Extreme Networks ExtremeWare XOS 10.1 Скачать руководство пользователя страница 117 | Manualshive

Страница: 117 / 256

background image

IP Access Lists (ACLs)

ExtremeWare XOS 10.1 Concepts Guide

117

Along with the data types described in Table 22, you can use the operators

<

,

<=

,

>

, and

>=

to specify

match conditions. For example, the match condition,

source-port >190

, will match packets with a

source port greater than 190.

Example ACL Rule Entries

The following entry accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for
the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 - 1400:

entry udpacl {

if {

ICMP-code <number>

ICMP code field. This value or keyword provides more specific
information than the icmp-type. Since the value’s meaning
depends upon the associated icmp-type, you must specify the
icmp-type along with the icmp-code.In place of the numeric value,
you can specify one of the following text synonyms (the field
values also listed). The keywords are grouped by the ICMP type
with which they are associated:

Parameter-problem:
ip-header-bad(0), required-option-missing(1)

Redirect:
redirect-for-host (1), redirect-for-network (2),
redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

Time-exceeded:
ttl-eq-zero-during-reassembly(1), ttl-eq-zero-during-transit(0)

Unreachable:
communication-prohibited-by-filtering(13),
destination-host-prohibited(10), destination-host-unknown(7),
destination-network-prohibited(9),
destination-network-unknown(6), fragmentation-needed(4),
host-precedence-violation(14), host-unreachable(1),
host-unreachable-for-TOS(12), network-unreachable(0),
network-unreachable-for-TOS(11), port-unreachable(3),
precedence-cutoff-in-effect(15), protocol-unreachable(2),
source-host-isolated(8), source-route-failed(5)

ICMP

Table 22: ACL Match Condition Data Types

Condition Data Type

Description

prefix

IP source and destination address prefixes. To specify the address prefix, use the
notation

prefix/prefix-length

. For a host address,

prefix-length

should be set

to 32.

number

Numeric value. This can be TCP or UDP source and destination port number, IP protocol
number, etc.

range

A range of numeric values. To specify the numeric range, use the notation:

number - number

bit-field

Used to match specific bits in an IP packet, such as TCP flags and the fragment flag.

mac-address

6-byte hardware address.

Table 21: ACL Match Conditions (continued)

Match Conditions

Description

Applicable
IP Protocols

«
...
115
116
117
118
119
...
»

Содержание ExtremeWare XOS 10.1

Страница 1: ...Networks Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 http www extremenetworks com ExtremeWare XOS Concepts Guide Software Version 10 1 Published February 2004 Part number 100150 0...

Страница 2: ...Specifications are subject to change without notice The ExtremeWare XOS operating system is based in part on the Linux operating system The machine readable copy of the corresponding source code is a...

Страница 3: ...uters 17 Virtual LANs VLANs 18 Spanning Tree Protocol 18 Quality of Service 18 Unicast Routing 18 IP Multicast Routing 19 Load Sharing 19 Chapter 2 Accessing the Switch Understanding the Command Synta...

Страница 4: ...ther Host Using Telnet 35 Configuring Switch IP Parameters 36 Disconnecting a Telnet Session 38 Using Trivial File Transfer Protocol TFTP 38 Connecting to Another Host Using TFTP 38 Enabling the TFTP...

Страница 5: ...les 59 Verifying the Load Sharing Configuration 59 Switch Port Mirroring 59 Modular Switch Port Mirroring Example 60 Extreme Discovery Protocol 60 Chapter 5 Virtual LANs VLANs Overview of Virtual LANs...

Страница 6: ...nd DiffServ Traffic Groupings 86 Configuring DiffServ 87 Physical Groupings 89 Verifying Configuration and Performance 89 QoS Monitor 90 Displaying QoS Profile Information 90 Chapter 8 Status Monitori...

Страница 7: ...tries 117 Using Access Lists on the Switch 118 Displaying and Clearing ACL Counters 119 Switch Protection 119 Policies 120 Creating Policies 120 Policy File Syntax 120 Policy Examples 125 Using Polici...

Страница 8: ...s 163 Chapter 11 Virtual Router Redundancy Protocol Overview 165 Determining the VRRP Master 166 VRRP Tracking 166 Electing the Master Router 168 Additional VRRP Highlights 168 VRRP Operation 169 Simp...

Страница 9: ...1 Versus RIP Version 2 188 Overview of OSPF 188 Link State Database 188 Areas 189 Point to Point Support 193 Route Re Distribution 193 Configuring Route Re Distribution 194 OSPF Timers and Authentica...

Страница 10: ...on for ABR1 223 Part 3 Appendixes Appendix A Software Upgrade and Boot Options Downloading a New Image 227 Selecting a Primary or a Secondary Image 228 Understanding the Image Version String 228 Softw...

Страница 11: ...XOS 10 1 Concepts Guide 11 Contents Debug Mode 240 System Health Check 240 System Odometer 240 Contacting Extreme Technical Support 241 Appendix C Supported Protocols MIBs and Standards Index Index o...

Страница 12: ...12 ExtremeWare XOS 10 1 Concepts Guide Contents...

Страница 13: ...s LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Internet Protocol IP concepts Routing Information Protocol RIP and Open Shortest Path First OSPF Border Gateway Proto...

Страница 14: ...tion Risk of personal injury system damage or loss of data Warning Risk of severe personal injury Table 2 Text Conventions Convention Description Screen displays This typeface indicates command syntax...

Страница 15: ...Part 1 Using ExtremeWare XOS...

Страница 16: ......

Страница 17: ...rmation and switch ports can belong to one and only one virtual router packets arriving at a port on one virtual router can never be switched to the ports on another In this release of ExtremeWare XOS...

Страница 18: ...which is a bridge based mechanism for providing fault tolerance on networks STP enables you to implement parallel paths for network traffic and ensure that redundant paths are Disabled when the main...

Страница 19: ...ned by the Protocol Independent Multicast dense mode or sparse mode NOTE For more information on IP multicast routing see Chapter 15 Load Sharing Load sharing allows you to increase bandwidth and resi...

Страница 20: ...20 ExtremeWare XOS 10 1 Concepts Guide ExtremeWare XOS Overview...

