the EAPS verification process Table 5 EAPS Verification Error Types No Master Node Inconsistent EAPS Node ...

Page 188: ...PS Summary Report provides a brief overview of the status of the EAPS domains known to Ridgeline To run the EAPS Summary Report select EAPS summary report from the Protocol menu The report shows The total number of EAPS domains known to Ridgeline The number of Domains currently in an error state The number of domain failures that have occurred in the last 24 hours Figure 146 The EAPS Summary Repor...

Page 189: ...urther based on the following The IP address must be exact wildcards are not supported The type of event trap or syslog entries you can enter any keywords that may appear under the Type column as part of the description of the trap or syslog entry Specific varbinds enter a keyword that matches the varbind you want to find such as extremeEapsLastStatusChange Events that occurred within a certain ti...

Page 191: ...ost important aspects of any enterprise class network Security provides authentication and authorization for both access to the network and management access to the network devices Network administrators must protect their networks from unauthorized external access as well as from internal access to sensitive company information Extreme Networks products incorporate multiple security features such...

Page 192: ... a RADIUS client or for demonstration purposes Ridgeline can function as a RADIUS server Enabling Ridgeline as a RADIUS client lets Ridgeline use an external RADIUS server to authenticate users attempting to login to the Ridgeline server At a minimum the RADIUS server s Service type attribute must be configured to specify the type of user to be authenticated A more useful implementation is to conf...

Page 193: ...w to configure a remote access policy so that the RADIUS server will pass role information to Ridgeline If you have created custom roles for Ridgeline users you must use a VSA to handle that role information If you are just using the predefined built in roles in Ridgeline you can use either a Service Type setting or a VSA Examples of both are provided here See Appendix D Configuring RADIUS for Rid...

Page 194: ...henticated using this method To allow the authentication of multiple types of Ridgeline users follow the instructions in the previous section Example Setting up a VSA to Return Ridgeline Role Information or see the detailed example in Appendix D Configuring RADIUS for Ridgeline Authentication Securing Management Traffic Management traffic between a management application like Ridgeline and the man...

Page 195: ...ou can do so with minimal effort Using SSHv2 to Access Network Devices Extreme Networks products support the secure shell 2 SSHv2 protocol to encrypt traffic between the switch management port and the network management application Ridgeline This protects sensitive data from being intercepted or altered by unauthorized access You configure SSHv2 for Ridgeline in Ridgeline Administration using the ...

Page 196: ...lect multiple devices to configure at the same time Figure 149 Configuring devices to Use SSH for communication c Check the SSH box and select SSH Enabled from the drop down menu d Click Modify to have this setting take effect NOTE If the SSH enabler module is not installed you cannot configure SSH on any devices the SSH setting will be disabled Ridgeline will now use SSH instead of regular Telnet...

Page 197: ...figuration Changes Fundamental to securing your network is verifying that no configuration changes have occurred that may have a detrimental effect on network security Something as simple as changing passwords can introduce a weakness in your security design for the network The Ridgeline Configuration Manager provides several features you can use to monitor the integrity of your device configurati...

Page 198: ...base search has the advantage of automatically ignoring trunk ports Ridgeline also provides a full network search to search the forwarding database FDB and IP ARP cache on selected switches A network search has the advantage of searching the most up to date source of data However the network search is slower because it must contact each switch directly It also does not always report the correct IP...

Page 199: ...l DoS attack A SYN flood occurs when a malicious entity sends a flood of TCP SYN packets to a host For each of these SYN requests the host reserves system resources for the potential TCP connection If many of these SYN packets are received the victim host runs out of resources effectively denying service to any legitimate TCP connection Using the Alarm Manager you can detect a potential SYN flood ...

Page 200: ...side on the Finance VLAN This isolates marketing and finance traffic and resources preventing any unauthorized access to financial information from any other group VLANs work by assigning a unique VLAN ID to each VLAN and then assigning hosts to the appropriate VLAN All traffic from that host is tagged with the VLAN ID and directed through the network based on that VLAN ID In the marketing and fin...

Page 201: ... Chapter 10 Managing VLANs on page 131 for more information about how Ridgeline can help you manage the VLANs on your network ...

Page 203: ...ing domain The routing protocol application can also modify the attributes of the routing information based on the policy statements Policies are also used by the access control list ACL application to perform packet filtering and forwarding decisions on packets The ACL application programs these policies into the packet filtering hardware on the switch Packets can be dropped forwarded moved to a ...

Page 204: ... Devices To view a policy for a device do the following 1 On the Folder List go to Network Views All table then click the VM tab 2 Select a device 3 Scroll to the right You see the Host IP address Host name and Ingress and Egress policies Figure 152 All Table View VMs Tab Showing Policies for Device ...

Page 205: ...es tab opens 2 On the menu bar go to File New Policy See Figure 153 The New Policy dialog opens Figure 153 Create New Policy on Menu 3 Enter the name of the device on which you want to create a policy the policy type the policy direction Ingress or Egress Click New See Figure 154 You can choose one of the following policy types XNV Virtual Port Profile Identity Management Role ...

Page 206: ...ew The New Policy Rule dialog opens and asks What is the name description and match condition for your new rule See Figure 155 It describes the criteria for the entries You can specify multiple single or zero match conditions If no match condition is specified all packets match the new entry ...

Page 207: ...ons list on the right NOTE All the conditions must be matched That is an implicit AND is included between all the match conditions The IP protocol field at the bottom of the dialog describes the choices in the Selected match conditions The following describes the conditions shown in the lists The blue icons before each condition indicate the OSI layer on which these reside Conditions that are not ...

Page 208: ...olicy Rule Dialog Inputs for Match Conditions 9 Enter and then select the match conditions information needed for the conditions you chose on the previous dialog 10 Click Next The dialog opens and asks What is the action and action modifiers for your rule See Figure 157 ...

Page 209: ... select Also include these action modifiers then click Create Rule The next dialog asks What are the inputs for action modifiers for your rule See Figure 158 13 Select from the Available action modifiers list and move them to the Selected action modifiers list 14 Click Create rule The next dialog opens and asks What are the inputs for action modifiers for your rule 15 Enter the information shown i...

Page 210: ... Figure 158 New Policy Rule Inputs for Action Modifiers 17 Click Create Rule The New Policy dialog opens showing the newly created rule on the Rules list See Figure 157 18 Click Create Policy ...

Page 211: ...o Create a New Policy To copy an existing policy to create a new policy do the following 1 Click Network Administration Policies in the Folder List The Policies tab opens 2 Select a policy on the list 3 Go to File on the menu bar and choose Save as The Save Policy As dialog opens See Figure 160 ...

Page 212: ...installation a Select the file type pol The format used by EXOS Ridgeline nms policy The format used by Ridgeline b Enter the directory path where you want to save the policy file 6 Enter the policy name you want 7 Click Save Editing a Policy To edit a policy do the following 1 On the Folder list go to Network Administration Policies The Policies tab opens 2 Double click on the policy information ...

Page 213: ... policy Start at step 5 on page 204 6 When you finish making changes and the Edit Policy dialog opens click Save changes Deleting a Policy To delete a policy do the following 1 Select the policy you want to delete from the list of policies 2 On the menu bar go to File Delete Or right click on the policy you select and choose Delete The policy is removed from the policy list NOTE If you cannot d...