Страница 21: ...XOS software However only a subset of commands are described here and in some cases only a subset of the options that a command supports The ExtremeWare XOS Command Reference Guide should be consider...

Страница 22: ...that might be used as the next option In situations where this list might be very long the syntax helper will list only one line of names followed by an ellipses to indicate that there are more names...

Страница 23: ...se the parameter portlist in the syntax A portlist can be one port on a particular slot For example port 3 1 A portlist can be a range of numbers For example port 3 1 3 3 You can add additional slot a...

Страница 24: ...are brackets Enclose a required value or list of required arguments One or more values or arguments can be specified For example in the syntax use image primary secondary you must specify either the p...

Страница 25: ...left Right Arrow Moves cursor to right Home or Ctrl A Moves cursor to first character in line End or Ctrl E Moves cursor to last character in line Ctrl L Clears screen and movers cursor to beginning o...

Страница 26: ...Reference Guide configure vlan vlan_name ipaddress ipaddress ipNetmask Configures an IP address and subnet mask for a VLAN create account admin user account name password Creates a user account This...

Страница 27: ...level account can view and change all switch parameters It can also add and delete users and change the password associated with any account name The administrator can disconnect a management session...

Страница 28: ...dd a default admin password by entering the following command configure account admin 4 Enter the new password at the prompt 5 Re enter the new password at the prompt To add a password to the default...

Страница 29: ...at have been created you must have administrator privileges To see the accounts use the following command show accounts Deleting an Account To delete a account you must have administrator privileges T...

Страница 30: ...tistics are tabulated after the ping is interrupted Traceroute The traceroute command enables you to trace the routed path between the switch and a destination endstation The traceroute command syntax...

Страница 31: ...stname of the destination endstation To use the hostname you must first configure DNS from uses the specified source address in the ICMP packet If not specified the address of the transmitting interfa...

Страница 32: ...32 ExtremeWare XOS 10 1 Concepts Guide Accessing the Switch...

Страница 33: ...ds Access the CLI by connecting a terminal or workstation with terminal emulation software to the console port Access the switch remotely using TCP IP through one of the switch ports or through the de...

Страница 34: ...itch concurrently If you configure a new limit only new incoming XOS shell sessions are affected If you decrease the limit and the current number of sessions already exceeds the new maximum the switch...

Страница 35: ...active Telnet sessions can access the switch concurrently If idletimeouts are enabled the Telnet connection will time out after 20 minutes of inactivity If a connection to a Telnet session is lost in...

Страница 36: ...P on a per VLAN basis by using the following commands disable bootp vlan vlan all disable dhcp vlan vlan_name all To view the current state of the BOOTP or DHCP client use the following command show d...

Страница 37: ...able you to access all switch functions The default user names have no passwords assigned If you have been assigned a user name and password with administrator privileges enter them at the login promp...

Страница 38: ...k device to another The ExtremeWare XOS TFTP client is a command line application used to contact an external TFTP server on the network For example XOS uses TFTP to download software image files swit...

Страница 39: ...Manager provides its own user interface to the management facilities The following sections describe how to get started if you want to use an SNMP manager It assumes you are already familiar with SNMP...

Страница 40: ...for individually for each trap receiver All community strings must also be added to the switch using the configure snmp add community command To configure a trap receiver on a switch use the following...

Страница 41: ...3414 The User Based Security Model for Version 3 of the Simple Network Management Protocol SNMPv3 describes the User Based Security Model USM RFC 3415 View based Access Control Model V ACM for the Si...

Страница 42: ...noauth authnopriv priv volatile SNMPv3 Security In SNMPv3 the User Based Security Model USM for SNMP was introduced USM deals with security related aspects like authentication encryption of SNMP messa...

Страница 43: ...following command configure snmpv3 delete user all non defaults hex user_name NOTE The SNMPv3 specifications describe the concept of a security name In the ExtremeWare XOS implementation the user nam...

Страница 44: ...oPriv Authentication no privacy Messages are tested only for authentication AuthPriv Authentication privacy This represents the highest level of security and requires every message exchange to pass th...

Страница 45: ...iew has been created you can repeatedly use the configure snmpv3 add mib view command to include and or exclude MIB subtree mask combinations to precisely define the items you wish to control access t...

Страница 46: ...e processing model security model security level and user name security name used for messages sent to the target address See Message Processing on page 42 and Users Groups and Security on page 43 for...

Страница 47: ...tifier To delete a filter or all filters from a filter profile use the following command configure snmpv3 delete filter all hex profile_name subtree object_identifier To remove the association of a fi...

Страница 48: ...Plus TACACS is a mechanism for providing authentication authorization and accounting on a centralized server similar in function to the RADIUS client The ExtremeWare XOS version of TACACS is used to...

Страница 49: ...e starting and ending date and time in terms of a floating day as follows configure timezone name MET 60 autodst name MDT begins every last sunday march at 1 30 ends every last sunday october at 1 30...

Страница 50: ...gain 5 Optionally the interval for which the SNTP client updates the real time clock of the switch can be changed using the following command configure sntp client update interval update interval The...

Страница 51: ...kon Standard 10 00 600 AHST Alaska Hawaii Standard CAT Central Alaska HST Hawaii Standard 11 00 660 NT Nome 12 00 720 IDLW International Date Line West 1 00 60 CET Central European FWT French Winter M...

Страница 52: ...switch are as follows configure timezone 480 autodst configure sntp client update interval 1200 enable sntp client configure sntp client primary 10 0 1 1 configure sntp client secondary 10 0 1 2 11 00...

Страница 53: ...ot must be saved to non volatile storage Otherwise if the modular switch is rebooted or the module is removed from the slot the port VLAN and module configuration information is not saved NOTE For inf...

Страница 54: ...the port number is as follows slot port For example if an I O module that has a total of four ports is installed in slot 2 of the chassis the following ports are valid 2 1 2 2 2 3 2 4 You can also us...

Страница 55: ...and respond to pause frames 10 100 Mbps Ethernet ports also respond to pause frames but do not advertise support Neither 10 100 Mbps or Gigabit Ethernet ports initiate pause frames Flow Control is en...

Страница 56: ...ommand enable jumbo frame ports port_list all NOTE Some network interface cards NICs have a configured maximum MTU size that does not include the additional 4 bytes of CRC Ensure that the NIC maximum...

Страница 57: ...e to jumbo frame fragmentation is not supported Only jumbo frame to normal frame fragmentation is supported To configure VLANs for IP fragmentation 1 Enable jumbo frames on the incoming port 2 Add the...

Страница 58: ...It can be thought of as the logical port representing the entire port group All the ports in a load sharing group must have the same exact configuration including auto negotiation duplex setting and...

Страница 59: ...hes The following example defines a load sharing group that contains ports 9 through 12 on slot 3 and uses the first port as the master logical port 9 enable sharing 3 9 grouping 3 9 3 12 In this exam...

Страница 60: ...Extreme Networks switches EDP is used to by the switches to exchange topology information Information communicated using EDP includes Switch MAC address switch ID Switch software version information...

Страница 61: ...ed by flexible user groups you create with the command line interface Benefits Implementing VLANs on your networks has the following advantages VLANs help to control traffic With traditional networks...

Страница 62: ...emove it from the default VLAN unless the new VLAN uses a protocol other than the default protocol any A port can be a member of only one port based VLAN On the Extreme switch in Figure 1 ports 9 thro...

Страница 63: ...using slot 8 port 4 on system 1 the BlackDiamond switch and port 29 on system 2 the other switch Figure 2 Single port based VLAN spanning two switches To create multiple VLANs that span two switches...

Страница 64: ...tch must have a dedicated port for each VLAN Each dedicated port must be connected to a port that is a member of its VLAN on the next switch Tagged VLANs Tagging is a process that inserts a marker cal...

Страница 65: ...ip for the port must be accompanied by tags In addition to configuring the VLAN tag for the port the server must have a Network Interface Card NIC that supports 802 1Q tagging Assigning a VLAN Tag Eac...

Страница 66: ...and VLAN Sales The trunk port on each switch is tagged The server connected to port 25 on system 1 has a NIC that supports 802 1Q tagging EX_064 System 1 Marketing Sales M S Tagged port Marketing Sal...

Страница 67: ...other words a port can simultaneously be a member of one port based VLAN and multiple tag based VLANs NOTE For the purposes of VLAN classification packets arriving on a port with an 802 1Q tag contain...

Страница 68: ...on EtherType Logical Link Control LLC and or Subnetwork Access Protocol SNAP Up to six protocols may be part of a protocol filter To define a protocol filter 1 Create a protocol using the following co...

Страница 69: ...d add llc feff configure protocol fred add snap 9999 A maximum of 15 protocol filters each containing a maximum of six protocols can be defined On products that use the Inferno chip set all 15 protoco...

Страница 70: ...re only meaningful to that switch If another switch is connected to it the VLAN names have no significance to the other switch NOTE You should use VLAN names consistently across your entire network De...

Страница 71: ...guration Examples The following modular switch example creates a port based VLAN named accounting assigns the IP address 132 15 121 1 and assigns slot 2 ports 1 2 3 and 6 and slot 4 ports 1 and 2 to i...

Страница 72: ...following modular switch example defines a protocol filter myprotocol and applies it to the VLAN named myvlan This is an example only and has no real world application create protocol myprotocol conf...

Страница 73: ...pts Guide 73 Displaying Protocol Information To display protocol information use the following command show protocol name This show command displays protocol information which includes Protocol name L...

Страница 74: ...74 ExtremeWare XOS 10 1 Concepts Guide Virtual LANs VLANs...

Страница 75: ...received and the age of the entry Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN How FDB Entries Get Added Entries are added into the FDB in the foll...

Страница 76: ...nd through the CLI but may then be updated as the switch encounters the MAC address in the packets that it examines A permanent dynamic entry is typically used to associate QoS profiles with the FDB e...

Страница 77: ...ntries are useful as a security measure or in special circumstances where a specific source or destination address must be discarded Blackhole entries may be created through the CLI or they may be cre...

Страница 78: ...permanent static entries can be deleted if the switch is reset Supported aging is between 15 and 1 000 000 seconds MAC Based Security MAC based security allows you to control the way the FDB is learne...

Страница 79: ...f ff permanent Displays all permanent entries including the ingress and egress QoS profiles ports portlist Displays the entries for a set of ports or slots and ports remap Displays the remapped FDB en...

Страница 80: ...80 ExtremeWare XOS 10 1 Concepts Guide Forwarding Database FDB...

Страница 81: ...ffic Groupings on page 86 Configuring DiffServ on page 87 Physical Groupings on page 89 Verifying Configuration and Performance on page 89 Policy based Quality of Service QoS is a feature of ExtremeWa...

Страница 82: ...rs are satisfied Up to eight physical queues per port are available NOTE Policy based QoS has no impact on switch performance Using even the most complex traffic groupings has no cost in terms of swit...

Страница 83: ...ypically be distinguished from each other by their server source and destinations Most browser based applications are distinguished by the dataflow being asymmetric small dataflows from the browser cl...

Страница 84: ...f these QoS components in detail QoS Profiles A QoS profile defines a class of service by specifying traffic behavior attributes such as bandwidth The parameters that make up a QoS profile include Min...

Страница 85: ...traffic grouping is a classification of traffic that has one or more attributes in common Traffic is typically grouped based on the applications discussed starting on page 82 Traffic groupings are sep...

Страница 86: ...penalty The documented capabilities for 802 1p priority markings or DiffServ capabilities if supported are not impacted by the switching or routing configuration of the switch For example 802 1p infor...

Страница 87: ...QoS profile has configurable bandwidth parameters and priority In this way an 802 1p priority value seen on ingress can be mapped to a particular QoS profile and with specific bandwidth management and...

Страница 88: ...erv information can be enabled or disabled by default it is disabled To view DiffServ information use the following command show diffserv Changing DiffServ Code point assignments in the Q0S Profile Be...

Страница 89: ...ers of the QoS profile QP3 configure qp3 min 10 max 100 2 Configure the switch so that other switches can signal class of service that this switch should observe enable diffserv examination Physical G...

Страница 90: ...per port performance use the following command show ports port_list qosmonitor Displaying QoS Profile Information The QoS monitor can also be used to verify the QoS configuration and monitor the use...

Страница 91: ...oblems arising before they cause major network faults In this way statistics can help you get the best out of your network Status Monitoring The status monitoring facility provides information about t...