Page 214: ...ofiles Or right click on the policy you select and choose Attach policy to virtual port profile from the menu The Attach Policy to Virtual Port Profiles dialog box opens To attach a policy to a role on the menu bar go to Edit Attach Policies to roles The Attach Policies to Roles dialog box opens For more information about attaching a policy to a Virtual machine refer to Chapter 11 Managing Virtual M...

Page 215: ...ze policies do the following 1 Click Network Administration Policies in the Folder List The Policies tab opens 2 On the Policies list right click on the policy you want to categorize See Figure 164 The Categorize Policy dialog opens See Figure 165 Figure 164 Categorize a Policy Figure 165 Categorize Policy Dialog 3 Click New The New Category dialog opens See Figure 166 4 Enter a name for the polic...

Page 216: ...he Policy dialog opens The header shows the name of the policy to which the rule belongs 4 Click Edit A dialog opens and asks What is the name description and match condition for your new rule 5 From the Rule category drop down list choose a category 6 Follow steps 5 through 18 described in Creating a New Policy on page 203 Creating and Managing Roles For information about creating and managing Ro...

Page 217: ...hat can affect the performance of Ridgeline Some of these you can affect with various settings in Ridgeline In other cases you may be able to affect the overall performance of the system by considering how you manage specific devices in your network There are a number of factors that can affect Ridgeline performance The amount of alarm processing the system is attempting to handle This is discusse...

Page 218: ...rtbeat poll that gets basic information about device reachability The poll frequency for this is 5 minutes for all devices regardless of type A device specific Detail poll that polls for more detailed information about the device configuration such as software version BootROM version VLANs configured on the device and so on This poll can take much longer to complete so this type of polling is done...

Page 219: ...previous section You can disable Telnet polling entirely however in the Devices area of Server Properties in the Ridgeline Administration If you disable Telnet Polling MAC address polling is also disabled Performance of the Ridgeline Server Performance of the Ridgeline server itself is affected by the number of devices you are managing as well as the resources of the system on which the Ridgeline ...

Page 220: ...l devices and ports Authentication failure SNMP MIB 2 trap Config Download Failed Ridgeline event indicates failure in a download initiated by Ridgeline Config Upload Failed Ridgeline event indicates failure in an upload initiated by Ridgeline Device reboot Ridgeline event Device Warning from Ridgeline Ridgeline event EAPS State Change Error Ridgeline event EAPS State Change Warning Ridgeline eve...

Page 221: ...m together Using this list you can see both which alarms occur in your network and the volume of alarms generated for each type of event 3 If this list shows a large number of alarm instances for an alarm that you don t care about disabling that alarm could potentially have a beneficial impact on Ridgeline system performance Another possibility is that a specific device is generating a large number ...

Page 222: ...he Source Types you can select are Device Device Group Port and Port Group If you select either Device Group or Port Group the area below labeled Devices in the example will display a list of all the Device Groups or Port Groups defined in Ridgeline When you select one or more of these it puts the group s as a whole into the Selection list at the right If you select Device or Port then the Select ...

Page 223: ...old The alarm log archive is made up of two 6 MB rotating files and includes all alarms associated with traps and Syslog messages The alarm log is stored in a file called alarm_log txt and the archive file is called alarm_log old An archiving check is performed once an hour If you need to store additional historical data beyond the two 30 MB file limit for events and the 6 MB file limit for alarms...

Page 224: ...ion You can specify both scalar and tabular OIDs You must also specify the set of devices by IP address that should be polled for this data and provide some additional properties such as the polling interval The collections xml file must have the following format <?xml version="1.0" encoding="utf-8"?> <collections> <collection name="CollectionName" pollingIntervalInSecs="60" initialState="running" saveData="yes" max...

Page 225: ...roperty specifies running Figure 171 on page 226 shows an example of an actual collections xml file The MIB Poller Summary If a collection xml file has been loaded the MIB Poller Summary shows the names of the collections defined in the xml file along with their status running or stopped Figure 168 shows the summary for a set of three collections Figure 168 The MIB Poller Collection Summary Tabl...

Page 226: ...xml file is placed in the collections directory then you must click the Reload button to load the collection definitions Once you have loaded the collections xml file the collections defined in that file will continue to be maintained either running or stopped until they are replaced by reloading the collections xml file which has been modified to specify a different set of collections or until th...

Page 227: ...al The polling interval in seconds Save Polled Data Whether the polled data is being saved in the database Yes or No Scope The devices on which polling for this data is being conducted Status The status of the collection running or stopped Startup State Whether the poll should be started automatically when it is loaded running or should be left in the stopped state Poll Saving Limit The lower boun...

Page 228: ...ou can export the data from either the MIB Collection Poller Summary report or from the MIB Poller Polling Detail Report From the MIB Poller Summary report you can export the results for an entire collection click the Export link in the row for the collection whose data you want to export This exports the results for all devices in the collection into a single text file and places the text file int...

Page 229: ...ne item per line Click Submit to execute the query The results are returned in XML format in the reports window Figure 173 The results of a MIB Query Reconfiguring Ridgeline Ports In some circumstances the ports used by default within Ridgeline may conflict with ports already in use on your system by other applications The Port Configuration Utility lets you change the default database server port...

Page 230: ...ou should call your Extreme Networks Technical Support representative for help Using the Ridgeline Debugging Tools The Ridgeline debugging tools are available through the Reports modules for users with an administrator role You should not attempt to use any of these tools except under the direction of Extreme Technical Assistance Center personnel This report provides links to the following tools S...

Page 231: ...idgeline scripts to run on specified devices at specified times either on a one time or recurring basis Scripts can be designated as script tasks that can be executed according to a pre set schedule Ridgeline scripts are similar to ExtremeXOS scripts in that they are collections of ExtremeXOS CLI commands and control structures Ridgeline scripts add some additional commands that are specific to Ri...

Page 232: ...n be processed using Tcl functions Bundled Ridgeline Scripts Ridgeline includes a number of sample scripts that you can use as templates for your own Ridgeline scripts These scripts perform such tasks as downloading firmware uploading downloading configuration files and configuring VLANs The sample scripts included with Ridgeline are available to users with an Administrator role The XML source fil...

Page 233: ...4 Ridgeline Scripts View The Scripts table lists all of the scripts configured in Ridgeline To the right of the Scripts table is a view of the selected script You can double click a script to open it in the Script Editor window which is shown in Figure 175 ...

Page 234: ...set values for parameters specify runtime settings and indicate which Ridgeline users can run the script Managing Ridgeline Scripts This section explains how to do the following tasks Create a Ridgeline script Specify run time settings for a script Specify permissions and menu locations within Ridgeline for a script Run a script on one or more managed devices with device specific parameters ...

Page 235: ...he Ridgeline File menu A Script Editor window appears displaying a script with default content Figure 176 Ridgeline Script Editor Window By default a new script created in Ridgeline contains a metadata section where you can enter a script description and define script sections and metadata that appears on the Overview tab See Metadata ...

Page 236: ...nformation For example Figure 177 Specifying a script description A detailed script description can be placed between the metadata tags DetailDescriptionStart and DetailDescriptionEnd This appears on the Description tab You can place variable definition statements in the metadata section so that variables can be defined by entering values in the Overview tab For example ...

Page 237: ...rview tab as script parameters as shown in Figure 179 Figure 179 Overview tab with a variable definition field You can enter ExtremeXOS 12 1 CLI scripting commands and Tcl commands and constructs after the metadata section of the script See Ridgeline Script Reference in the Ridgeline Reference Guide for information about what can appear in a Ridgeline script ...