Страница 92: ...and ports offline and performs extensive ASIC ASIC memory and packet loopback tests Extended diagnostic tests take a maximum of 15 minutes The CPU is not tested Console access is available during ext...

Страница 93: ...rt statistics use the following command show ports port_list statistics The switch collects the following port statistic information Link Status The current status of the link Options are Ready the po...

Страница 94: ...ns or excessive collisions Transmit Parity Frames TX Parity The bit summation has a parity mismatch To view port receive errors use the following command show ports port_list rxerrors The switch colle...

Страница 95: ...CSimC2 20 20 Slot 3 PCSimC2 20 30 Slot 4 PCSimC2 20 40 Slot 5 PCSimC256 20 50 Slot 6 PCSimC256 20 60 Slot 7 PCSimC256 20 70 Slot 8 MSM A PCSimMSM 20 90 MSM B PCSimMSM 21 00 You can also view the tempe...

Страница 96: ...ealth checker use the following command disable sys health check slot slot To configure the how often packets are forwarded use the following command configure sys health check interval interval Syste...

Страница 97: ...tion of the number of links available and the total bandwidth of these links Software health This number represents the percent of processes available Software version Represents the software version...

Страница 98: ...y node_pri To bring a node back online use the following command configure node slot slot_id online priority node_pri Relinquishing Primary Status You can force the primary node to failover to the bac...

Страница 99: ...does not have the primary s active configuration it will use the configuration stored in its flash memory NOTE If you issue the reboot command before you save your configuration changes the switch pro...

Страница 100: ...f logging targets for example syslog host and NVRAM Filter events on a per target basis by Component subcomponent or specific condition for example BGP messages IGMP Snooping messages or the IP Forwar...

Страница 101: ...essages NVRAM messages remain after reboot Syslog host The first four types of targets exist by default but before enabling any syslog host the host s information needs to be added to the switch using...

Страница 102: ...one of the severity level specified by the standard BSD syslog values RFC 3164 critical error warning notice and info plus three severity levels for extended debugging debug summary debug verbose and...

Страница 103: ...certain categories of messages to pass Only the messages that pass the filter and then pass the specified severity level will reach the target Finally you can specify the severity levels of messages...

Страница 104: ...U Ign Debug Summary 2 total STP InBPDU Mismatch Warning 2 total The display above lists the five conditions contained in the STP InBPDU component the severity of the condition and the number of parame...

Страница 105: ...cluded events are blocked To configure your filter use the following command configure log filter name add delete exclude events event condition all event component severity severity only For example...

Страница 106: ...st the current configuration of the filter to try to logically simplify the configuration Existing items will be replaced by logically simpler items if the new item enables rewriting the filter If the...

Страница 107: ...show log events all command can be used to display event definitions the event text and parameter types Only those parameter types that are applicable given the events and severity specified are expos...

Страница 108: ...ia but all parameter types in the match criteria need not be present in the event definition Formatting Event Messages Event messages are made up of a number of items The individual items can be forma...

Страница 109: ...essages on page 108 Displaying Events Logs The log stored in the memory buffer and the NVRAM can be displayed on the current session either the console display or telnet To display the log use the fol...

Страница 110: ...d One counter displays the number of times an event has occurred and the other displays the number of times that notification for the event was made to the system for further processing Both counters...

Страница 111: ...er includes this event Notified of times this event has occurred when Included was Y es Displaying Debug Information By default a switch will not generate events of severity Debug Summary Debug Verbos...

Страница 112: ...112 ExtremeWare XOS 10 1 Concepts Guide Status Monitoring and Statistics...

Страница 113: ...of features in concert you can substantially improve the security of your network The features described in this chapter are part of an overall approach to network security Network Access Security Ne...

Страница 114: ...ing Access Lists on the Switch on page 118 Displaying and Clearing ACL Counters on page 119 Creating IP Access Lists ACLs are created by writing a text file containing a number of rule entries Name th...

Страница 115: ...hing any of them it is permitted Often an ACL will have a rule entry at the end of the ACL with no match conditions This entry will match any packets not otherwise processed so that user can specify a...

Страница 116: ...761 krb prop 754 krbupdate 760 kshell 544 idap 389 login 513 mobileip agent 434 mobileip mn 435 msdp 639 netbios dgm 138 netbios ns 137 netbios ssn 139 nfsd 2049 nntp 119 ntalk 518 ntp 123 pop3 110 p...

Страница 117: ...rect for tos and host 3 redirect for tos and net 2 Time exceeded ttl eq zero during reassembly 1 ttl eq zero during transit 0 Unreachable communication prohibited by filtering 13 destination host proh...

Страница 118: ...ags syn_ack then accept count tcpcnt The following example denies ICMP echo request packets from the 10 203 134 0 24 subnet and increments the counter icmpcnt entry icmp if source address 10 203 134 0...

Страница 119: ...se the following command show access list counter countername any ports portlist ingress To clear the access list counters use the following command clear access list counter countername any ports por...

Страница 120: ...Any common text editor can be used to create a policy file The file is then transferred to the switch using TFTP and then applied To transfer policy files to the switch use the following command tftp...

Страница 121: ...ements on page 124 Policy Match Conditions Table 23 lists the possible policy entry match conditions Table 23 Policy Match Conditions Match Condition Description as path as number as path regular expr...

Страница 122: ...gin different from BGP route origin of a route A match statement route origin bgp will match routes whose origin are I bgp or e bgp or I mbgp or e mbgp Similarly the match statement route origin ospf...

Страница 123: ...3 15 The following AS Path statement matches AS paths beginning with AS number 111 and ending with any AS number from 2 8 as path 111 2 8 The following AS Path statement matches AS paths beginning wit...

Страница 124: ...remove Strips off the entire community attribute from a route Communities must be enclosed in double quotes cost cost 0 4261412864 Sets the cost metric for a route cost type ase type 1 ase type 2 ext...

Страница 125: ...reme Networks switches This example shows the policy equivalent to an access profile ExtremeWare Access Profile Seq_No Action IP Address IP Mask Exact 5 permit 22 16 0 0 255 252 0 0 No 10 permit 192 1...

Страница 126: ...policy above can be optimized by combining some of the if into a single expression The compact form of the policy will look like this entry permit_entry If match any nlri 22 16 0 0 14 nlri 192 168 0...

Страница 127: ...permit match med 30 set next hop 10 201 23 10 set as path 20 set as path 30 set as path 40 set as path 40 Entry 40 Action permit set local preference 120 set weight 2 Entry 50 Action permit match ori...

Страница 128: ...try 40 if then local preference 120 weight 2 permit entry entry 50 match any if origin incomplete community 19661200 then dampening half life 20 reuse limit 1000 suppress limit 3000 max suppress 40 pe...

Страница 129: ...en a policy file is changed adding deleting an entry adding deleting modifying a statement etc the new file can be downloaded to the switch and the user must refresh the policy so that the latest copy...

Страница 130: ...configure radius primary secondary server ipaddress hostname udp_port client ip ipaddress vr vr_name To configure the timeout if a server fails to respond use the following command configure radius t...

Страница 131: ...fecting the current state of RADIUS authentication To enable RADIUS accounting use the following command enable radius accounting To disable RADIUS accounting use the following command disable radius...

Страница 132: ...RADIUS when you configure users for read write access Configuring TACACS Terminal Access Controller Access Control System Plus TACACS is a mechanism for providing authentication authorization and acc...

Страница 133: ...Part 2 Using Switching and Routing Protocols...

Страница 134: ......

Страница 135: ...col STP functionality of the switch makes your network more fault tolerant The following sections explain more about STP and the STP features supported by ExtremeWare XOS NOTE STP is a part of the 802...

Страница 136: ...hird party switches running this version of STP For more information about how to configure the default encapsulation mode see Encapsulation Modes on page 139 encapsulation mode You can configure port...

Страница 137: ...a VLAN to an STPD that VLAN becomes a member of the STPD The two types of member VLANs in an STPD are Carrier Protected Carrier VLAN A carrier VLAN defines the scope of the STPD which includes the ph...

Страница 138: ...compatibility with third party switches using IEEE standard 802 1d When configured in this mode all rapid configuration mechanisms are disabled 802 1w mode Use this mode for compatibility with Rapid...

Страница 139: ...TP The STPDs running in this mode have a one to one relationship with VLANs and send and process packets in PVST format These encapsulation modes are for STP ports not for physical ports When a physic...

Страница 140: ...ng A port in the forwarding state accepts ingress traffic learns new MAC source addresses forwards traffic and receives and processes STP BPDUs Disabled A port in the disabled state does not participa...

Страница 141: ...atically removed from the STPD This allows the STPD to increase or decrease its span as ports are added to or removed from a carrier VLAN NOTE The carrier VLAN s StpdID must be identical to the VLANid...

Страница 142: ...reful attention to the STP configuration and its effect on the forwarding of VLAN traffic This section describes three types of STP configurations Basic STP Multiple STPDs on a single port EMISTP A VL...

Страница 143: ...r STP converges all the VLANs can communicate and all bridging loops are prevented The protected VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The...

Страница 144: ...in an STP topology All VLANs in each switch are members of the same STPD STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch Switch 2 ha...

Страница 145: ...1 and S2 still correspond to VLANs A and B respectively you can fine tune STP parameters to make the left link active in S1 and blocking in S2 while the right link is active in S2 and blocking in S1 O...

Страница 146: ...e domains local to other VLANs Figure 12 VLAN spanning multiple STPDs In addition the configuration in Figure 12 has these features Each site can be administered by a different organization or departm...

Страница 147: ...Figure 14 VLAN red the only VLAN in the figure spans domains 1 2 and 3 Inside each domain STP produces a loop free topology However VLAN red is still looped because the three domains form a ring among...

Страница 148: ...s on the physical port Third party PVST devices send VLAN 1 packets in a special manner ExtremeWare XOS does not support PVST for VLAN 1 Therefore when the switch receives a packet for VLAN 1 the pack...

Страница 149: ...t Supports the designated port on the same attached LAN segment Backup ports only exist when the bridge is connected as a self loop or to a shared media segment For more information about the backup p...

Страница 150: ...If the link is in full duplex mode or if link aggregation is enabled on the port an auto link behaves like a point to point link edge Configures the ports as edge ports point to point Configures the p...

Страница 151: ...to the forwarding state The default is 15 seconds The range is 4 to 30 seconds Table 32 Derived timers Timer Description TCN The root port uses the TCN timer when it detects a change in the network t...

Страница 152: ...e in RSTP Their role does not need to be confirmed If an edge port receives a BPDU it enters an inconsistency state An inconsistency state puts the edge port into the blocking state and starts the mes...

Страница 153: ...warding state there is a loop between these two ports To prevent this type of loop from occurring the recent backup timer starts The root port transition rule does not allow a new root port to be in t...

Страница 154: ...es the new STP topology Synchronizes all of the designated ports if the receiving port is the root port of the new topology Puts all unsynced designated ports into the blocking state Sends down furthe...

Страница 155: ...down bridge F detects the root port is down At this point bridge F Immediately disables that port from the STP Performs a configuration update After the configuration update bridge F Considers itself...

Страница 156: ...bridge E Regards itself as the new root bridge Sends BPDU messages on both of its designated ports to bridges F and D respectively Figure 18 New root bridge selected 3 When bridge F receives the super...

Страница 157: ...firmation of its designated role and to rapidly move the port into the designated state Figure 20 Sending a propose message to confirm a port role 5 Upon receiving the proposal bridge E Performs a con...

Страница 158: ...cy STP bridges Each RSTP bridge contains a port protocol migration state machine to ensure that the ports in the STPD operate in the correct configured mode The state machine is a protocol entity with...

Страница 159: ...h PVST and non PVST ports it must be enabled If it is disabled the BPDUs are flooded in the format of the incoming STP port which may be incompatible with those of the connected devices 802 1d ports m...

Страница 160: ...Port priority Port mode NOTE The device supports the RFC 1493 Bridge MIB RSTP 03 and Extreme Networks STP MIB Parameters of the s0 default STPD support RFC 1493 and RSTP 03 Parameters of any other ST...

Страница 161: ...defined STPDs is emistp EMISTP Configuration Example Figure 24 is an example of EMISTP Figure 24 EMISTP configuration example The following commands configure the switch located between S1 and S2 NOTE...