Page 238: ... to and specify a directory on your local system The script is saved in XML format Figure 180 Save Script As dialog Specifying Run Time Settings for a Script To specify the run time settings for a script click the Run time Settings tab Figure 181 Run time Settings Tab On this tab you can specify the following settings Whether the configuration on the device is saved after the script is run success...

Page 239: ...he Permissions section of the window you can specify the Ridgeline user roles that are able to see and run the script In the Availability in Network View menus section you can create a menu item to run the script Select an option under Show in Menu Bar to list the script in the Ridgeline menu bar either in the Services menu or in the Tools menu under Run Script When you do this the script is visib...

Page 240: ... the shortcut menu for the selected item then the script is listed in the Run Script window as shown in Figure 183 Figure 183 Run Script Window Select the script in the Script view then select Run from the Action menu A window appears prompting you for the Device or Device group where the script should be run Follow the prompts to select the devices After the devices have been selected a window ap...

Page 241: ... Figure 184 Selecting the Order for Executing a Script After the sequence for script execution has been selected you can make device specific changes to the parameters in the script Figure 185 Changing Parameters in a Script ...

Page 242: ...ollowing window appears which allows you to specify the script task options for the script Figure 186 Specifying Script Task Options In this window you can optionally configure the script as a script task which can be run on a scheduled basis Indicate whether you want to run the script now without saving it as a script task or if you want to run the script now saving it as a script task or...

Page 243: ...dow where you can view the runtime information for the script and run it on the specified devices Figure 187 Script Verification Window Click Run Script to execute the script on the selected devices A window appears indicating the progress and results of the script execution ...

Page 244: ...eature provides a way to view information about scripts that have been run on managed devices If you encounter errors during script execution you can use the Audit Log to correct the errors and rerun the scripts See Using the Audit Log to Troubleshoot Ridgeline Scripts on page 246 for more information Importing Scripts into Ridgeline You can import XML formatted scripts into Ridgeline To import a ...

Page 245: ... scripts to categories such as VLAN Scripts Port Scripts and so on Placing scripts into logical groups in this way can aid in filtering the information displayed in the Scripts table This can be useful if you have a large number of scripts to manage The category you create also becomes a menu option in the Tools Run Script menu in Network Views To assign a script to a category do the following 1 E...

Page 246: ...tegory name For example Figure 191 Filtering the Scripts Table by Category Name Specifying a Ridgeline Script as an Alarm Action You can define an alarm to execute a script when the alarm is triggered See Defining Alarm Actions in the Ridgeline Reference Guide for information about how to do this Configuring Script Tasks You can optionally designate Ridgeline scripts as tasks to be executed accor...

Page 247: ...On the Script tab you can specify global or device specific parameters for the script On the Device and order tab you can specify the sequence of devices on which the script is executed On the Run time settings tab you can specify run time comments audit log settings and a timeout value for the script On the Schedule tab you can configure the script to run at specified times either on a one time o...

Page 248: ...leshooting aid to reveal errors when a Ridgeline script is run unsuccessfully Using the Audit Log you can correct the errors and redeploy the script Audit Log View To display the Audit Log click on Audit Log under the Network Administration folder The Audit Log view is displayed as shown in Figure 194 Figure 194 Audit Log View The Audit Log View has separate tabs to display information about the ...

Page 249: ...g table by entering text in the Log Items filter For example if you enter VLAN in the Log Items filter the log table shows only rows that contain the text VLAN Using the drop down search menu you can specify additional filter criteria including column name case sensitivity and wildcard matching Displaying Audit Log Details for a Script To display details about a Ridgeline script click on a row in...

Page 250: ...e Action menu which starts the Run Script wizard for the script About ExtremeXOS Scripts ExtremeXOS script files contain CLI commands and scripting structures that can be executed on Extreme Networks devices Any ExtremeXOS CLI command can be used in an ExtremeXOS script ExtremeXOS scripts are supported on devices running ExtremeXOS 11 4 or later The Ridgeline Configuration Manager provides an int...

Page 251: ...e roles policies and rules in Ridgeline Overview Ridgeline s Identity Management is an authentication system that identifies network users and authorizes them to access devices for specific network services and information Ridgeline provides role based user access control to manage this authentication mechanism The Identity Management feature monitors users that connect to ports on a switch Ridgel...

Page 252: ...thenticated Authenticated identities are those detected through netlogin any of the netlogin methods or through Kerberos snooping When a query is sent to Active Directory it searches user attributes Based on the LDAP attributes the switch receives Ridgeline places these attributes under a configured role If they match those on the server they are classified under the authenticated role Ridgeline c...

Page 253: ...e you can enable tracking on a switch on which Identity Management is enabled Ridgeline supports two policy types Identity Management VM mobility Role Hierarchy You can create roles in a hierarchy to reflect different organizational and functional structures Figure 199 illustrates a role hierarchy EX_idm_0003 Employee Company Extreme Priority 3 Engineer Company Extreme Department Eng Priority 2 Ca...

Page 254: ... policies are inherited not the match criteria from parent roles Figure 200 is a diagram of the role hierarchy Company XYZCORP Company XYZCORP AND Department Sales EX_idm_0002 Company XYZCORP AND Department Sales AND Title contains Manager Company XYZCORP AND Department Sales AND Title contains Engineer Managers Engineers Employees Sales Policy 1 Allow common file shares Policy 2 Allow access to ti...

Page 255: ...types of netlogin users When the software makes the final determination of which default or user configured role applies to the identity the policies and rules configured for that role are applied to the port to which the identity is attached This feature supports up to 8 policies and dynamic ACL rules per role The identity's IP address is used to apply the dynamic ACLs and policies The dynamic AC...

Page 256: ...rther LDAP queries are sent to this LDAP server All LDAP servers should be configured to synchronize the user information available in each of them Enabling Monitoring on Switches and Ports To enable monitoring on devices do the following 1 Go to Ridgeline Administration ID management Network users Click the Network Users devices tab Ridgeline lists the available devices switches and ports See Fig...

Page 257: ...e Devices or a Device group 4 Choose a device or devices on the list Click Select all to include all the available switches or Clear all to deselect all the devices 5 Click Next If you choose Devices the dialog box opens and asks Enable monitoring on which devices See Figure 203 Skip steps 6 and 7 ...

Page 258: ...which device groups The dialog box shows the device groups you can monitor You can expand each device to view the devices in the group See Figure 204 Select the device groups you want to monitor If you want specific devices in a device group expand the device group you want to monitor then select the devices you want to monitor 7 Click Next The dialog opens and asks Enable monitoring on which port...

Page 259: ...205 The Available ports list shows the available ports for the device You must choose a minimum of 1 port on each device 9 Click Add to move the Available ports to the Selected ports list 10 If you have chosen Device groups select a device in Selected devices then choose the ports you want monitored After choosing the ports for the first device choose ports for the additional devices on the list b...

Page 260: ...ns and shows a summary of the ports See Figure 206 You can edit the virtual router VR names in this dialog Figure 206 Enable Monitoring Wizard Results 12 Click Finish This begins the port configuration process When this process completes the dialog box opens and shows the results See Figure 207 ...

Page 261: ...re being monitored on a device do the following 1 Go to Ridgeline Administration ID management Network users 2 On the Network users devices tab select a device 3 Right click on the device the menu opens 4 Choose Edit Ports Or on the menu bar go to Edit Ports of network users devices The Edit Ports of Network Users devices dialog box opens and instructs Add and remove ports on which to monitor netw...

Page 262: ...sful 8 Click Close Disabling Monitoring You can disable monitoring on selected edge switches When you do this all identity related configurations are removed including roles LDAP settings attached roles policies that exist Disabling monitoring on a switch does not remove the settings from the Ridgeline database this allows you to reapply them in the future if needed To disable monitoring on a swit...

Page 263: ...ss Control on New Devices To enable role based access control on new devices do the following 1 On the Folder List go to Ridgeline Administration Network users and click the Role based access control tab Open File on the menu bar and choose Enable role based access control See Figure 212 The Enable access control on new devices wizard launches and opens a dialog box that instructs you to Select th...

Page 264: ...Figure 212 Enabling Role Based Access Control Choice on the File Menu ...

Page 265: ...Figure 213 Choose Devices to Enable Role based Access Control 2 Choose the devices you want 3 Click Next The dialog box opens with the device highlighted and asks Any specific client configuration See Figure 214 ...

Page 266: ...Figure 214 Client Configuration Dialog Box 4 Choose a VLAN from the drop down list in the Directory server client attributes area 5 Click Finish The device shows on the Role based access devices tab See Figure 215 Figure 215 Role based Access Control Devices Tab ...

Page 267: ...x opens which asks Are you sure you want to disable role based access control on the selected devices Figure 217 Disable Role based Access Control on Ports Confirmation Dialog Box 3 Click Yes to disable this feature or No to leave the feature configured as it is When you click Yes all the Role LDAP and Role Policy associations are removed from the switches Creating Roles Ridgeline provides the int...

Page 268: ...erited but not the match criteria from parent roles Ridgeline allows a maximum of 64 roles and each role name can have a maximum of 32 characters Priorities can have values from 1 to 255 One (1) is the highest priority The priority of the role determines the role to which a user is mapped The default priority is 255 The device is placed under the role with the lesser priority value in case of a conflict...

Page 269: ...numeral Cannot be assigned an existing name Cannot be authenticated and unauthenticated If you do not use these conventions the Invalid input dialog box opens To review the rules for naming click Details Figure 219 Create a New Role Match Criteria 3 To establish match criteria for a role choose a condition from the drop down list in the dialog box The conditions are Location Company Country Depart...

Page 270: ...reate a New Role Multiple Match Criteria Conditions 6 Click OK Tree view and Table view list the new role Refer to Viewing Roles on page 272 Figure 225 and Figure 226 Creating a Child Role with Conditions Inherited from Its Parent Creating a child role with conditions inherited from its parent places a new child in the Parent role hierarchy To create a new child role with conditions inherited from a parent ...

Page 271: ...name You can also enter a description and set priority If you do not change the default priority 255 the most recently created role receives the highest priority See Figure 222 4 Select Inherit parent criteria next to the Parent role name The Match criteria area is populated with the match criteria of the Parent ...

Page 272: ...the parent but the switch does not inherit parent criteria The inherited criteria adds to the total maximum conditions of 16 allowed in the parent role See Figure 223 In Figure 223 the roles have been inherited from the parent then the title was edited from Dr to Registered Nurse title match condition A blank location field shows as the first condition when a child inherits conditions from a paren...

Page 273: ... from its parent It can inherit conditions from another parent but the child role can only have one parent Only the conditions are inherited To do this follow these steps 1 Create a child role from a parent as described in Creating a Child Role with Conditions Inherited from Its Parent step 1 through step 3 on page 268 2 After you assign a role name open the Copy conditions drop down menu at the b...

Page 274: ...is inherited criteria is a condition which adds to the total maximum conditions of 16 included in the parent role 4 Click OK The results are shown on the Roles Tree View and the Roles Table view See Figure 225 Viewing Roles To view created roles do the following 1 On the Folder list go to ID management Roles The ID Management Roles tab lists the current authenticated and unauthenticated parent and...

Page 275: ...he Match criteria tab below shows the conditions for the role The Policies tab shows the attached policies in the order in which they apply To view details about the created roles do the following 1 On the ID management Roles tab select the role for which you want to view details Scroll to the right on the window Figure 227 Role Details Definition and Match Criteria Tab 2 To view the created polic...

Page 276: ...e do the following 1 Select a role in Tree View or Table View and double click The Edit role dialog opens If you are editing a child role double click the child on the Roles list 2 Select a Parent role from the drop down list if you are editing a parent role If you are editing a child role select a child role from the drop down list of Children roles See Figure 229 On this dialog you can change th...

Page 277: ...ttached on all switches enabled with Identity Management To delete a role do the following 1 Select a role on Tree View or Table View 2 On the menu bar go to Edit Delete A confirmation dialog asks if you are sure you want to delete the role and indicates child roles if they exist See Figure 230 Figure 230 Information and Confirmation Dialog Box 3 Click Yes ...

Page 278: ... Roles You must attach policies to roles before you can attach roles to switches Use the procedure to edit attached roles with policies To attach roles with policies do the following 1 On the menu bar go to Edit Attach Roles and Policies See Figure 232 The Attach Role and Policies dialog opens Figure 231 Attach Roles and Policies Menu Table 8 Identity Management Ingress Policy Match Conditions Sou...

Page 279: ...oles Dialog Box 2 Choose a role from the Roles list See Figure 232 3 Choose a policy from the Available Policies column and move it to the Selected Policies column by clicking the arrow buttons 4 Click Save Changes The Association Modifications Page Summary opens See Figure 233 ...

Page 280: ...o delete a policy from the existing role s attachment to that policy you must detach the policy from the role before deleting the policy Ridgeline does not allow you to delete a policy if it is attached to a role or VM To detach a policy from a role refer to Detaching VPPs on page 196 The procedure is the same for roles and VMs Deleting a policy attached with a role causes the following unbinds th...

Page 281: ...h user action or through automatic device restoration is available in the Audit log repository Figure 235 Current Composite Status for Enabled Role based Access Control Devices Configuring Directory Servers You can specify LDAP server settings for up to 8 servers Ridgeline maintains network wide LDAP configurations that ensure all Identity Management enabled edge switches have the same configuratio...

Page 282: ...etwork Users Directory servers tab 2 Choose the Servers tab which lists the servers Managing Global Directory Servers To set the Global server credentials do the following 1 Go to ID Management Network users Directory Servers tab Servers Select a server on the Directory Servers list Or you can select a server on the Directory Servers list and open the Global Settings tab The LDAP server credential...

Page 283: ...nu Figure 238 LDAP Server Configuration and Edit Dialog Box 3 Click New at the bottom of the dialog box The New directory server wizard opens 4 Enter the server name IP address DNS Name The port number and default security Mechanism are shown in the dialog box See Figure 239 ...

Page 284: ...igure 239 New Directory Server Dialog Box 5 Click Next The dialog box that opens asks Any specific client configuration See Figure 240 6 Select an Identity Management enabled device from the list NOTE To change the client IP address and VR Name you must select a VLAN ...

Page 285: ...k Finish Reset to IP management resets the client attributes to use the VLAN and VR through which Ridgeline manages the device Editing LDAP Client Properties To edit LDAP client properties do the following 1 With the Directory servers tab open go to File Manage Servers The LDAP Server Configuration dialog box opens showing the currently configured LDAP servers See Figure 241 ...