Страница 162: ...w Configuration Example Figure 25 is an example of a network with multiple STPDs that can benefit from RSTP For RSTP to work you need to do the following Create an STPD Configure the mode of operation...

Страница 163: ...ged configure vlan personnel add ports 1 1 2 1 tagged configure vlan marketing add ports 1 1 2 1 tagged configure stpd stpd1 add vlan sales ports all configure stpd stpd1 add vlan personnel ports all...

Страница 164: ...ge port etc STPD port state forwarding blocking and so on Configured port link type Operational port link type If you have a VLAN that spans multiple STPDs use the show vlan vlan_name stpd command to...

Страница 165: ...ocol VRRP RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol Draft IETF VRRP Specification v2 06 Overview VRRP is a protocol that allows multiple switches to provide re...

Страница 166: ...r more physical devices that acts as the default gateway for hosts on the network The virtual router is identified by a virtual router identifier VRID and an IP address VRRP router Any router that is...

Страница 167: ...wn in Figure 26 use the following command configure vlan vrrp1 add track iproute 10 10 10 0 24 The route specified in this command must exist in the IP routing table When the route is no longer availa...

Страница 168: ...rs This signals the backup routers that they do not need to wait for the master down interval to expire and the master election process for a new master can begin immediately The master down interval...

Страница 169: ...dcasts an ARP request that contains the virtual router MAC address in this case 00 00 5E 00 01 01 for each IP address associated with the virtual router Hosts on the network use the virtual router MAC...

Страница 170: ...8 1 3 Master router for VRID 1 Backup router for VRID 2 MAC address 00 00 5E 00 01 01 Switch B is configured as follows IP address 192 168 1 5 Master router for VRID 2 Backup router for VRID 1 MAC add...

Страница 171: ...range is 1 254 The default value is 100 ip_address One or more IP addresses associated with this virtual router This parameter has no default value advertisement_interval Time interval between adverti...

Страница 172: ...1 3 24 configure vrrp vlan vlan1 vrid 1 configure vrrp vlan vlan1 vrid 1 prioirty 255 configure vrrp vlan vlan1 vrid 1 add 192 168 1 3 enable vrrp The configuration commands for switch B are as follo...

Страница 173: ...an1 vrid 2 configure vrrp vlan vlan1 vrid 2 add 192 168 1 5 enable vrrp The configuration commands for switch B are as follows configure vlan vlan1 ipaddress 192 168 1 5 24 create vlan vlan1 vrid 2 co...

Страница 174: ...174 ExtremeWare XOS 10 1 Concepts Guide Virtual Router Redundancy Protocol...

Страница 175: ...quirements for IP Version 4 Routers NOTE For more information on interior gateway protocols see Chapter 13 For information on exterior gateway protocols see Chapter 14 Overview of IP Unicast Routing T...

Страница 176: ...ferent VLANs In Figure 31 a BlackDiamond switch is depicted with two VLANs defined Finance and Personnel All ports on slots 1 and 3 are assigned to Finance all ports on slots 2 and 4 are assigned to P...

Страница 177: ...outes are aged out of the table when an update for the network is not received for a period of time as determined by the routing protocol Static Routes Static routes are manually entered into the rout...

Страница 178: ...how to use proxy ARP with the switch ARP Incapable Devices To configure the switch to respond to ARP Requests on behalf of devices that are incapable of doing so you must configure the IP address and...

Страница 179: ...ets to 100 101 45 67 Relative Route Priorities Table 35 lists the relative priorities assigned to routes depending upon the learned source of the route NOTE Although these priorities can be changed do...

Страница 180: ...spf Verifying the IP Unicast Routing Configuration Use the show iproute command to display the current configuration of IP unchaste routing for the switch and for each VLAN The show iproute command di...

Страница 181: ...raffic is directed to the VLAN MyCompany In this configuration all IP traffic from stations connected to slots 1 and 3 have access to the router by way of the VLAN Finance Ports on slots 2 and 4 reach...

Страница 182: ...from clients on subnets being serviced by the switch and going to hosts on different subnets This feature can be used in various applications including DHCP services between Windows NT servers and cl...

Страница 183: ...P Echo Server You can use UDP Echo packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command rtlookup To disab...

Страница 184: ...184 ExtremeWare XOS 10 1 Concepts Guide IP Unicast Routing...

Страница 185: ...on page 199 Displaying OSPF Settings on page 200 This chapter assumes that you are already familiar with IP unicast routing If not refer to the following publications for additional information RFC 10...

Страница 186: ...ical routing table created from information obtained from all routers in the autonomous system Each router builds a shortest path tree using itself as the root The link state protocol ensures that upd...

Страница 187: ...the route timeout period 180 seconds by default the router assumes the connection between it and its neighbor is no longer available Split Horizon Split horizon is a scheme for avoiding problems caus...

Страница 188: ...ained from the perspective of that router From the link state database LSDB each router constructs a tree of shortest paths using itself as the root The shortest path tree provides the route to each d...

Страница 189: ...n the OSPF database Opaque LSAs are most commonly used to support OSPF traffic engineering Normally support for opaque LSAs is auto negotiated between OSPF neighbors In the event that you experience i...

Страница 190: ...from all other ABRs The ABR then forms a picture of the distance to all networks outside of its area by examining the collected advertisements and adding in the backbone distance to each advertising...

Страница 191: ...is elected to perform translation as indicated in the NSSA specification The option should not be used on NSSA internal routers Doing so inhibits correct operation of the election algorithm Normal Are...

Страница 192: ...area For example in Figure 34 if the connection between ABR1 and the backbone fails the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the b...

Страница 193: ...mous system and a RIP autonomous system Table 37 OSPF Link Types Link Type Number of Routers Description Auto Varies ExtremeWare XOS automatically determines the OSPF link type based on the interface...

Страница 194: ...tion functions For example to run OSPF and RIP simultaneously you must first configure both protocols and then verify the independent operation of each Then you can configure the routes to export from...

Страница 195: ...ociated with the export command the policy is applied on every exported route The exported routes can also be filtered using policies Verify the configuration using the command show ospf Re Distributi...