Page 286: ... Configuration 2 Select the server you want then click Edit client configuration at the bottom of the dialog box The dialog box opens that shows the name of the server in the title The server information is grayed out 3 Click Next The dialog opens and asks Any specific client configuration See Figure 240 ...

Page 287: ... a Directory Server To delete a directory server do the following 1 Open the LDAP Server Configuration dialog box by double clicking the server name on the Servers tab The dialog opens showing the currently configured LDAP servers with the server you selected highlighted 2 On the LDAP Server Configuration dialog click Delete or select another server you want to delete A dialog opens to remind you that...

Page 288: ...s table and in Ridgeline reports From the Users table you can display detailed information about a selected user or device Network User Dashboard Reports You can configure Ridgeline to display dashboard reports summarizing user information for the last 24 hours on the Ridgeline home page The following dashboard reports are available Most logons by user name Most logon failures by user name Most lo...

Page 289: ...or more information about working with dashboards Users Table The Users table lists all of the users and devices connected to the switches that have Identity Management enabled and are being monitored by Ridgeline To view the Users table click Users under the Network Users folder The Users table has two tabs one listing the currently active users and one listing the active users the users that hav...

Page 290: ...Role Role to which the user is attached For XOS devices running 12.4 or earlier the Role shows Unknown Log on time Date and time the user logged on to the network If the switch is running ExtremeXOS 12.3 or earlier no information is shown and the switch cannot be added to the monitoring list Port number The port number on the switch where the user connected to the network User's MAC address The MA...

Page 291: ... see in the table Type The user type either Human or Device Port name The name of the port where the user connected to the network Member of The device groups the user belongs to if any Last updated Date and time when information about the user was last received by Ridgeline Last attempt to update The last time Ridgeline polled for information about the user whether successful or not User name The...

Page 292: ... failed Date and time the user attempted to log in and encountered an authentication failure If authentication did not fail for the user this is N A Log off time Date and time the user logged out of the network If the user is currently logged in this is N A If Ridgeline was not monitoring the switch when the user logged out then this is Unknown Type The user type either Human or Device Authenticat...

Page 293: ...g Role Role to which the user is attached For XOS devices running 12.4 or earlier the Role shows Unknown Log on time Date and time the user logged on to the network Authentication failed Date and time the user attempted to log in and encountered an authentication failure If authentication did not fail for the user this is N A Log off time Date and time the user logged out of the network If the use...

Page 294: ...ess The IP address of the switch where the user connected to the network Port number The port number on the switch where the user connected to the network Port name The name of the port where the user connected to the network Last updated Date and time when information about the user was last received by Ridgeline Last attempt to update The last time Ridgeline polled for information about the user...

Page 295: ...dentify the changes to the configurations on your devices and to maintain an audit trail of configuration updates can help you troubleshoot when configuration problems arise Archiving Device Configurations You can use Ridgeline to upload and store the configuration files from all your Extreme devices You can do this on an as needed basis but you can also have Ridgeline perform archival uploads on ...

Page 296: ...he limit is reached the oldest files are deleted first If you don't want to schedule all your devices individually you can set the Global Schedule which will then archive all other devices those not individually scheduled based on the global schedule To upload configuration files from your Extreme devices to Ridgeline on a one time basis select Configuration Tasks Upload from device from the Tools...

Page 297: ...ploaded configuration files or to compare a configuration file with the baseline file for the device using a Difference viewer through Ridgeline's Diff command For example if you suspect malicious changes you could perform a configuration upload for the device and then compare that file with the last archived configuration In order to use this feature you must have a Difference Viewer such as WinM...

Page 298: ...re larger than 1 megabyte cannot be analyzed with the automatic change detection feature Device Configuration Management Log In the Configuration Manager you can view the status of the most recent configuration management activity and its status the date and time and result of the last activity upload or download for each device However there may be times when you want to view a history of the con...

Page 299: ...esired upgrade i.e. you need to perform an intermediate upgrade before you can upgrade a device to the final version you want to use the Firmware manager will inform you of the steps required and the order in which they must be performed Automated Retrieval of Firmware Updates from Extreme Ridgeline can connect you automatically to the Extreme web site to check for new versions of software images I...

Page 300: ...Figure 251 Firmware Manager Window ...

Page 301: ... server is running or while the server is stopped To run the Package Debug Info command go to Ridgeline_install_dir jboss bin and run PackageDebugInfo exe PackageDebugInfo bin in Linux or Solaris You can also run the Package Debug Info command from the Windows Programs menu on the Ridgeline server Start Programs Extreme Networks Ridgeline 3 0 Package Debug Info In this case a DOS window appears th...

Page 302: ...cking the Clear button at the bottom of the window You can close the Java Console by clicking the Close button at the bottom of the window However once it is closed it can only be restarted by closing and restarting the browser Ridgeline Client Issues Problem Unable to connect to the Ridgeline server Verify that the Ridgeline Server process is running Verify that the server is running on the speci...

Page 303: ...idgeline server is shut down incorrectly the database may be left in an invalid state In this case an Assertion failed error may occur when attempting to restart the server To recover the database in Windows XP or Windows 2003 Server do the following 1 Open a DOS command window The following commands assume you have accepted the default installation location c Program Files Extreme Networks Ridgel...

Page 304: ...covered restart the server If the database cannot be recovered you will need to restore the database from a backup See the Ridgeline Reference Guide for instructions on restoring the database from a backup Ridgeline Server Issues Problem Cannot communicate with a specific switch Verify that the switch is running ExtremeWare software version 6.2 or later Ping the switch's IP address to verify avail...

Page 305: ...ne Reference Guide for more information about setting server properties You can set up event filtering to exclude login logout events or clipaging enable disable events from the log See the following discussion for more details With ExtremeXOS 11.2 and higher you can set up filters to suppress the log entries generated by Ridgeline login and logout of the switch Use of these filters is based on th...

Page 306: ...slog server function By default Solaris runs its own Syslog server This may cause an error Syslog Server unable to start Address already in use when you attempt to enable the Ridgeline syslog server You must first stop the Solaris syslog server in order to have Ridgeline act as a Syslog receiver To stop the Solaris Syslog server use the command /etc/init.d/syslog stop Problem Ridgeline is not recei...

Page 307: ...ccur Check the following Make sure that the alarm is defined and enabled Check that the device is in the alarm scope Check that SNMP traps are enabled on the device For a non Extreme device make sure you have set Ridgeline as a trap receiver on the device see Appendix B Configuring Devices for Use With Ridgeline For an RMON alarm make sure you have RMON enabled on the device For Syslog messages ma...

Page 308: ...able variable you will need to append the specific index and apply the variable to each target device one at a time Problem A program specified as an action for an alarm in the Run Program field does not get executed It includes output to the desktop among its functions You must specifically tell it to allow output to the desktop To do this you must stop and restart the Ridgeline server as follows...

Page 309: ...any ifPhysAddress entry the device will not be added to the Ridgeline database Problem Attempted to add a switch to Ridgeline after rebooting the switch and received an SNMP not responding error If a switch has recently been powered on it may take some time a number of minutes before the device is completely initialized This will be especially true of chassis devices with many blades or devices wi...

Page 310: ...e server http://host:port In the URL replace host with the name of the system where the Ridgeline server is running Replace port with the TCP port number that you assigned to the Ridgeline server during installation Do not use localhost as the host 2 Click the Log on to Reports only link 3 Login to the Reports feature Configuration Manager Problem Failed to connect to device communicator session mes...

Page 311: ... Administration See Server Properties Administration in the Ridgeline Reference Guide for more information On the device side remote logging must be enabled and the switch must be configured to log to the Ridgeline server The default on Extreme switches is for logging to be disabled You must use the CLI to configure logging on your switches To enable remote logging on an Extreme switch enter the c...

Page 312: ...rt each quad of the IP address to its hex equivalent b Convert the hex value a000401 into a decimal value in this case 167773185 c Put the three components together to form the community string ST 167773185 10550 You can find and verify the value of the community string by using Telnet to log into an Extreme Networks device that is being managed by Ridgeline and using the ExtremeWare CLI command s...

Page 313: ...ntact username and password from Ridgeline To accomplish this integration there are three basic steps 1 Create an Abstract Library Type ATL file an XML file and save it in the Install_Dir extreme war ATL Device Types directory 2 Create a folder in the Install_Dir extreme war gifs directory which is named with the OID of the new Device Type 3 Create gif format Compuserve Graphics Interchange Format...

Page 314: ...erties Therefore these properties are specified in the 3com xml file which is referenced as the parent in the 3Com_SuperstackerII_1100 xml file The key attributes in an ATL XML file are the following Table 9 Attributes Used in an ATL File TAG Attribute Value Device Type Name The name of the device type of the device This is the main Tag in the file Version Must be specified as 1 Parent The parent ...

Page 315: ...1 sysObjectID identity attributes TELNET true TELNET attributes deviceType Note that in the 3Com xml file the sysObjectID is the enterprise OID for 3COM in the 3Com_SuperstackerII_1100 xml file it is the OID of the specific 3Com device Many of the attributes in the 3Com xml file are related to integration into Telnet These are discussed in Telnet Integration on page 315 SysobjectID The OID value o...

Page 316: ...D Parent SysOID FallbackOID DeviceType Device Name DeviceType ConfigFile For the 3Com SuperStacker II 1100 OID_43 10 27 4 1 2 1 the DeviceInfo txt file contains these entries xml version 1 0 ConfigFile FallbackOID 43 FallbackOID DeviceType 3Com Super Stack II Switch 1100 24 port DeviceType ConfigFile The DeviceInfo txt file for the parent OID_43 contains the following entries xml version 1 0 Confi...

Page 317: ...attributes vendor 3Com vendor imageIconsFileName 3comicons gif imageIconsFileName CLI LOGIN_PROMPT login CLI LOGIN_PROMPT CLI PASSWORD_PROMPT password CLI PASSWORD_PROMPT CLI SHELL_PROMPT CLI SHELL_PROMPT CLI MORE_PROMPT Press to continue or to quit CLI MORE_PROMPT attributes Table 10 Tags used for Telnet integration TAG Value Comments CLI LOGIN_PROMPT A value string to be displayed as the prompt ...

Page 318: ...c tab of the Alarm Definition Window in the Alarm Manager Alarms can then be defined to take actions upon the occurrence of these events Editing the Events xml file CAUTION Make a backup copy of this file before you start and edit carefully Do not edit the existing entries in this file Errors in this file may prevent the Ridgeline server from starting up The Events xml file is located in the extre...

Page 319: ...tart the Ridgeline server to have these changes take effect Launching Third Party Applications Ridgeline can launch an external application for a third party device under the following conditions Ridgeline and the third party application client and server are installed on the same system Ridgeline and the third party client are installed on the same system Ridgeline is installed on one system and ...

Page 320: ...Once this integration has been accomplished you can launch the third party application from Ridgeline by selecting Third party applications from the Tools menu ...

Page 321: ...ient on a Windows-based Ridgeline client system It also describes the installation and configuration of the OpenSSH server on a Windows-based server system where the Ridgeline server is installed Overview of Tunneling Setup In this example it is assumed that an SSH server needs to be installed on the same machine as the Ridgeline server If an SSH server is already installed on the system where the ...

Page 322: ... You must download this application to each Ridgeline client for which you want to secure your client server communication Step 2 Configure the PuTTY Client 1 Configure the Session settings Click on the Session category in the left column tree as shown in Figure 253 Use the following settings Saved Sessions a name for the session such as Network Manager Host Name the Host name or IP address of the...

Page 323: ...elect 2 for Preferred SSH protocol version as shown in Figure 254 Figure 254 The Basic SSH Settings 3 Under SSH click on X11 to display the dialog shown in Figure 255 For X display location type localhost:0 Figure 255 SSH X11 Forwarding 4 Under SSH click on Tunnels as shown in Figure 256 ...

Page 324: ...dgeline is using as its Telnet port do the following a Go to Ridgeline Reports either from the Ridgeline client or from a browser b Select the Ridgeline Server category then select Debug Ridgeline You must have Ridgeline administrator rights to do this c Click the Set Logging Level link The Debug Configuration page appears and the Telnet port is displayed below the two selection fields This is the...

Page 325: ...er on the Ridgeline server If there is an SSH server already running on the Ridgeline server skip this step 1 Create a folder c:\cygwin 2 Next download the file setup.exe from http://www.cygwin.com and store it in the folder c:\cygwin 3 Double click the setup.exe file in the c:\cygwin directory The first Cygwin Setup dialog choose Installation Type appears as shown in Figure 258 Click Save ...

Page 326: ...n then click Next The Choose Installation Directory dialog appears Figure 259 Choose Installation Directory 5 In the Root Directory field type C:\cygwin which is where the OpenSSH will be installed Select the All Users radio button so all users will have access to the SSH server Click Next The Select Local Package Directory dialog appears ...

Page 327: ...ectory 6 In the Local Package Directory field type C:\cygwin then click Next 7 When the Select Packages window appears see Figure 261 click the View button for a full view Figure 261 Select Packages 8 Locate the line OpenSSH click on the word skip so that an X appears in Column B ...

Page 328: ...es 12 Select the Advanced tab and click Environment Variables This displays the Environment Variables window as shown in Figure 262 Adding a System Variable for Cygwin 13 In the bottom section of the window under System variables click the New button to add a new entry to the system variables Variable name CYGWIN Variable value ntsec tty Click OK The new entry will appear in the Systems variables ...

Page 329: ...tem Variable for Cygwin Successfully Added 14 From the Environment Variables window scroll the System variables list select the Path variable and click the Edit button Figure 264 Path Variable 15 Append c:\cygwin\bin to the end of the existing variable string ...

Page 330: ...user answer yes When the script asks about install sshd as a service answer yes When the script asks for CYGWIN answer ntsec tty 18 When the script has finished while in the black cygwin window start the sshd service by typing net start sshd Step 4 Configure Microsoft Firewall to Allow SSH Connects By default the Windows firewall will block incoming SSH port 22 connections This section provides st...

Page 331: ...he following 1 Open the Windows Control Panel and double click the Windows Firewall icon The Windows Firewall window opens Figure 267 Configuring the Windows Firewall to Allow Port 22 Connections 2 Click on the Exceptions tab and click on Add Port The Add a Port window opens Figure 268 Add a Port Window ...

Page 332: ...tion putty.exe and select the Ridgeline session 2 Enter your SSH username and password This creates an SSH session between the client and server Figure 269 Creating an SSH session for Ridgeline 3 Log on to Ridgeline using the following URL http://localhost:8080 4 Click the Log on to Ridgeline link enter your Ridgeline user name and password click Log on PuTTY is now set up to port forward all traffi...