Страница 196: ...s on slots 2 and 4 have been assigned IP address 192 207 36 1 MyCompany Port based VLAN All ports on slots 1 through 4 have been assigned Figure 36 RIP configuration example The stations connected to...

Страница 197: ...must have a unique router ID It is recommended that you manually set the router ID of the switches participating in OSPF instead of having the switch automatically choose its router ID based on the h...

Страница 198: ...ets Smaller times allow routers to discover each other more quickly but also increase network traffic The default value is 10 seconds Dead router wait interval Dead Interval The interval after which a...

Страница 199: ...ters ABR1 and ABR2 Network number 10 0 x x Two identified VLANs HQ_10_0_2 and HQ_10_0_3 Area 5 is connected to the backbone area by way of ABR1 and ABR2 It is located in Chicago and has the following...

Страница 200: ...255 255 255 0 configure vlan LA_161_48_2 ipaddress 161 48 2 2 255 255 255 0 configure vlan Chi_160_26_26 ipaddress 160 26 26 1 255 255 255 0 create ospf area 0 0 0 5 create ospf area 0 0 0 6 enable i...

Страница 201: ...ll of the criteria are displayed This allows you to control the displayed entries in large routing tables To display the current link state database use the following command show ospf lsdb detail sta...

Страница 202: ...202 ExtremeWare XOS 10 1 Concepts Guide Interior Gateway Protocols...

Страница 203: ...efer to the following documents RFC 1771 Border Gateway Protocol version 4 BGP 4 RFC 1965 Autonomous System Confederations for BGP RFC 1966 BGP Route Reflection RFC 1997 BGP Communities Attribute RFC...

Страница 204: ...iminator Used to select a particular border router in another AS when multiple border routers exist Local_Preference Used to advertise this router s degree of preference to other routers within the AS...

Страница 205: ...g the Loopback Interface on page 211 BGP Peer Groups on page 211 BGP Route Flap Dampening on page 212 BGP Route Selection on page 213 Route Re Distribution on page 214 BGP Static Network on page 215 R...

Страница 206: ...ice versa Routes received from 1 1 1 1 will be reflected to all clients To configure router 1 1 1 1 use the following commands create vlan to_rr config vlan to_rr add port 1 1 config vlan to_rr ipaddr...

Страница 207: ...o_rr config bgp router 3 3 3 3 config bgp as number 100 create bgp neighbor 20 0 0 2 remote as 100 enable bgp neighbor all enable bgp To configure router 4 4 4 4 use the following commands create vlan...

Страница 208: ...confederation and outside ASs To configure router A use the following commands create vlan ab configure vlan ab add port 1 configure vlan ab ipaddress 192 1 1 6 30 enable ipforwarding vlan ab configur...

Страница 209: ...routerid 192 1 1 22 configure bgp confederation id 200 enable bgp create bgp neighbor 192 1 1 6 remote AS number 65001 create bgp neighbor 192 1 1 21 remote AS number 65001 create bgp neighbor 192 1...

Страница 210: ...ber 65002 configure bgp routerid 192 1 1 14 configure bgp confederation id 200 enable bgp create bgp neighbor 192 1 1 9 remote AS number 65001 create bgp neighbor 192 1 1 13 remote AS number 65002 con...

Страница 211: ...gateway protocol you may decide to advertise the interface as available regardless of the status of any particular interface The loopback interface can also be used for EBGP multihop Using the loopbac...

Страница 212: ...e route becomes available again an Advertisement message is sent and propagated throughout the network As a route repeatedly changes from available to unavailable large numbers of messages propagate t...

Страница 213: ...esired parameters Disabling Route Flap Dampening To disable route flap dampening for a BGP neighbor disabling the dampening will also delete all the configured dampening parameters use the following c...

Страница 214: ...remove private AS numbers Route Re Distribution BGP OSPF and RIP can be enabled simultaneously on the switch Route re distribution allows the switch to exchange routes including static direct and VIP...

Страница 215: ...om the routing table to BGP If you use both commands to redistribute routes the routes redistributed using the network command take precedence over routes redistributed using the export command BGP St...

Страница 216: ...216 ExtremeWare XOS 10 1 Concepts Guide Exterior Gateway Routing Protocols...

Страница 217: ...ersion 2 The following URLs point to the Web sites for the IETF Working Groups IEFT PIM Working Group http www ietf org html charters pim charter html Overview IP multicast routing is a function that...

Страница 218: ...s beneficial for large networks that have group members who are sparsely distributed Using PIM SM the router sends a join message to the rendezvous point RP The RP is a central multicast router that i...

Страница 219: ...fic floods within a given VLAN IGMP snooping expects at least one device on every VLAN to periodically generate IGMP query messages The static IGMP snooping entries do not require periodic query but d...

Страница 220: ...see Management Access Security on page 129 After you have created an policy file use the following command to associate the policy file and filter a set of ports configure igmp snooping vlan vlan name...

Страница 221: ...outing using PIM DM In Figure 41 the system labeled ABR1 is configured for IP multicast routing using PIM SM PIM DM Configuration Example Figure 40 IP multicast routing using PIM DM configuration exam...

Страница 222: ...ble ospf enable ipmcforwarding configure pim add vlan all dense enable pim The following example configures PIM SM Figure 41 IP multicast routing using PIM SM configuration example Area 0 10 0 1 1 10...

Страница 223: ...HQ_10_0_3 ipaddress 10 0 3 1 255 255 255 0 configure vlan LA_161_48_2 ipaddress 161 48 2 2 255 255 255 0 configure vlan CHI_160_26_26 ipaddress 160 26 26 1 255 255 255 0 configure ospf add vlan all ar...

Страница 224: ...224 ExtremeWare XOS 10 1 Concepts Guide IP Multicast Routing...

Страница 225: ...Part 3 Appendixes...

Страница 226: ......

Страница 227: ...either a Trivial File Transfer Protocol TFTP server on the network or from a PC connected to the serial port using the XMODEM protocol Downloading a new image involves the following steps Loading the...

Страница 228: ...ndary When downloading a new image you select which partition primary or secondary to install the new image If you do not specify a partition the software image is downloaded and installed into the cu...

Страница 229: ...run on the switch As you make configuration changes the new settings are stored in run time memory Settings that are stored in run time memory are not retained by the switch when the switch is reboot...