Page 333: ...The following example is a step by step walk through example using Microsoft Active Directory and Internet Authentication Service This example also leads you through the process of setting up a VSA for passing role information Step 1 Create an Active Directory User Group for Ridgeline Users Within Active Directory create one or more User Groups If you have multiple roles within Ridgeline and you w...

Page 334: ...ne role repeat these steps to create a group that corresponds to each Ridgeline role you use For example if you want to authenticate users with an Admin role and users with a Monitor role you would create a group for each role type such as NMS Admin and NMS Monitor Step 2 Associate Users with the Ridgeline Group If necessary create one or more new users To add a new user click Users the New User F...

Page 335: ...he Properties dialog Figure 271 The Properties dialog for a user name 2 Click the Member Of tab then click Add Figure 272 The Member Of tab 3 In the Enter the object names to select field type the name of the Ridgeline related group this user should be associated with see Figure 273 Click OK to continue ...

Page 336: ...ick OK to continue. (Figure 274: The Dial-in tab configuration) Step 3. Enable Ridgeline as a RADIUS Client. Within the Internet Authentication Service, enable Ridgeline as a RADIUS client. 1. Under the Internet Authentication Service, click RADIUS Clients, then New RADIUS Client. 2. Type a Friendly Name for the RADIUS client, and type the IP address or host name of the Ridgeline server. Click Next to continue. ...

Page 337: ... down menu, and type the shared secret twice. You must use this same shared secret when you configure Ridgeline as a RADIUS client. (Figure 276: Setting the shared secret for a RADIUS client) 4. Click Finish. The new Ridgeline client should now appear in the list of RADIUS Clients under the Internet Authentication Service, as shown in Figure 277. ...

Page 338: ...Access Policy is needed, configured with the role information that must be transmitted to Ridgeline along with the user's authentication status. To create a Remote Access Policy: 1. Under the Internet Authentication Service, right-click the Remote Access Policies folder, select New and then Remote Access Policy. The New Remote Access Policy Wizard will start. Click New to continue. 2. Type a name for t...

Page 339: ...s Policy using the wizard 3. To configure the Access Method (Figure 279), click the Ethernet radio button, then click Next to continue. (Figure 279: Selecting the Access Method for network access) 4. The User or Group Access window appears. This is where you associate a group with this policy. ...

Page 340: ...re 280: The User or Group Access selection 5. Select the Group radio button, then click Add. The Select Group pop-up window appears, as shown in Figure 281. (Figure 281: The Select Groups window) 6. Click on Locations. The Locations pop-up appears, as shown in Figure 282. ...

Page 341: ...ntinue. This returns you to the Select Groups window, with the selected domain displayed (see Figure 283). (Figure 283: The Select Groups window after setting the location) 8. Type the name of the group you want to associate with this remote access policy. Click OK to continue. The User or Group Access window re-appears, with the domain and group you specified shown in the Group name list. Click Next to contin...

Page 342: ...electing the domain and group 9. Next, select the Authentication Method to be used. From the EAPS Type drop-down menu, select MD5 Challenge, then click Next. (Figure 285: Setting the Authentication Method for the policy) 10. Click Finish in the final window to complete your configuration of the remote access policy. ...

Page 343: ... can simply set the service type attribute. If you have added administrator roles in Ridgeline and want to authorize users with those you want to use, create a VSA to pass the role information to Ridgeline. This example shows how to create a VSA to pass role information. To create a VSA, do the following: 1. Select the Remote Access Policy you want to edit. Right-click on the policy name and select Proper...

Page 344: ...erties window for a remote access policy 2. Remove the NAS Port Type matches Ethernet policy: select NAS Port Type matches Ethernet and click Remove. 3. Next, select the Windows Group matches EBCDEMO Ridgeline policy and click Edit Profile. The Edit Dial-in Profile window appears. ...

Page 345: ...tion (PAP, SPAP). Then click the EAPS Methods button. The Select EAPS Providers pop-up window appears (Figure 289). (Figure 289: The Select EAPS Providers window) 5. Remove the MD-5 Challenge method: select MD5 Challenge and click Remove. Then click OK. This returns you to the Edit Dial-in Profile window. 6. Select the Advanced Tab and click Add. The Add Attribute window appears. ...

Page 346: ...ow Advanced Tab 7. Select Vendor-Specific and click Add. The Multivalued Attribute Information window appears. (Figure 291: The Multivalued Attribute Information window) 8. Click Add again. The Vendor-Specific Attribute Information window appears. This is where you add the Ridgeline VSA settings. ...

Page 347: ...The Vendor-Specific Attribute Information window 9. Select the Enter Vendor Code radio button and type 1916 as the vendor code. Select the Yes It conforms radio button. Click Configure Attribute. The Configure VSA pop-up appears. (Figure 293: Configuring the VSA) ...

Page 348: ...not match a role, the user will default to the Monitor role only. Ridgeline roles can be found in the Ridgeline Administration under the Roles tab. Click OK to continue. 11. The new attribute will appear in the Multivalued Attribute Information window as Vendor code 1916, with the value set to the role name you entered (Administrator in this example). Click OK to continue. 12. In the Edit Dial-in Profile win...

Page 349: ...e 295. (Figure 295: Configuring Ridgeline as a RADIUS client) 2. Click the Enable system as a RADIUS client button. The Client Configuration section of the page will become available. 3. Enter the host name or IP address of your RADIUS server, and enter the shared secret you used when you set Ridgeline as a RADIUS client in IAS (see "Step 3. Enable Ridgeline as a RADIUS Client" on page 334). If you have a second...

Page 351: ...he contents of device MIBs. The AlarmMgr utility on page 358, used to display alarm information from the Ridgeline database. Results can be output to a file. The FindAddr utility on page 361, used to find IP or MAC addresses within a set of devices or ports specified individually or as device or port groups. Results can be output to a file. The TransferMgr utility on page 363, used to upload or download d...

Page 352: ...he server keeps about any connected clients. This information can help Extreme Networks technical support staff debug problems you may be experiencing with your Ridgeline server. Port Configuration Utility. The Port Configuration utility is a stand-alone utility that runs on the Windows platform. The Ridgeline Port Configuration utility provides a way for a Ridgeline administrator to change the TCP I...

Page 353: ...ty, leaving the current port settings. If you do click Apply before you Cancel, the new port settings will have been recorded and will take effect next time you restart the server. If you want to revert the change after you have clicked Apply, you must re-enter the original value and click Apply again. 5. To have the new port settings take effect, restart the services whose ports you have changed. Changes ...

Page 354: ... device 10 205 1 51 to use an empty string enter the command devcli mod u admin a 10 205 1 51 d NOTE If you are running the DevCLI on a Windows platform enter forward slashes to separate empty double quotes to ensure the command executes correctly For example to use the previous command in a Windows environment enter the command devcli mod u admin a 10 205 1 51 d devcli del options to remove a dev...

Page 355: ...dgeline database running on server snoopy on port 81, with Ridgeline login master and password king, enter the following command:
    devcli add -u master -p king -a 10.205.0.99 -s snoopy -n 81
Table 12: DevCLI command options (Option, Value, Default): -a, Device IP address (this option can be specified more than once), None; -b, SNMP version 3 user name, initialmd5; -d, Device password; -f, Input file name for IP addresses. This ...

Page 356: ...own to multiple Ridgeline servers. The information will be output in comma-separated (CSV) format, suitable for importing into a spreadsheet. For a device report, the information reported includes the device name and type, IP address, location, serial and board numbers. If you use the Distributed server version of this report, the name of the Ridgeline server that manages the device will also be included. For...

Page 357: ...inux or Solaris enter the command cd opt ExtremeNetworks Ridgeline3 0 user war scripts bin msinv sh d o alldevinfo csv s config servers txt The server file defaults to the file servers txt in the user scripts config directory You can edit this file to include the names or IP addresses of the servers where the Ridgeline server and databases are running You can also provide your own file The format ...

Page 358: ...o the console using the default login and default password, under Windows enter the following command:
    inv.bat -d -o output.csv
Under Linux or Solaris, enter the following command:
    inv.sh -d -o output.csv
This command will login using the default user name admin and the default password, and will output the results to the file output.csv in the user/scripts/bin directory. To export device information from t...

Page 359: ... on the device at 10.205.0.99, enter the following command:
    snmpcli snmpget -a 10.205.0.99 -o 1.3.6.1.4.1.1916.1.1.1.10.0
snmpcli snmpnext options returns the value of the next OID (subsequent to the OID you specify) in the MIB tree. For example, you can use this command to get the value of the object whose OID is 1.3.6.1.4.1.1916.1.1.1.10.0 on the device at 10.205.0.99 by entering the following command: s...

Page 360: ...6.1.4.1.1916.1.1.1.9 This returns the following:
    IP Address 10.205.0.99
    Read community string public
    Timeout ms 500
    OUTPUT
    OID 1.3.6.1.4.1.1916.1.1.1.9.1.1.1 VALUE 1
    OID 1.3.6.1.4.1.1916.1.1.1.9.1.1.2 VALUE 2
    OID 1.3.6.1.4.1.1916.1.1.1.9.1.1.3 VALUE 3
    OID 1.3.6.1.4.1.1916.1.1.1.9.1.2.1 VALUE 2
    OID 1.3.6.1.4.1.1916.1.1.1.9.1.2.2 VALUE 2
    OID 1.3.6.1.4.1.1916.1.1.1.9.1.2.3 VALUE 2
The AlarmMgr Utilit...

Page 361: ...s localhost port port Ridgeline server port number 80 h N Display alarms that occurred within the last N hours These options are mutually exclusive and may not be combined Last 300 alarms d N Display alarms that occurred N days ago y Display alarms that occurred yesterday c category Display alarms that occur for a specific category Category specification is case insensitive Must be quoted if categ...

Page 362: ...d and unacknowledged. However, there are no alarms that meet this criteria, since an alarm cannot be both. To display both alarms that are acknowledged and alarms that are unacknowledged, do not specify either option. AlarmMgr Output. The output from the AlarmMgr command is displayed as tab-delimited ASCII text, one line per alarm. Each line contains the following information: AlarmMgr Examples. The followin...

Page 363: ... FindAddr utility is located in the Ridgeline bin directory Ridgeline_install_dir client bin By default this is Program Files Extreme Networks Ridgeline 3 0 client bin in Windows or opt ExtremeNetworks Ridgeline3 0 client bin in a UNIX environment This command includes options for specifying Ridgeline server access information the address to be located and a search domain an individual device and ...

Page 364: ...ions all Display all addresses located in the search domain At least one of these options is required The mac and ip options may be combined None mac mac_address Locate the specified MAC address The address must be specified as six two digit hexadecimal values separated by colons xx xx xx xx xx xx You can specify a wildcard address by specifying asterisks instead of the last three values for examp...

Page 365: ... examples illustrate the usage of these commands. To display all addresses that can be accessed through devices in the Default device group from the local Ridgeline database, with default user, password and port, enter the following command:
    FindAddr -user admin -all -dg Default
To display all addresses that can be accessed through device 10.20.30.40 ports 5, 6, 7, 8 in the Ridgeline database running on serv...

Page 366: ...ce address TransferMgr user Ridgeline username incremental filename dip device address TransferMgr user Ridgeline username software filename dip device address primary secondary The Ridgeline user name one of the four transfer options and a device IP address are required Other options are optional Table 17 specifies the options you can use with this command Table 17 TransferMgr command options Opt...

Page 367: ...ilename path and filename Download configuration from the specified file to the device specified with the dip option The specified file must be located in or below the tftp_root configs directory By default tftp_root is Ridgeline_install_dir user tftp None dip IP address IP address of device to which configuration should be downloaded This option is required It may not be repeated None Download In...

Page 368: ... login master and password king enter the following command TransferMgr host snoopy port 81 user master password king upload a dip 10 20 30 40 Assuming the default location for the TFTP root directory and assuming that this command was executed on July 24 2010 at 10 02 AM this will place the device configuration information in the file Program Files Extreme Networks Ridgeline 3 0 user war tftp con...

Page 369: ...s serving the domain for the system running the Ridgeline server The type of system you are running will determine where the Ridgeline server looks for the information See Importing from an Windows Domain Controller or NIS Server in Chapter 8 of the Ridgeline Reference Guide for details The syntax of the ImportResources command is as follows ImportResources user Ridgeline username s source name f ...

Page 370: ...wing command:
    ImportResources -user admin -s NewUsers -domain
This imports user data from the Windows Domain Controller that is serving the domain where the Ridgeline server resides. FreeRadius Server Configuration Commands. This section describes configFreeRadius, a command-line tool to help configure the Ridgeline FreeRADIUS server. Use FreeRADIUS for Ridgeline's VM Mobility feature. If you do not use th...

Page 371: ... the FreeRADIUS server to listen for requests on all the IP addresses that are on the server. configFreeRadius -p 10559: Set the port that the FreeRADIUS server uses (by default, the port is set to 10559). At the same time, it will also set the server to listen for requests on all the IP addresses that are on the server. configFreeRadius -i 10.255.255.1 10.255.255.2: Set the FreeRADIUS server to listen re...

Page 373: ...erences 295 Configuration Manager 18 Configuring Directory servers 279 configuring server as trap receiver 310 conventions notice icons About This Guide 10 text About This Guide 10 Creating Roles 265 D Debug Ridgeline 49 decorative node 66 Defining a New Role 266 Deleting Directory server 285 Policy 211 Deleting a policy associated with a role 278 Deleting Roles 275 Detaching a policy 212 DevCLI u...

Page 374: ...254 link topology 66 composite link 67 M MAC polling 216 MAC in MAC and ACLs 114 SVLANs 114 Manager access See user roles map elements Topology 65 composite link 67 decorative node 66 device node 65 hyper node 66 link 66 submap node 66 text node 66 map nodes laying out 71 MIB poller 221 MIB Poller Summary report 49 MIB query 226 MIB Query report 49 Monitor access See user roles N Network Summary R...

Page 375: ... SmartTraps 21 22 SNMP default trap port number 310 MIB query 226 polling 216 SNMPv3 for security 192 traps 21 22 45 46 SNMPCLI utility 357 software architecture 21 components 20 Solaris starting the server 26 SSH 193 starting the server under Solaris 26 status poll 21 submap node 66 Syslog configuring Ridgeline as Syslog receiver 309 Syslog report 48 T terminology About This Guide 9 text node 66 ...

Page 376: ...Q tag 131 198 for security 198 protocol filters 131 198 troubleshooting 305 VM Attaching Policy 159 Details view 172 Manager table 149 monitoring device details 174 VM tracking on a switch 152 VMs tab viewing information 169 VSA 191 configuring 191 Z Zoom In menu selection 68 Zoom Map Out menu selection 68 ...