Страница 230: ...ges or n to cancel the process To use the configuration use the following command use configuration primary secondary file_name Where the following is true primary Specifies the primary saved configur...

Страница 231: ...cified file from the local host and copies it to the TFTP server local_file Specifies the name of the configuration file that you want to save to the TFTP server If you upload a configuration file and...

Страница 232: ...ion file and see the following message Error Transfer timed out Check to make sure that you entered the file name correctly including the cfg extension and that you entered the correct IP address for...

Страница 233: ...show images command Selecting an image To change the image that the switch boots from in flash memory use the boot image name command If you specify image name the specified image is booted If you do...

Страница 234: ...234 ExtremeWare XOS 10 1 Concepts Guide Software Upgrade and Boot Options...

Страница 235: ...cure Cables are free from damage The devices at both ends of the link are powered up Both ends of the Gigabit link are set to the same autonegotiation state The Gigabit link must be enabled or disable...

Страница 236: ...power up the switch If this does not work try using a different power source different power strip outlet and power cord Using the Command Line Interface The initial welcome prompt does not display C...

Страница 237: ...device a problem with the original port is indicated Re examine the connections and cabling A network problem may be preventing you accessing the device over the network Try accessing the device thro...

Страница 238: ...Extreme switch and another network device will cause poor network performance Viewing statistics using the show ports rxerrors command on the Extreme switch may display a constant increment of CRC err...

Страница 239: ...should have a corresponding VLAN ID for the VLAN on the other switch If you are connecting to a third party device and have checked that the VLAN IDs are the same the Ethertype field used to identify...

Страница 240: ...Statistics on page 91 System Health Check The system health check tests the backplane the CPU and I O modules by periodically forwarding packets and checking for the validity of these packets If you...

Страница 241: ...pport If you have a network issue that you are unable to resolve contact Extreme Networks technical support Extreme Networks maintains several Technical Assistance Centers TACs around the world to ans...

Страница 242: ...242 ExtremeWare XOS 10 1 Concepts Guide Troubleshooting...

Страница 243: ...ess Resolution Protocol Or converting network protocol addresses to 48 bit Ethernet address for transmission on Ethernet hardware RFC 2338 Virtual Router Redundancy Protocol Draft VRRP spec v2 06 mino...

Страница 244: ...ns for BGP RFC 2796 BGP Route Reflection An Alternative to Full Mesh IBGP RFC 1997 BGP Communities Attribute RFC 1745 BGP4 IDRP for IP OSPF Interaction RFC 2385 Protection of BGP Sessions via the TCP...

Страница 245: ...imple Network Management Protocol SNMP Applications RFC 3414 User based Security Model USM for version 3 of the Simple Network Management Protocol SNMPv3 RFC 3415 View based Access Control Model VACM...

Страница 246: ...and Standards DiffServ Standards and MIBs RFC 2474 Definition of the Differentiated Services Field DS Field in the IPv4 and IPv6 Headers RFC 2475 An Architecture for Differentiated Services RFC 2597 A...

Страница 247: ...onomous system path 204 cluster 205 community 205 description 204 features 205 loopback interface 211 peer groups creating 211 description 211 mandatory parameters 211 neighbors 212 redistributing to...

Страница 248: ...See FDB G Greenwich Mean Time Offsets table 51 groups 43 I IEEE 802 1Q 64 IGMP description 219 snooping 219 static 219 image downloading 227 primary and secondary 228 upgrading 227 interfaces router 1...

Страница 249: ...stub area 190 virtual link 191 wait interval configuring 197 P partition 228 passwords default 28 forgetting 29 path MTU discovery 56 permanent entries FDB 77 Per VLAN Spanning Tree See PVST PIM mode...

Страница 250: ...Routing Information Protocol See RIP routing table populating 177 routing See IP unicast routing RSTP configuring link types 150 designated port rapid behavior 154 link types 150 auto 150 broadcast 15...

Страница 251: ...41 Telnet connecting to another host 35 disconnecting a session 38 maximum sessions 35 opening a session 35 using 35 Terminal Access Controller Access Control System Plus See TACACS TFTP connecting to...

Страница 252: ...8 171 master router 166 multicast address 168 operation 169 preempt mode 171 priority 166 168 171 redundancy 170 route table tracking 166 skew time 168 171 tracking description 166 virtual router 166...

Страница 253: ...configure node priority 98 configure osfp area nssa 191 configure osfp area stub 190 configure osfp ase limit 189 configure ospf area timer 197 configure ospf timer 197 configure ospf virtual link tim...

Страница 254: ...01 disable ospf capability opaque lsa 189 disable ospf export 177 195 disable ports 26 54 disable radius 130 disable radius accounting 131 disable rip export 195 disable rip exportstatic 177 disable s...

Страница 255: ...ow odometer 240 show ospf 195 200 show ospf area 201 show ospf interfaces 201 show ospf lsdb 201 show ospf lsdb area lstype 201 show ports info 89 90 show ports qosmonitor 90 show ports rxerrors 94 sh...

Страница 256: ...4 ExtremeWare XOS 10 1 Concepts Guide Index of Commands...

Отзывы:

Нет отзывов

Похожие инструкции для ExtremeWare XOS 10.1

Бренд: Samsung Страницы: 7

and Vantage Pro

Бренд: DAVIS Страницы: 16

Бренд: KIP Страницы: 22

Бренд: TANDBERG Страницы: 10

Бренд: FARONICS Страницы: 80

Бренд: Tascam Страницы: 6

Бренд: TRENDnet Страницы: 21

READIRIS 12 PRO

Бренд: IRIS Страницы: 6

Бренд: EverFocus Страницы: 123

FILES AND FOLDERS

Бренд: Pfaff Страницы: 8

CONTRIBUTE 3-DEPLOYING CONTRIBUTE

Бренд: MACROMEDIA Страницы: 38

Бренд: ZENEC Страницы: 80

VIAVOICE-SIMPLY DICTATION FOR MAC OS X

Бренд: IBM Страницы: 92

Interactive UNIX

Бренд: ICP Страницы: 6

Бренд: Quantum Страницы: 16

Бренд: Minolta Страницы: 92

ThinkCentre M51

Бренд: Lenovo Страницы: 72

Бренд: Janome Страницы: 7

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды