Extreme Networks ExtremeWare XOS 11.1 Скачать руководство пользователя | Manualshive

Страница: 230 / 496

background image

Security

ExtremeWare XOS 11.1 Concepts Guide

230

Disadvantages of Web-based Authentication:

●

The login process involves manipulation of IP addresses and must be done outside the scope of a
normal computer login process. It is not tied to Windows login. The client must bring up a login
page and initiate a login.

●

Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the
authenticator side.

●

This method is not as effective in maintaining privacy protection.

802.1x Authentication Methods

802.1x authentication methods govern interactions between the supplicant (client) and the
authentication server. The most commonly used methods are Transport Layer Security (TLS); Tunneled
TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP.

TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong
as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can
issue, renew, and revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by
contrast with TLS, which requires client and server certificates. With TTLS, the client can use the MD5
mode of username/password authentication.

If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server,
and 802.1x client on how to set up a PKI configuration.

Campus and ISP Modes

Network login supports two modes of operation, Campus and ISP. Campus mode is intended for
mobile users who tend to move from one port to another and connect at various locations in the
network. ISP mode is meant for users who connect through the same port and VLAN each time (the
switch functions as an ISP).

In campus mode, the clients are placed into a permanent VLAN following authentication with access to
network resources. For wired ports, the port is moved from the temporary to the permanent VLAN.

In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in
an unauthenticated state. After authentication, the port forwards packets.

User Accounts

You can create two types of user accounts for authenticating network login users: netlogin-only enabled
and netlogin-only disabled. A netlogin-only disabled user can log in using network login and can also
access the switch using Telnet or SSH. A netlogin-only enabled user can only log in using network login
and cannot access the switch using the same login.

Add the following line to the RADIUS server dictionary file for netlogin-only disabled users:

Extreme:Extreme-Netlogin-Only = Disabled

Add the following line to the RADIUS server dictionary file for netlogin-only enabled users:

Extreme:Extreme-Netlogin-Only = Enabled

«
...
228
229
230
231
232
...
»

Содержание ExtremeWare XOS 11.1

Страница 1: ...s Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com ExtremeWare XOS Concepts Guide Software Version 11 1 Published December 2004 Part number 10...

Страница 2: ...S operating system is based in part on the Linux operating system The machine readable copy of the corresponding source code is available for the cost of distribution Please direct requests to Extreme...

Страница 3: ...Aspen 8810 Switch Only 27 Advanced Core License BlackDiamond 10K Switch Only 28 Security Licensing 29 Software Factory Defaults 29 Chapter 2 Accessing the Switch 31 Understanding the Command Syntax 31...

Страница 4: ...Using the Trivial File Transfer Protocol 50 Connecting to Another Host Using TFTP 50 Understanding System Redundancy 51 Node Election 51 Replicating Data Between Nodes 52 Viewing Node Status 54 Under...

Страница 5: ...Frames on the Aspen 8810 Switch Only 84 Enabling Jumbo Frames 84 Path MTU Discovery 84 IP Fragmentation with Jumbo Frames 85 IP Fragmentation within a VLAN 86 Load Sharing on the Switch 86 Load Sharin...

Страница 6: ...us Monitoring 121 Viewing Port Statistics 121 Viewing Port Errors 122 Using the Port Monitoring Display Keys 123 Slot Diagnostics 123 Running Diagnostics on I O and Management Modules 124 Observing LE...

Страница 7: ...figuration Examples 161 Displaying VLAN Settings 162 Displaying Protocol Information 163 Tunneling VMANs 163 Guidelines for Configuring VMANs 164 Configuring VMANs 165 Displaying VMAN Configurations 1...

Страница 8: ...0 Routing Policy File Syntax 191 Policy Examples 195 Chapter 12 Quality of Service 201 Overview of Policy Based Quality of Service 201 Applications and Types of QoS 202 Voice Applications 202 Video Ap...

Страница 9: ...Displaying Network Login Settings 236 Disabling Network Login 236 Additional Configuration Details 236 MAC Based Authentication 237 DHCP Server 238 DHCP Server on the Switch 238 Displaying DHCP Infor...

Страница 10: ...Protected VLANs 278 Enabling and Disabling Fast Convergence 278 Enabling and Disabling an EAPS Domain 278 Enabling and Disabling EAPS on the Switch 278 Unconfiguring an EAPS Ring Port 279 Displaying...

Страница 11: ...ation Example 321 RSTP 802 1w Configuration Example 322 Displaying STP Settings 323 Chapter 17 Extreme Standby Router Protocol 325 Overview of ESRP 325 ESRP Modes of Operation 325 ESRP and ELRP 326 Re...

Страница 12: ...Chapter 18 Virtual Router Redundancy Protocol 355 Overview 355 Determining the VRRP Master 355 VRRP Tracking 356 Electing the Master Router 358 Additional VRRP Highlights 358 VRRP Operation 359 Simpl...

Страница 13: ...Advertisement of VLANs 383 RIP Version 1 Versus RIP Version 2 383 Overview of OSPF 384 Licensing 384 OSPF Edge Mode 384 Link State Database 384 Areas 386 Point to Point Support 389 Route Redistributio...

Страница 14: ...Image 421 Understanding the Image Version String 421 Software Signatures 422 Rebooting the Switch 422 Rebooting the Management Module 422 Understanding Hitless Upgrade BlackDiamond 10K Switch Only 42...

Страница 15: ...view of the System Health Checker 446 Enabling and Disabling Backplane Diagnostic Packets on the Switch 447 Configuring Backplane Diagnostic Packets on the Switch 447 System Odometer 448 Temperature O...

Страница 16: ...Contents ExtremeWare XOS 11 1 Concepts Guide 16...

Страница 17: ...rks LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Internet Protocol IP concepts Routing Information Protocol RIP and Open Shortest Path First OSPF Border Gateway Pro...

Страница 18: ...tem damage or loss of data Warning Risk of severe personal injury Table 2 Text conventions Convention Description Screen displays This typeface indicates command syntax or represents information as it...

Страница 19: ...ference guide for any command mentioned in the user guide To ensure that the quick referencing feature functions properly follow these steps 1 Download both the user guide PDF file and the command ref...

Страница 20: ...Preface ExtremeWare XOS 11 1 Concepts Guide 20...

Страница 21: ...1 Using ExtremeWare XOS...

Страница 22: ......

Страница 23: ...switches ExtremeWare XOS 10 1 and higher Aspen 8810 switch ExtremeWare XOS 11 1 and higher Summary of Features The features of ExtremeWare XOS include Virtual local area networks VLANs including supp...

Страница 24: ...dditionally supports user created virtual routers ExtremeWare XOS supports virtual routers This capability allows a single physical switch to be split into multiple virtual routers This feature separa...

Страница 25: ...formation For more information on SSH see Chapter 13 EAPS With software version 11 0 the switch supports Ethernet Automatic Protection Switching EAPS This Extreme Networks proprietary protocol provide...

Страница 26: ...3 and Layer 2 redundancy can be used separately or together Using ESRP allows you to simplify your network and it works very well in meshed networks where Layer 2 loop protection and Layer 3 redundan...

Страница 27: ...by using a software key Keys are typically unique to the switch and are not transferable Keys are stored in NVRAM and once enabled persist through reboots software upgrades power outages and reconfigu...

Страница 28: ...y purchasing a license voucher from Extreme Networks Please contact your supplier to purchase a voucher The voucher contains information and instructions on obtaining a license key for the switch usin...

Страница 29: ...ail address Ability to use a Web browser to download a file WinZip format to uncompress a zip file Security Features Under License Control ExtremeWare XOS software supports the SSH2 protocol which all...

Страница 30: ...port and contains only that port The switch uses the Ethernet management port for host operation only not for switching or routing 802 1Q tagging All packets are untagged on the default VLAN default...

Страница 31: ...tremeWare XOS commands You may enter configuration commands at the prompt At the prompt you may enter only monitoring commands not configuration commands As you are booting up you may see the command...

Страница 32: ...wable abbreviation of a command or parameter Typically this is the first three letters of the command If you do not enter enough letters to allow the switch to determine which command you mean the syn...

Страница 33: ...tes all ports on slot 3 You can specify a range of slots and ports For example port 2 3 4 5 indicates slot 2 port 3 through slot 4 port 5 Names All named components within a category of the switch con...

Страница 34: ...s in a list one of which must be entered For example in the syntax configure snmp add community readonly readwrite alphanumeric_string you must specify either the read or write community string in the...

Страница 35: ...Interrupts the current CLI command execution Table 6 Common commands Command Description clear session sessId all Terminates a Telnet session from the switch configure account name Configures a user a...

Страница 36: ...characters create vlan vlan_name vr vr name Creates a VLAN NOTE The Aspen 8810 switch does not use the vr optional parameter delete account name Deletes a user account delete vlan vlan_name Deletes a...

Страница 37: ...icular software feature license Specify license_key as an integer The command unconfigure switch all does not clear licensing information This license cannot be disabled once it is enabled on the swit...

Страница 38: ...xt is taken from the SNMP sysname setting The number that follows the colon indicates the sequential line of the specific command or line If an asterisk appears in front of the command line prompt it...

Страница 39: ...urse of action Creating a Management Account The switch can have a total of 16 management accounts You can use the default names admin and user or you can create new names and passwords for the accoun...

Страница 40: ...this account Protect this information carefully To access your switch using the failsafe account you must connect to the serial port of the switch You cannot access the failsafe account through any o...

Страница 41: ...ing command configure dns client default domain For example if you specify the domain xyz inc com as the default domain then a command such as ping accounting1 will be taken as if it had been entered...

Страница 42: ...switch to trace the hops until the time to live has been exceeded for the switch port uses the specified UDP port number icmp uses ICMP echo messages to trace the routed path Table 8 Ping command par...

Страница 43: ...following methods Access the command line interface CLI by connecting a terminal or workstation with terminal emulation software to the console port Access the switch remotely using TCP IP through one...

Страница 44: ...he switch until a connection is terminated or you access the switch via the console If you configure a new limit only new incoming shell sessions are affected If you decrease the limit and the current...

Страница 45: ...subnet_mask configure iproute add default gateway vr vrname metric multicast only unicast only Authenticating Users ExtremeWare XOS provides three methods to authenticate users who log in to the swit...

Страница 46: ...bled and uses VR Mgmt by default NOTE Maximize the Telnet screen so that automatically updating screens display correctly If you use Telnet to establish a connection to the switch you must specify the...

Страница 47: ...und on the rear label of the switch IP address Subnet address mask optional The switch contains a Bootstrap Protocol BOOTP and Dynamic Host Configuration Protocol DHCP client so if you have a BOOTP or...

Страница 48: ...your terminal press Return one or more times until you see the login prompt 3 At the login prompt enter your user name and password Note that they are both case sensitive Ensure that you have entered...

Страница 49: ...tch by typing logout or quit Configuring Telnet Access to the Switch By default Telnet services are enabled on the switch and all virtual routers listen for incoming Telnet requests NOTE The Aspen 881...

Страница 50: ...the Trivial File Transfer Protocol ExtremeWare XOS supports the Trivial File Transfer Protocol TFTP based on RFC 1350 TFTP is a method used to transfer files from one network device to another The Ext...

Страница 51: ...in slot A has master status The Device Manager collects the node health information and forwards that information to the Node Manager The Node Manager then computes the quality of the node which is l...

Страница 52: ...ed to step 2 If the nodes are not synchronized and one MSM is running ExtremeWare XOS 10 1 or earlier proceed to step 3 If the nodes are synchronized proceed to step 3 2 Use the synchronize command to...

Страница 53: ...y NOTE To ensure that all of the configuration commands in the backup s flash are updated issue the save command after you make any changes If a failover occurs the backup MSM continues to use the mas...

Страница 54: ...tus collected by the switch Table 9 Node states Node State Description BACKUP In the backup state this node becomes the master node if the master fails or enters the DOWN state The backup node also re...

Страница 55: ...ExtremeWare XOS boots up it reads and analyzes the installed I O modules ExtremeWare XOS considers the I O modules for power up from the lowest numbered slot to the highest numbered slot based on thei...

Страница 56: ...can mix PSUs with 110V and 220V AC inputs but if any PSUs with 110V AC inputs are present the switch treats all PSUs as if they have 110V AC inputs Displaying Power Supply Information To view the sys...

Страница 57: ...tly support SNMPv1 v2c and SNMPv3 The default is both types of SNMP enabled Network managers can access the device with either SNMPv1 v2c methods or SNMPv3 To enable concurrent support use the followi...

Страница 58: ...e trapreceiver command Entries in the trap receiver list can also be created modified and deleted using the RMON2 trapDestTable MIB table as described in RFC 2021 Community strings The community strin...

Страница 59: ...RFC 2575 View based Access Control Model V ACM for the Simple Network Management Protocol SNMP talks about VACM as a way to access the MIB The SNMPv3 standards for network management were primarily d...

Страница 60: ...ty related aspects like authentication encryption of SNMP messages and defining users and their various access security levels This standard also encompasses protection against message delay and messa...

Страница 61: ...rs use the following command show snmpv3 user hex hex_user_name user_name To delete a user use the following command configure snmpv3 delete user all non defaults hex hex_user_name user_name NOTE The...

Страница 62: ...3 supports three security models SNMPv1 no security SNMPv2c community strings based security SNMPv3 USM security The default is USM You can select the security model based on the network manager in yo...

Страница 63: ...in hex notation this is used for the ExtremeWare XOS CLI 1 3 6 1 2 1 1 fe To define a view that includes the entire MIB 2 use the following subtree mask 1 3 6 1 2 1 1 1 1 1 1 1 0 0 0 which in the CLI...

Страница 64: ...t port_number from src_ip_address tag list tag_list volatile In configuring the target address you supply an address name that identifies the target address a parameters name that indicates the MP mod...

Страница 65: ...target parameter name The filters that make up the profile are created and associated with the profile using a different command To create a filter profile use the following command configure snmpv3 a...

Страница 66: ...otify hex hex_notify_name notify_name To delete an entry from the snmpNotifyTable use the following command configure snmpv3 delete notify hex hex_notify_name notify_name all non defaults You cannot d...

Страница 67: ...u can set up automatic daylight savings adjustment with the command configure timezone GMT_offset autodst If your time zone uses starting and ending dates and times that differ from the default you ca...

Страница 68: ...the switch waits for the sntp client update interval before querying again 5 Optionally the interval for which the SNTP client updates the real time clock of the switch can be changed using the follo...

Страница 69: ...Casablanca Morocco 1 00 60 WAT West Africa Cape Verde Islands 2 00 120 AT Azores Azores 3 00 180 Brasilia Brazil Buenos Aires Argentina Georgetown Guyana 4 00 240 AST Atlantic Standard Caracas La Paz...

Страница 70: ...0 0 1 2 4 00 240 ZP4 Russia Zone 3 Abu Dhabi UAE Muscat Tblisi Volgograd Kabul 5 00 300 ZP5 Russia Zone 4 5 30 330 IST India Standard Time New Delhi Pune Allahabad India 6 00 360 ZP6 Russia Zone 5 7 0...

Страница 71: ...the ExtremeWare XOS applications Understanding the ExtremeWare XOS Software NOTE For information about downloading and upgrading a new software image saving configuration changes and upgrading the Bo...

Страница 72: ...er using TFTP For detailed information about downloading switch configurations see Chapter A Software Upgrade and Boot Options For detailed information about downloading policies and ACLs see Chapter...

Страница 73: ...ion policy files have a pol file extension When you copy a configuration or policy file from the system make sure you specify the appropriate file extension For example if you want to copy a policy fi...

Страница 74: ...Jun 30 17 10 roytest cfg Deleting Files From the Switch To delete a configuration or policy file from your system use the following command rm memorycard file name Where the following is true memoryc...

Страница 75: ...ry partition or another space The file names primary and secondary exist for backward compatibility with ExtremeWare Downloading configuration files ExtremeWare XOS uses the tftp command to download c...

Страница 76: ...graceful Specifies that the process shutdown gracefully by closing all opened connections notifying peers on the network and other types of process cleanup slot Specifies the slot number of the MSM A...

Страница 77: ...tness of the system By isolating and having separate memory space for each individual process you can more easily identify the process or processes that experience a problem To display the current sys...

Страница 78: ...Managing the ExtremeWare XOS Software ExtremeWare XOS 11 1 Concepts Guide 78...

Страница 79: ...therwise if the modular switch is rebooted or the module is removed from the slot the port VLAN and module configuration information is not saved NOTE For information on saving the configuration see A...

Страница 80: ...a module consisting solely of data or I O ports The primary MSM must be in slot A in the Aspen 8810 switch which is referred to as slot 5 when working with the data ports If you have a secondary MSM...

Страница 81: ...2 7 15 Refer to Displaying Port Configuration Information for information on displaying link status Configuring Switch Port Speed and Duplex Setting NOTE Refer to Displaying Port Configuration Informa...

Страница 82: ...link back up and the traffic automatically resumes The Extreme Networks implementation of LFS conforms to the IEEE standard 802 3ae 2002 NOTE On the BlackDiamond 10K switch the 10 Gbps module must hav...

Страница 83: ...t wire speed on all ports The configuration for jumbo frames is saved across reboots of the switch Jumbo frames are used between endstations that support larger frame sizes for more efficient transfer...

Страница 84: ...nfigured maximum MTU size that does not include the additional 4 bytes of CRC Ensure that the NIC maximum MTU size is at or below the maximum MTU size configured on the switch Frames that are larger t...

Страница 85: ...e host continues to set DF in all datagrams so that if the route changes and the new path MTU is lower the host can perform path MTU discovery again IP Fragmentation with Jumbo Frames NOTE The Aspen 8...

Страница 86: ...r to the same feature which allows multiple physical ports to be aggregated into one logical port Refer to IEEE 802 3ad for more information on this feature The advantages to load sharing include an i...

Страница 87: ...must go down before the software controlled redundant port takes effect Load Sharing Algorithms Load sharing or link aggregation algorithms allow you to select the distribution technique used by the...

Страница 88: ...explicitly select an algorithm the port based scheme is used However the address based algorithm has a more even distribution and is the recommended choice Address based load sharing When you configur...

Страница 89: ...switch 128 Aspen 8810 switch 32 The ports in the group do not need to be contiguous A load sharing group that spans multiple modules must use ports that have the same maximum bandwidth capability wit...

Страница 90: ...he load sharing group will have those ports deleted from the VLAN when load sharing becomes enabled Address based load sharing can also span modules Single Module Load Sharing on a Modular Switch The...

Страница 91: ...ts The monitor port can then be connected to a network analyzer or RMON probe for packet analysis The system uses a traffic filter that copies a group of traffic to the monitor port You can have only...

Страница 92: ...e untagged ports send mirrored traffic to the monitor port that traffic also egresses the monitor port as tagged And if mirroring is enabled as untagged on the monitor port all traffic egressing the m...

Страница 93: ...ng add port 6 5 ingress The following example selects slot 3 port 4 as the monitor port and send all traffic sent from slot 6 port 5 to the monitor port enable mirroring to port 3 4 configure mirrorin...

Страница 94: ...EDP is used to by the switches to exchange topology information Information communicated using EDP includes Switch MAC address switch ID Switch software version information Switch IP address Switch V...

Страница 95: ...39 2 40 2 4 1 2 42 Additionally you view EDP information by using the following command show edp port ports detail The following is sample output from the show edp ports 1 1 detail command Port 1 1 E...

Страница 96: ...ort to active if the redundant port fails A typical configuration of software controlled redundant ports is a dual homed implementation Figure 1 This example maintains connectivity only if the link be...

Страница 97: ...tional traffic the recovery is immediate NOTE On the BlackDiamond 10K switch 10 Gbps modules with a serial number lower than 804405 00 09 the software redundant port feature cover only those failures...

Страница 98: ...undant software controlled redundancy ports use the following commands show ports information show port port_list information detail The following is sample output of the show port 1 1 information det...

Страница 99: ...ll the ports or more detailed configuration information on specific ports The following sample output is from the show ports configuration command and displays the port configuration for all ports sho...

Страница 100: ...State D Disabled E Enabled The show ports information command shows you either summary information on all the ports or more detailed information on specific ports The output from the command differs...

Страница 101: ...nabled DLCS Unsupported lbDetect Unsupported Learning Enabled Flooding Enabled Jumbo Disabled BG QoS monitor Unsupported Egress Port Rate 128 Kbps Max Burst Size 200 Kb Broadcast Rate No limit Multica...

Страница 102: ...Learning Enabled Flooding Enabled Jumbo Disabled BG QoS monitor Unsupported QoS Profile None configured Queue QP1 MinBw 0 MaxBw 100 Pri 1 QP2 MinBw 0 MaxBw 100 Pri 2 QP3 MinBw 0 MaxBw 100 Pri 3 QP4 Mi...

Страница 103: ...e power distribution for PoE at the system slot and port levels Real time discovery and classification of 802 3af compliant PDs and many legacy devices Monitor and control of port PoE fault conditions...

Страница 104: ...vides power to the PDs Enabling PoE to the Switch You enable or disable inline power to the entire switch or per slot or per port Then you must reserve power for each PoE Slot refer to Power Reserve B...

Страница 105: ...umbered slots will be powered down NOTE PoE modules are not powered up at all even in data only mode if the reserved PoE power cannot be allocated to that slot To reset the reserved power budget for a...

Страница 106: ...ommand configure inline power priority critical high low ports port_list To reset the PoE priority of the ports to the default value of low use the following command unconfigure inline power priority...

Страница 107: ...s to all PoE modules the threshold measurement applies only to the percentage per slot of measured power to budgeted power use it does not apply to the amount of power used switchwide To configure the...

Страница 108: ...g command unconfigure inline power operator limit ports all port_list If you attempt to set an operator limit outside the accepted range the system returns an error message LEDs Individual port LEDs o...

Страница 109: ...using the following commands enable inline power enable inline power slot slot enable inline power ports all port_list NOTE If your chassis has an inline power module and there is not enough power to...

Страница 110: ...NMP to generate this event When the actual power used by the PDs on a slot exceeds the power budgeted for that slot the switch refuses power to PDs There are two methods used by the switch to refuse p...

Страница 111: ...wer in excess of the slot s reserved power budget the system allocates power to those ports with the highest priorities first If several ports have the same PoE priority the lower port numbers have hi...

Страница 112: ...egacy detection method is enabled The switch unsuccessfully attempted to discover the PD using the standard resistance measurement method To enable the switch to detect legacy non standard PDs use the...

Страница 113: ...list Power Cycling Connected PDs You can power cycle a connected PD without losing the power allocated to its port Use the following command reset inline power ports port_list Displaying PoE Settings...

Страница 114: ...mation for each slot Inline power status The status of inline power The status conditions are Enabled Disabled Firmware status The operational status of the slot The status conditions are Operational...

Страница 115: ...P Operational 111 00 110 00 1 00 Inline Power budgeted 2 loss 51 00 51 00 0 00 Slot 4 G48P Empty Slot 5 G8X Operational 0 00 0 00 0 00 Slot 6 G48T Operational 0 00 0 00 0 00 Slot 7 G48P Operational 11...

Страница 116: ...available to the slot Measured power The amount of power in watts that currently being used by the slot Following is sample output from this command Budgeted Measured Slot Inline Power Firmware Statu...

Страница 117: ...his command provides the following information Config Indicates whether the port is enabled to provide inline power Enabled The port can provide inline power Disabled The port cannot provide inline po...

Страница 118: ...ass 0 device class1 class 1 device class2 class 2 device class3 class 3 device class4 class 4 device Volts Displays the measured voltage A value from 0 to 2 is valid for ports that are in a searching...

Страница 119: ...tate Class Volts Curr Power Fault mA Watts 3 1 delivering class3 48 3 192 9 300 None 3 2 delivering class3 48 3 192 9 300 None 3 3 searching 0 0 0 0 0 None Following is sample output from the show inl...

Страница 120: ...r of times the port had an invalid signature Denied Displays the number of times the port was denied Over current Displays the number of times the port entered an overcurrent state Short Displays the...

Страница 121: ...this way statistics can help you get the best out of your network Status Monitoring The status monitoring facility provides information about the switch This information may be useful for your techni...

Страница 122: ...ed to a multicast address Viewing Port Errors The switch keeps track of errors for each port To view port transmit errors use the following command show ports port_list txerrors The switch collects th...

Страница 123: ...er of frames received by the port with a CRC error and not containing an integral number of octets Receive Frames Lost RX Lost The total number of frames received by the port that were lost because of...

Страница 124: ...s offline and performs a simple ASIC and packet loopback test on all ports extended Takes the switch fabric and ports offline and performs extensive ASIC ASIC memory and packet loopback tests Extended...

Страница 125: ...the Aspen MSM LED behavior during a diagnostic test While diagnostic tests are running the STAT LED blinks amber If a diagnostic test fails the SYS LED and the STAT LED go to solid amber After the MSM...

Страница 126: ...controllers and fans By isolating faults to a specific module backplane connection control plane or component the system health checker notifies you of a possible hardware fault This section describe...

Страница 127: ...stic packets from the I O module to determine the state and connectivity The other I O modules with backplane diagnostic packets disabled continue polling every 60 seconds by default System health che...

Страница 128: ...seconds on the specified slot Only polling is enabled Aspen 8810 switch By default the system health checker discontinues sending backplane diagnostic packets to the specified slot Only polling is ena...

Страница 129: ...ion Disabling Backplane Diagnostics Building upon the previous example the following example disables backplane diagnostics on slot 3 disable sys health check slot 3 Backplane diagnostic packets are n...

Страница 130: ...ds using the following command configure sys health check interval 5 Setting the System Recovery Level You can configure the system either to take no action or to automatically reboot the switch after...

Страница 131: ...owing sample output displays the temperature information PowerSupply 1 information Temperature 30 1 deg C To view the current temperature and status of the fan trays use the following command show fan...

Страница 132: ...stored in memory buffer or NVRAM to a TFTP server Display counts of event occurrences even those not included in filter Display debug information using a consistent configuration method Sending Event...

Страница 133: ...if any of the local targets NVRAM memory or console are matched If so that event gets processed The session and syslog targets are disabled on the backup MSM as they are handled on the primary If the...

Страница 134: ...erbose and debug data require that debug mode be enabled which may cause a performance degradation See Displaying Debug Information on page 143 for more information about debugging Table 20 Severity l...

Страница 135: ...target you further restrict the messages reaching that target The filter may allow only certain categories of messages to pass Only the messages that pass the filter and then pass the specified sever...

Страница 136: ...or example if you want to see the message text and the parameters for the event condition STP InBPDU Trace use the following command show log events stp inbpdu trace details The output produced by the...

Страница 137: ...lter add events stp All STP component events of at least the default threshold severity passes myFilter for the STP component the default severity threshold is error You can further modify this filter...

Страница 138: ...item enables rewriting the filter If the new item is already included or excluded from the currently configured filter the new item is not added to the filter Matching Expressions You can configure t...

Страница 139: ...event definitions the event text and parameter types Only those parameter types that are applicable given the events and severity specified are exposed on the CLI The syntax for the parameter types re...

Страница 140: ...ddress In other words if the match keyword is specified an incident will pass a filter so long as all parameter values in the incident match those in the match criteria but all parameter types in the...

Страница 141: ...essages on page 140 Displaying Event Logs The log stored in the memory buffer and the NVRAM can be displayed on the current session either the console display or telnet To display the log use the foll...

Страница 142: ...s made to the system for further processing Both counters reflect totals accumulated since reboot or since the counters were cleared using the clear log counters or clear counters command The show log...

Страница 143: ...applies only to commands that result in a configuration change To enable configuration logging use the following command enable cli config logging To disable configuration logging use the following co...

Страница 144: ...mple is taken and the maximum number of samples allowed before throttling the sample gathering To configure sFlow on a switch you must do the following tasks Configure the local agent Configure the ad...

Страница 145: ...ow globally with the following command disable sflow When you disable sFlow globally the individual ports are also put into the disabled state If you later enable the global sFlow state individual por...

Страница 146: ...10K only At the hardware level all ports on the same slot are sampled at the same rate so if one port is configured to sample less frequently than another on the same slot the extra samples are discar...

Страница 147: ...monitors port statistics and system variables The agent transfers the information to a management workstation on request or when a predefined threshold is crossed Information collected by RMON includ...

Страница 148: ...group is used to detect changes in traffic and error patterns in critical areas of the network History The History group provides historical views of network performance by taking periodic samples of...

Страница 149: ...re the probeHardwareRev object you can view the current hardware version of the monitored device probeDateTime If you configure the probeDateTime object you can view the current date and time of the p...

Страница 150: ...ation file Runtime data is not stored in the configuration file and is subsequently lost after a system restart or MSM failover Event Actions The actions that you can define for each alarm are shown i...

Страница 151: ...line interface CLI Benefits NOTE The system switches traffic within each VLAN using the Ethernet MAC address The system routes traffic between two VLANs using the IP addresses Implementing VLANs on yo...

Страница 152: ...ate virtual routers ensure that you are creating each VLAN in the desired virtual router domain Also ensure that you are in the correct virtual router domain before you begin modifying each VLAN For i...

Страница 153: ...e you must remove the untagged ports from the VLAN and reset the module To display the serial number of the module issue the show slot slot_number command All the modules on the Aspen 8810 switch supp...

Страница 154: ...e port on each switch must be a member of the corresponding VLANs as well Figure 4 illustrates two VLANs spanning two switches On system 2 ports 25 through 29 are part of VLAN Accounting ports 21 thro...

Страница 155: ...s can span multiple switches using one or more trunks In a port based VLAN each VLAN requires its own pair of trunk ports as shown in Figure 4 Using tags multiple VLANs can span two switches with a si...

Страница 156: ...nected to port 25 on system 1 has a NIC that supports 802 1Q tagging The server connected to port 25 on system 1 is a member of both VLAN Marketing and VLAN Sales All other stations use untagged traff...

Страница 157: ...VLAN and multiple tag based VLANs NOTE For the purposes of VLAN classification packets arriving on a port with an 802 1Q tag containing a VLANid of zero are treated as untagged Protocol Based VLANs P...

Страница 158: ...zed protocol filter based on EtherType Logical Link Control LLC and or Subnetwork Access Protocol SNAP Up to six protocols may be part of a protocol filter To define a protocol filter 1 Create a proto...

Страница 159: ...feff configure protocol fred add snap 9999 A maximum of 15 protocol filters each containing a maximum of 6 protocols can be defined No more than 7 protocols can be active and configured for use NOTE F...

Страница 160: ...it the VLAN names have no significance to the other switch NOTE Extreme Networks recommends that you use VLAN names consistently across your entire network Default VLAN The switch ships with one defa...

Страница 161: ...you must first delete that port from the default vlan if you attempt to add an untagged port to a VLAN prior to deleting it from the default VLAN you see the following error message Error Protocol con...

Страница 162: ...etype 0xf0f0 configure protocol myprotocol add etype 0xffff create vlan myvlan configure myvlan protocol myprotocol Displaying VLAN Settings NOTE The Aspen 8810 switch does not support user created vi...

Страница 163: ...tion for all the traffic on the specified VMAN The encapsulation allows the VMAN traffic to be switched over an Layer 2 infrastructure To encapsulate the packet the system adds a VMAN header that form...

Страница 164: ...raffic flows from the egress trunk port onto the network thereafter without the VMAN tag Ensure that all the switch to switch ports in the VMAN tunnel are configured as tagged ports Configure the VMAN...

Страница 165: ...a tag value to the VMAN 4 Add the ports in the tunnel to the VMAN 5 Configure VMAN member ports as tagged on switch to switch ports and untagged on the ingress and egress ports of the tunnel NOTE You...

Страница 166: ...xample Aspen 8810 Switch The follow example shows the steps to configure VMAN 1 on the Aspen 8810 switch shown in Figure 9 Figure 9 Sample VMAN configuration on Aspen 8810 switch The VMAN is from the...

Страница 167: ...nabled p PIM Enabled r RIP Enabled T Member of STP Domain v VRRP Enabled Total number of Vlan s 3 To display information on a specific VMAN use the following command show vman vlan_name The following...

Страница 168: ...Virtual LANs ExtremeWare XOS 11 1 Concepts Guide 168...

Страница 169: ...l switch some commands in ExtremeWare XOS now require you to specify to which virtual router the command applies For example when you use the ping command you must specify from which virtual router th...

Страница 170: ...unications between all the modules and subsystems in the switch It has no external visible ports and you cannot assign any port to it This virtual router VR Control has no VLAN interface and no VLAN c...

Страница 171: ...isted The virtual router configuration domain simplifies configuration because you do not have to specify the virtual router for each individual protocol configuration command The current configuratio...

Страница 172: ...l be shut down and deleted gracefully Adding Ports to a Virtual Router By default all the user data ports belong to the system default virtual router VR Default and belong to the default VLAN Default...

Страница 173: ...word to every command in every routing protocol Virtual router commands are applied to the current configuration domain The virtual router commands consist of all the BGP OSPF PIM and RIP commands as...

Страница 174: ...virtual router commands affect the virtual router helix The VLAN helix accounting is created Ports that belong to the virtual router helix are added to the VLAN helix accounting The CLI prompt is show...

Страница 175: ...it was received The age of the entry The number of IP FDB entries that use this MAC address as a next hop or last hop Flags Frames destined for MAC addresses that are not in the FDB are flooded to all...

Страница 176: ...pdated as the switch continues to encounter the address in the packets it examines These entries are identified by the d flag in show fdb output Dynamic entries age that is a dynamic entry is removed...

Страница 177: ...ot be present in the FDB during a destination lookup FDB Configuration Examples The following example adds a permanent static entry to the FDB create fdbentry 00 E0 2B 12 34 56 vlan marketing port 3 4...

Страница 178: ...n about MAC based security see Chapter 13 Displaying FDB Entries To display FDB entries use the following command show fdb mac_addr broadcast mac permanent ports portlist vlan vlan_name where the foll...

Страница 179: ...of the routing information based on the policy statements Policies are also used by the access control list ACL application to perform packet filtering and forwarding decisions on packets The ACL appl...

Страница 180: ...i To insert text ahead of the initial cursor position a To append text after the initial cursor position To escape the input mode and return to the command mode press the Escape key There are several...

Страница 181: ...be forwarded by the switch as the new ACL is being setup in the hardware You can disable this behavior To control the behavior of the switch during an ACL refresh use the following commands enable acc...

Страница 182: ...e none To remove a routing policy use the none option in the command ACL Policies ACLs are used to perform packet filtering and forwarding decisions on incoming traffic Each packet arriving on an ingr...

Страница 183: ...acket matches all the match conditions the action in the then statement is taken and the evaluation process terminates If a rule entry does not contain any match condition the packet is considered to...

Страница 184: ...ion increments the counter named in the condition The QoS profile action forwards the packet to the specified QoS profile Aspen 8810 Only For the Aspen 8810 there is an additional action modifier mete...

Страница 185: ...543 kpasswd 761 krb prop 754 krbupdate 760 kshell 544 idap 389 login 513 mobileip agent 434 mobileip mn 435 msdp 639 netbios dgm 138 netbios ns 137 netbios ssn 139 nfsd 2049 nntp 119 ntalk 518 ntp 123...

Страница 186: ...edirect for tos and net 2 Time exceeded ttl eq zero during reassembly 1 ttl eq zero during transit 0 Unreachable communication prohibited by filtering 13 destination host prohibited 10 destination hos...

Страница 187: ...ecedence among L3 L4 rules is determined by their relative position in the ACL file Rules are evaluated sequentially from top to bottom The precedence among L2 rules is determined by their position in...

Страница 188: ...only matches fragmented packets An L4 rule with the fragments keyword is not valid see above With the first fragments keyword specified An L3 only rule with the first fragments keyword matches non fra...

Страница 189: ...ount countername statement For example to associate the meter maxbw with an ACL use syntax similar to the following entry meter_bw if then meter maximum_bandwidth This example will take the actions sp...

Страница 190: ...isplaying and Clearing ACL Counters To display the ACL counters use the following command show access list counter countername any ports portlist vlan vlanname ingress To clear the access list counter...

Страница 191: ...or more match conditions If no match condition is specified every condition matches Zero or more actions If no action is specified the packet is permitted by default Each policy entry in the file use...

Страница 192: ...s a multi character regular expression with 2 byte unsigned Integer being an Atom Regular expression will consist of the AS Numbers and various regular expression symbols Regular expressions must be e...

Страница 193: ...tern 1 or ospf extern 2 Table 27 AS regular expression notation Character Definition N As number N1 N2 Range of AS numbers where N1 and N2 are AS numbers and N1 N2 Nx Ny Group of AS numbers where Nx a...

Страница 194: ...umber 111 and ending with any additional AS number or beginning and ending with AS number 111 as path 111 Policy Action Statements Table 29 lists the possible action statements These are the actions t...

Страница 195: ...e cost type for a route dampening half life minutes 1 45 reuse limit number 1 20000 suppress limit number 1 20000 max suppress minutes 1 255 Sets the BGP route flap dampening parameters deny Denies th...

Страница 196: ...Yes 15 deny any 255 0 0 0 No 20 permit 10 10 0 0 255 255 192 0 No 25 deny 22 44 66 0 255 255 254 0 Yes Equivalent ExtremeWare XOS policy map definition entry entry 5 If nlri 22 16 0 0 14 then permit e...

Страница 197: ...te maps on other Extreme Networks switches This example shows the policy equivalent to an ExtremeWare route map ExtremeWare route map Route Map rt Entry 10 Action permit match origin incomplete Entry...

Страница 198: ...0 if community 6553800 then deny entry entry 30 if med 30 then next hop 10 201 23 10 as path 20 as path 30 as path 40 as path 40 permit entry entry 40 if then local preference 120 weight 2 permit entr...

Страница 199: ...Routing Policies ExtremeWare XOS 11 1 Concepts Guide 199 entry entry 60 if next hop 192 168 1 5 then community add 949616660 permit entry deny_rest if then deny...

Страница 200: ...Policies and ACLs ExtremeWare XOS 11 1 Concepts Guide 200...

Страница 201: ...oS is an effective control mechanism for networks that have heterogeneous traffic patterns Using Policy based QoS you can specify the service level that a particular traffic type receives Policy based...

Страница 202: ...nd impact of packet loss Voice Applications Voice applications typically demand small amounts of bandwidth However the bandwidth must be constant and predictable because voice applications are typical...

Страница 203: ...latency jitter and some packet loss however small packet loss may have a large impact on perceived performance because of the nature of TCP The relevant parameter for protecting browser applications i...

Страница 204: ...te traffic groupings Traffic grouping A classification or traffic type that has one or more attributes in common These can range from a physical port to IP Layer 4 port information You assign traffic...

Страница 205: ...ctivity with large packets Weight This parameter is the relative weighting for each QoS profile 1 through 16 are the available weight values The default value for each QoS profile is 1 giving each que...

Страница 206: ...figured either as a percentage of the total link bandwidth or using absolute peak rates in Kbps or Mbps The default value on all maximum bandwidth parameters is 100 Priority The level of priority assi...

Страница 207: ...LAN association In the event that a given packet matches two or more grouping criteria there is a predetermined precedence for which traffic grouping applies The supported traffic groupings by precede...

Страница 208: ...e bandwidth management and priority handling for that traffic grouping This level of packet filtering has no impact on performance Explicit Class of Service 802 1p and DiffServ Traffic Groupings This...

Страница 209: ...specific queue when subsequently transmitting the packet The 802 1p priority field is located directly following the 802 1Q type field and preceding the 802 1Q VLAN ID as shown in Figure 10 Figure 10...

Страница 210: ...groupings the related flow classifier causes the replacement However the switch is capable of inserting and or overwriting 802 1p priority information when it transmits an 802 1Q tagged frame If 802...

Страница 211: ...ket NOTE This command affects only that traffic based on explicit packet class of service information and physical logical configuration Configuring DiffServ Contained in the header of every IP packet...

Страница 212: ...fServ information can be enabled or disabled by default it is disabled To enable DiffServ examination use the following command enable diffserv examination port port_list all To disable DiffServ exami...

Страница 213: ...ter the QoS profile you want to use to determine the replacement DiffServ code point value To replace DiffServ code points you must enable DiffServ replacement using the following commands enable diff...

Страница 214: ...the same QoS configuration on every network switch To configure the switch follow these steps 1 Using ACLs assign a traffic grouping for traffic from network 10 1 2 x to QP3 configure access list qp3...

Страница 215: ...raffic is transmitted out to any other port To configure a source port traffic grouping use the following command configure ports port_list qosprofile qosprofile In the following modular switch exampl...

Страница 216: ...n detail Aspen 8810 switch display You display which QoS profile if any is configured on the Aspen 8810 switch using the show ports port_list information detail command Following is a sample output of...

Страница 217: ...mple output of this command for a BlackDiamond 10K switch 10 Gbps port Port 8 1 Virtual router VR Default Type XENPAK Random Early drop Disabled Admin state Enabled with 10G full duplex Link State Rea...

Страница 218: ...ble Tag none Mode 802 1D State FORWARDING Protocol Name Default Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled...

Страница 219: ...ns QoS features performance monitoring with a snapshot display of the monitored ports To view switch performance per port use the following command show ports port_list qosmonitor ingress egress NOTE...

Страница 220: ...roupings Egress Traffic Rate Limiting Aspen 8810 Switch Only You can configure the maximum egress traffic allowed per port by specifying the committed rate or you can allow the egress traffic to pass...

Страница 221: ...ort on the switch and from there to the backplane You can configure up to 8 ingress queues which send traffic to the backplane per physical port on the I O module By defining minimum and maximum bandw...

Страница 222: ...ueues on physical ports The impact of the bandwidth setting is determined by the port speed 1 or 10 Gbps NOTE You may see slightly different bandwidths because the switch supports granularity down to...

Страница 223: ...fine rate shaping on a port you assign a minimum and maximum bandwidth or rate plus a priority value to each queue on the ingress port see Table 38 for the number of queues available to each port on t...

Страница 224: ...following commands show qosprofile ingress egress ports all port_list show ports port_list information detail Additionally you can monitor the performance on the BlackDiamond 10K switch by using the f...

Страница 225: ...your network The features described in this chapter are part of an overall approach to network security Network Access Security Network access security features control devices accessing your network...

Страница 226: ...ge is 0 to 500 000 addresses When the learned limit is reached all new source MAC addresses are blackholed at the ingress and egress points This prevent these MAC addresses from learning and respondin...

Страница 227: ...MAC address limit on all S1 ports might prevent ESRP communication between S2 and S3 To resolve this you should add a back to back link between S2 and S3 This link is not needed if MAC address limitin...

Страница 228: ...these choices When web based network login is enabled on a switch port that port is placed into a non forwarding state until authentication takes place To authenticate a user supplicant must open a we...

Страница 229: ...ticated it is deprived of this address The client must obtain a operational address from another DHCP server in the network DHCP is not required for 802 1x because 802 1x uses only Layer 2 frames EAPO...

Страница 230: ...cation refer to the documentation for your particular RADIUS server and 802 1x client on how to set up a PKI configuration Campus and ISP Modes Network login supports two modes of operation Campus and...

Страница 231: ...ality Supplicant Side The supported 802 1x clients supplicants are Windows 2000 SP4 native client Windows XP native clients and Meetinghouse AEGIS Supported authentication types are MD5 TLS TTLS and P...

Страница 232: ...al username password authentication These are used by network login and switch console login respectively Multiple Supplicant Support An important enhancement over the IEEE 802 1x standard is that Ext...

Страница 233: ...he VLAN temp This kind of configuration provides better security as unauthenticated clients do not connect to the corporate subnet and will not be able to send or receive any data They have to get aut...

Страница 234: ...corp add port 1 12 untagged configure vlan corp add port 1 13 untagged configure vlan corp add port 1 14 untagged Network Login Configuration configure vlan temp dhcp address range 198 162 32 20 198 1...

Страница 235: ...In Campus Mode using web based authentication this requirement is mandatory after every logout and before login again as the port moves back and forth between the temporary and permanent VLANs On othe...

Страница 236: ...etwork login settings use the following command show netlogin port portlist vlan vlan name dot1x detail mac web based Disabling Network Login Network login must be disabled on a port before you can de...

Страница 237: ...ege for netlogin users to logout by popping up or not popping up the logout window Logout privilege is enabled by default To enable or disable network login use one of the following commands enable ne...

Страница 238: ...sword encrypted 00 01 30 70 0C 00 48 yaqu 00 01 30 32 7D 00 48 ravdqsr 00 04 96 00 00 00 24 not configured 00 06 00 00 00 00 32 not configured default not configured The user name used to authenticate...

Страница 239: ...table selected entries or all entries You would use this command to troubleshoot IP address allocation on the VLAN To clear entries use the following command clear vlan vlan_name dhcp address allocati...

Страница 240: ...ackets to the CPU This ACL will remain in place to provide relief to the CPU Periodically the ACL will expire and if the attack is still occurring it will be re enabled With the ACL in place the CPU w...

Страница 241: ...rts are not counted when checking for attacks To configure the trusted ports list use the following command configure dos protect trusted ports ports ports all add ports ports to add all delete ports...

Страница 242: ...tion in the local switch database To configure the RADIUS servers use the following command configure radius primary secondary server ipaddress hostname udp_port client ip ipaddress vr vr_name To conf...

Страница 243: ...able RADIUS authentication for accounting information to be generated You can enable and disable accounting without affecting the current state of RADIUS authentication To enable RADIUS accounting use...

Страница 244: ...attribute in the Access Accept packet after successfully authenticating the user Extreme Networks switches grant a RADIUS authenticated user read write privilege if a Service Type value of 6 is transm...

Страница 245: ...ed for this feature must reside on the same physical Radius server Standard Radius and Radius Accounting configuration is required as described earlier in this chapter 2 Modify the Funk SBR vendor ini...

Страница 246: ...two RADIUS servers and enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access due to RADIUS server problems RADIUS Server Configuration Example Merit...

Страница 247: ...h a user through the users file A profile with the permit on keywords allows use of only the listed commands A profile with the deny keyword allows use of all commands except the listed commands CLI c...

Страница 248: ...tch PROFILE2 enable clear counters show management PROFILE3 deny create vlan configure iproute disable show fdb delete configure rip add TACACS Terminal Access Controller Access Control System Plus TA...

Страница 249: ...If you have installed a software module and you terminate the newly installed process without saving your configuration your module may not be loaded when you attempt to restart the process with the...

Страница 250: ...alid user name and password on the switch in order to log in to the switch after the SSH2 session has been established To view the status of SSH2 sessions on the switch use the show management command...

Страница 251: ...h to your current Linux directory using SCP2 use the following command user linux server scp2 admin 192 168 0 120 config primary cfg primary cfg To copy the policy filename test pol from your Linux sy...

Страница 252: ...Security ExtremeWare XOS 11 1 Concepts Guide 252...

Страница 253: ...he changes of two counters over an interval For example you can monitor the ratio between TCP SYN and TCP packets An abnormally large ratio may indicate a SYN attack If the rule conditions are met the...

Страница 254: ...port vlan vlanname any rule rulename detail Or to display all the rules use the following command show clear flow rule all When CLEARFlow is enabled any rules that satisfy the threshold will trigger a...

Страница 255: ...ntries Each CLEARFlow rule specifies how often it should be evaluated The order of evaluation depends on the sampling time and when the CLEARFlow agent receives the counter statistics The order of the...

Страница 256: ...low agent If not specified the default value is 5 seconds The actions will be discussed in the section CLEARFlow Rule Actions on page 259 See the section Count Rule Type Example on page 261 for an exa...

Страница 257: ...eresis value is greater than the threshold value the hysteresis value will be set to zero The action lists will be discussed in the section CLEARFlow Rule Actions on page 259 See the section Delta Rul...

Страница 258: ...rom one sample to the next for each of the two counters The ratio of the differences is then compared to the threshold value The following is the syntax for a CLEARFlow delta ratio rule entry CLFrulen...

Страница 259: ...ill be set to zero The action lists will be discussed in the section CLEARFlow Rule Actions on page 259 See the section Delta Ratio Rule Type Example on page 264 for an example CLEARFlow Rule Actions...

Страница 260: ...n the rule is triggered The message is sent periodically with interval period seconds If period is zero or if this optional parameter is not present the message is sent only once when the rule is trig...

Страница 261: ...er substitutions can be used per rule CLEARFlow Rule Examples In the examples that follow there are one to two ACL rule entries followed by a CLEARFlow rule entry The examples illustrate the four CLEA...

Страница 262: ...ater than or equal to 1000 packets the CLEARFlow agent will send a trap message to the SNMP master and change the ACL acl_rule1 to move the traffic to QP3 In addition reduce the peak rate to 5 Kbps on...

Страница 263: ...e ratio is greater than 5 then the agent will execute the actions in the then clause which consists of logging a message to the syslog server Before logging the syslog string the agent will replace th...

Страница 264: ...deny all SYN traffic on the interface No period value for the syslog message is given so the message will be logged once when the expression first becomes true When the expression transitions from tru...

Страница 265: ...2 Using Switching and Routing Protocols...

Страница 266: ......

Страница 267: ...unning two or more EAPS rings having a switch belonging to multiple EAPS rings or configuring shared ports that allow multiple EAPS domains to share a common link you must have a Core software license...

Страница 268: ...signated the master node see Figure 14 while all other nodes are designated as transit nodes Figure 13 Gigabit Ethernet fiber EAPS MAN ring One port of the master node is designated the master node s...

Страница 269: ...nvergence for the entire switch not by EAPS domain Fault Detection and Recovery EAPS fault detection on a ring is based on a single control VLAN per EAPS domain This EAPS domain provides protection to...

Страница 270: ...node also flushes its FDB and sends a message on the control VLAN to all of its associated transit nodes to flush their forwarding databases as well so that all of the switches can learn the new paths...

Страница 271: ...the master receives its health check packet back on its secondary port and once again declares the ring to be complete Again the master node logically Blocks the protected VLANs on its secondary port...

Страница 272: ...tch a figure eight topology In this example there is an EAPS domain with its own control VLAN running on ring 1 and another EAPS domain with its own control VLAN running on ring 2 A data VLAN that spa...

Страница 273: ...ins Multiple EAPS Rings Sharing a Common Link When you configure EAPS on multiple rings with a common link you may experience a loop situation across both rings To solve this problem you can configure...

Страница 274: ...vironment in this software release you can use the existing solution of configuring EAPS plus STP Configuring EAPS on a Switch To configure and enable an EAPS domain complete the following steps 1 Cre...

Страница 275: ...identifying keyword as well as the actual name If you do not use the keyword the system may return an error message The following command example creates an EAPS domain named eaps_1 create eaps eaps_1...

Страница 276: ...e the failtimer expires The seconds parameter must be greater than the configured value for hellotime The default value is 3 seconds To configure the action taken if there is a break in the ring use t...

Страница 277: ...S messages NOTE A control VLAN cannot belong to more than one EAPS domain If the domain is active you cannot delete the domain or modify the configuration of the control VLAN To configure the EAPS con...

Страница 278: ...NOTE As long as the ring is complete the master node blocks the protected VLANs on its secondary port The following command example adds the protected VLAN orchid to the EAPS domain eaps_1 configure...

Страница 279: ...primary port Displaying EAPS Status Information To display EAPS status information use the following command show eaps This example displays summary EAPS information EAPS Enabled Yes EAPS Fast Conver...

Страница 280: ...nsit node The display from the show eaps detail command shows all the information shown in the show eaps eapsDomain command but displays information for all configured EAPS domains Table 42 explains t...

Страница 281: ...completed Pre Complete The EAPS domain has started operation for Complete state and has sent a request to lower hardware layers to block the secondary port It is in transient state waiting for acknowl...

Страница 282: ...been added as the control VLAN to this EAPS domain or this port has not been added to the control VLAN Hello Timer interval The configured value of the timer in seconds specifying the time that the m...

Страница 283: ...to be in the ready state After EAPS has converged and the EAPS master node has blocked its own secondary ports the controller puts all its ports into forwarding and goes back to ready state Figure 19...

Страница 284: ...t they have converged and blocked their secondary ports the controller opens all ports If you have an EAPS configuration with multiple common links and a second common link fails the controllers conti...

Страница 285: ...r This end does not participate in any form of blocking It is responsible for only sending and receiving health check messages To configure the mode of the shared port use the following command config...

Страница 286: ...APS shared port status information use the following command show eaps shared port port detail If you enter the show eaps shared port command without an argument or keyword the command displays a summ...

Страница 287: ...APS domains sharing this common link Nbr Displays one of the following states Yes Indicates that the EAPS instance on the other end of the common link is configured with matching link ID and opposite...

Страница 288: ...gment port as one of its ring ports Vlan port count available with the detail keyword or by specifying a shared port The total number of VLANs being protected under this segment port Adjacent Blocking...

Страница 289: ...y up to two shared ports per switch There cannot be more than one controller on a switch Valid combinations on any one switch are 1 controller 1 partner 1 controller and 1 partner 2 partners A shared...

Страница 290: ...gle configuration there must be two common links configured on one of the switches Figure 23 shows a Right Angle configuration Figure 23 EAPS shared port right angle configuration EW_096 S4 S3 S2 S1 P...

Страница 291: ...and Right Angle configuration Figure 24 Basic core and right angle configuration EW_098 S7 S3 S4 S2 S1 EAPS5 EAPS2 EAPS1 S8 S12 S11 S5 Controller S14 S15 S13 S9 S10 Common link Partner S6 Common link...

Страница 292: ...hanging off of it This is an extension of a basic core configuration Figure 25 Large core and access ring configuration EW_099 S4 S10 S1 S7 EAPS5 EAPS2 EAPS1 Controller Partner Master Controller Part...

Страница 293: ...Right Angle configuration Figure 26 Advanced configuration EW_101 S2 S1 S8 S9 S11 S10 Controller S14 S3 S13 S12 S7 S4 S5 Common link Common link Common link Common link S6 EAPS3 EAPS6 EAPS4 EAPS2 EAP...

Страница 294: ...Ethernet Automatic Protection Switching ExtremeWare XOS 11 1 Concepts Guide 294...

Страница 295: ...STP in terms used by the IEEE 802 1D specification the switch will be referred to as a bridge Overview of the Spanning Tree Protocol STP is a bridge based mechanism for providing fault tolerance on n...

Страница 296: ...ports that belong to the STPD and the 802 1Q tag used to transport EMISTP or PVST encapsulated BPDUs see Encapsulation Modes on page 297 for more information about encapsulating STP BPDUs Only one ca...

Страница 297: ...ee RSTP When configured in this mode all rapid configuration mechanisms are enabled The benefit of this mode is available on point to point links only and when the peer is likewise configured in 802 1...

Страница 298: ...s It is possible for the physical port to run in different modes for different domains to which it belongs To configure the BPDU encapsulation mode for one or more STP ports use the following command...

Страница 299: ...to an STPD are manually and automatically By default ports are manually added to an STPD NOTE The default VLAN and STPD S0 are already on the switch Manually Binding Ports To manually bind ports use o...

Страница 300: ...t of ports that you remove from a carrier VLAN are automatically removed from the STPD This feature allows the STPD to increase or decrease its span as ports are added to or removed from a carrier VLA...

Страница 301: ...witch s management functions and the backup acts in a standby role Hitless failover transfers switch management control from the primary to the backup and maintains the state of STP STP supports hitle...

Страница 302: ...g four VLANs have been defined Sales is defined on switch A switch B and switch M Personnel is defined on switch A switch B and switch M Manufacturing is defined on switch Y switch Z and switch M Engi...

Страница 303: ...loops are prevented The protected VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The topology has no loops because STP has already blocked the port...

Страница 304: ...ed in an STP topology All VLANs in each switch are members of the same STPD STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch Switch 2...

Страница 305: ...and S2 still correspond to VLANs A and B respectively you can fine tune STP parameters to make the left link active in S1 and blocking in S2 while the right link is active in S2 and blocking in S1 Onc...

Страница 306: ...local to other VLANs Figure 30 VLAN spanning multiple STPDs In addition the configuration in Figure 30 has these features Each site can be administered by a different organization or department withi...

Страница 307: ...Figure 32 VLAN red the only VLAN in the figure spans STPDs 1 2 and 3 Inside each domain STP produces a loop free topology However VLAN red is still looped because the three domains form a ring among...

Страница 308: ...on the physical port Third party PVST devices send VLAN 1 packets in a special manner ExtremeWare XOS does not support PVST for VLAN 1 Therefore when the switch receives a packet for VLAN 1 the packet...

Страница 309: ...STPD RSTP tries to rapidly move designated point to point links into the forwarding state when a network topology change or failure occurs For rapid convergence to occur the port must be configured as...

Страница 310: ...k types Port Link Type Description Auto Specifies the switch to automatically determine the port link type An auto link behaves like a point to point link if the link is in full duplex mode or if link...

Страница 311: ...the message age timer restarts The edge port remains in the blocking state until no further BPDUs are received and the message age timer expires Table 47 Derived timers Timer Description TCN The root...

Страница 312: ...Is now a root port and no other ports have a recent role assignment that contradicts with its root port role Is a designated port and attaches to another bridge by a point to point link and receives...

Страница 313: ...ing state RSTP requires that the recent root timer stop on the previous root port before the new root port can enter the forwarding state Designated Port Rapid Behavior When a port becomes a new desig...

Страница 314: ...non edge ports entering the forwarding state cause a topology change A loss of network connectivity is not considered a topology change however a gain in network connectivity must be communicated Whe...

Страница 315: ...ge E Figure 35 Down link detected 2 Bridge E believes that bridge A is the root bridge When bridge E receives the BPDU on its root port from bridge F bridge E Determines that it received an inferior B...

Страница 316: ...the BPDU from bridge E on its alternate port bridge D Immediately begins the max age timer on its alternate port Performs a configuration update As shown in Figure 38 after the configuration update b...

Страница 317: ...port status to neighbors 6 To complete the topology change as shown in Figure 40 Bridge D moves the port that received the agree message into the forwarding state Bridge F confirms that its receiving...

Страница 318: ...setting which is 802 1w mode STP Rules and Restrictions This section summarizes the rules and restrictions for configuring STP as follows The carrier VLAN must span all ports of the STPD The StpdID m...

Страница 319: ...ort_list dot1d emistp pvst plus 3 Define the carrier VLAN using the following command configure stpd stpd_name tag stpd_tag NOTE The carrier VLAN s VLANid must be identical to the StpdID of the STPD 4...

Страница 320: ...ngineering Creates the VLAN Engineering Configures the VLANid Adds ports to the VLAN Engineering Creates an STPD named Backbone_st Configures the default encapsulation mode of dot1d for all ports adde...

Страница 321: ...ure red add ports 1 1 1 4 tagged create vlan green configure green tag 200 configure green add ports 1 1 1 2 tagged create vlan yellow configure yellow tag 300 configure yellow add ports 1 3 1 4 tagge...

Страница 322: ...Configure the port link types Enable STP Figure 43 RSTP example In this example the commands configure switch A in STPD1 for rapid reconvergence Use the same commands to configure each switch and STP...

Страница 323: ...play STP settings use the following command show stpd stpd_name detail This command displays the following information STPD name STPD state STPD mode of operation Rapid Root Failover Tag Ports Active...

Страница 324: ...y the STP configuration of the ports assigned to that specific VLAN The command displays the following STPD port configuration STPD port mode of operation STPD path cost STPD priority STPD state root...

Страница 325: ...ides Layer 2 redundancy You can use these layered redundancy features in combination or independently You do not have to configure the switch for routing to make valuable use of ESRP The Layer 2 redun...

Страница 326: ...maximum of two switches can participate in providing redundant Layer 3 or Layer 2 services to a single Virtual LAN VLAN If you configure and use ESRP groups more than two switches can provide redunda...

Страница 327: ...or other unpredictable behavior may occur If you have an untagged master VLAN you must specify an ESRP domain ID The domain ID must be identical on all switches participating in ESRP for that particu...

Страница 328: ...ESRP aware you must create an ESRP domain on the aware switch add a master VLAN to that ESRP domain and configure a domain ID if necessary To participate as an ESRP aware switch the following must be...

Страница 329: ...e requesting switch For example if a slave switch wants to become the master it enters the pre master state notifies the neighbor switch and forces the neighbor to acknowledge the change The neighbor...

Страница 330: ...messages This reduces the amount of packet processing increases the amount of available link bandwidth and does not impact communicating state changes between switches ESRP Domains ESRP domains allow...

Страница 331: ...ic Module MSM modules in a BlackDiamond chassis one MSM assumes the role of primary and the other assumes the role of backup MSM The primary MSM executes the switch s management functions and the back...

Страница 332: ...earned routes from the IP route table Ping Tracks ICMP ping connectivity to specified devices Environment health checks Tracks the environment of the switch including power supply and chassis temperat...

Страница 333: ...a neutral state the switch waits for ESRP to initialize and run A neutral switch does not participate in ESRP elections If the switch leaves the neutral state it enters the slave state Electing the Ma...

Страница 334: ...guration passive A passive configuration acts as a stub area and helps increase the time it takes for recalculating the network A passive configuration also maintains a stable OSPF core For more infor...

Страница 335: ...consider election factors in the following order Stickiness active ports tracking information ESRP priority sticky ports track priority mac Specifies that this ESRP domain should consider election fac...

Страница 336: ...see Chapter 5 Virtual LANs For more information about ESRP master and member VLANs see Adding VLANs to an ESRP Domain on page 337 You can also configure other ESRP domain parameters including ESRP Mod...

Страница 337: ...ain ID see ESRP Domains on page 330 To configure an ESRP domain ID use the following command configure esrp esrpDomain domain id number The number parameter specifies the number of the domain ID The u...

Страница 338: ...main The state of the ESRP device determines whether the member VLAN is in the forwarding or blocking state To add a member VLAN to an ESRP domain use the following command configure esrp esrpDomain a...

Страница 339: ...rmines the maximum available power required for the switch by calculating the number of power supplies and the power required by the installed modules Enabling environmental tracking on the switch wit...

Страница 340: ...Domain add track iproute ipaddress masklength configure esrp esrpDomain delete track iproute ipaddress masklength ESRP Ping Tracking You can configure ESRP to track connectivity using a simple ping to...

Страница 341: ...lowing command configure esrp esrp1 add track iproute 10 10 10 0 24 The route specified in this command must exist in the IP routing table When the route is no longer available the switch implements a...

Страница 342: ...ion with the ESRP switch To remove a port from the restart configuration delete the port from the VLAN and re add it ESRP Host Attach ESRP host attach HA is an optional ESRP configuration that allows...

Страница 343: ...net Automatic Protection Switching EAPS or VRRP A broadcast storm may occur To configure a port to be a host port use the following command configure esrp ports ports mode host normal ESRP Port Weight...

Страница 344: ...le ESRP groups is when two or more sets of ESRP switches are providing fast failover protection within a subnet A maximum of seven distinct ESRP groups can be supported on a single ESRP switch and a m...

Страница 345: ...gure ESRP refer to the ExtremeWare XOS Command Reference Guide Using ELRP with ESRP Extreme Loop Recovery Protocol ELRP is a feature of ExtremeWare XOS that allows you to prevent detect and recover fr...

Страница 346: ...its ESRP domain ports If the master switch receives an ELRP PDU that it sent the master transitions to the slave While in the slave state the switch transitions to the pre master rate and periodically...

Страница 347: ...is 1 second and the range is 1 to 64 seconds To disable the use of ELRP by ESRP in the master state use the following command configure esrp esrpDomain elrp master poll disable Configuring Ports You c...

Страница 348: ...of Extreme Networks devices as edge switches that perform Layer 2 switching for ESRP domain esrp1 and VLAN Sales The edge switches are dual homed to the BlackDiamond 10808 switches The BlackDiamond 1...

Страница 349: ...ion The edge switches being ESRP aware allow traffic within the VLAN to failover quickly because these edge switches sense when a master slave transition occurs and flush FDB entries associated with t...

Страница 350: ...ExtremeWare XOS switches operate in ESRP standard mode To change the mode of operation use the configure esrp mode extended standard command The commands used to configure the BlackDiamond switches ar...

Страница 351: ...the first BlackDiamond 10808 switch uses 802 1Q tagging to carry traffic from both VLANs traffic on one link The BlackDiamond switch counts the link active for each VLAN The second BlackDiamond switch...

Страница 352: ...d master sales configure esrp esrp1 priority 5 enable esrp esrp1 create esrp esrp2 configure esrp esrp2 domain id 4097 configure esrp esrp2 add master engineering enable esrp esrp2 Configuration comma...

Страница 353: ...nd a VLAN but you must do so on separate devices You should be careful to maintain ESRP connectivity between ESRP master and slave switches when you design a network that uses ESRP and STP ESRP and VR...

Страница 354: ...Extreme Standby Router Protocol ExtremeWare XOS 11 1 Concepts Guide 354...

Страница 355: ...sers VRRP is used to eliminate the single point of failure associated with manually configuring a default gateway address on each host in a network Without using VRRP if the configured default gateway...

Страница 356: ...lover If any of the configured routes are not available within the route table the router automatically relinquishes master status and remains in INIT mode To add or delete a tracked route use the fol...

Страница 357: ...routing table When the route is no longer available the switch implements a VRRP failover to the backup To configure ping tracking as shown in Figure 50 use the following command configure vlan vrrp1...

Страница 358: ...all backup routers This signals the backup routers that they do not need to wait for the master down interval to expire and the master election process for a new master can begin immediately The maste...

Страница 359: ...ckup router The master router is responsible for forwarding packets sent to the virtual router When the VRRP network becomes active the master router broadcasts an ARP request that contains the virtua...

Страница 360: ...Fully redundant VRRP configuration In Figure 52 switch A is configured as follows IP address 192 168 1 3 Master router for VRID 1 Backup router for VRID 2 MAC address 00 00 5E 00 01 01 Switch B is con...

Страница 361: ...p_address This is the IP address associated with this virtual router You can associate one or more IP addresses to a virtual router This parameter has no default value advertisement_interval This is t...

Страница 362: ...ch A are as follows configure vlan vlan1 ipaddress 192 168 1 3 24 create vrrp vlan vlan1 vrid 1 configure vrrp vlan vlan1 vrid 1 prioirty 255 configure vrrp vlan vlan1 vrid 1 add 192 168 1 3 enable vr...

Страница 363: ...vlan vlan1 vrid 1 add 192 168 1 3 create vrrp vlan vlan1 vrid 2 configure vrrp vlan vlan1 vrid 2 add 192 168 1 5 enable vrrp The configuration commands for switch B are as follows configure vlan vlan...

Страница 364: ...onfigured with IP addresses 1 1 1 1 24 and 2 2 2 2 24 the following configurations are allowed VRRP VR on VLAN v1 with VRID 99 with virtual IP addresses 1 1 1 2 and 1 1 1 3 VRRP VR on VLAN v1 with VRI...

Страница 365: ...protocols see Chapter 21 Overview of IP Unicast Routing The switch provides full Layer 3 IP unicast routing It exchanges routing information with other routers on the network using either the Routing...

Страница 366: ...affic within each VLAN is switched using the Ethernet MAC addresses Traffic between the two VLANs is routed using the IP addresses Figure 55 Routing between VLANs Populating the Routing Table The swit...

Страница 367: ...e advertised using one of the following commands enable rip export bgp direct e bgp i bgp ospf ospf extern1 ospf extern2 ospf inter ospf intra static cost number tag number policy policy name or disab...

Страница 368: ...ts on behalf of ARP incapable devices Proxy ARP can also be used to achieve router redundancy and to simplify IP client configuration The switch supports proxy ARP for this type of network configurati...

Страница 369: ...th the host at address 100 101 45 67 the IP hosts communicates as if the two hosts are on the same subnet and sends out an IP ARP request The switch answers on behalf of the device at address 100 101...

Страница 370: ...VLANs using the following command enable ipforwarding broadcast vlan vlan_name 5 Turn on RIP or OSPF using one of the following commands enable rip enable ospf Verifying the IP Unicast Routing Config...

Страница 371: ...ter by way of the VLAN Finance Ports on slots 2 and 4 reach the router by way of the VLAN Personnel All other traffic NetBIOS is part of the VLAN MyCompany The example in Figure 56 is configured as fo...

Страница 372: ...prior to that supported a multinetting implementation that required separate VLANs for each IP network The implementation introduced in ExtremeWare XOS 11 0 is simpler to configure does not require t...

Страница 373: ...Transfer Protocol TFTP Secure Shell 2 SSH2 and others to the switch from a host residing in either the primary or the secondary subnet of the VLAN Other host functions such as traceroute are also supp...

Страница 374: ...figured on per VLAN basis There is no way to configure a routing protocol on an individual primary or secondary interface Configuring a protocol parameter on a VLAN automatically configures the parame...

Страница 375: ...ondary interface addresses can be used as the source interface for a BGP neighbor Direct routes corresponding to secondary interfaces can be exported into the BGP domain by enabling export of direct r...

Страница 376: ...on that host DHCP Relay When the switch is configured as a DHCP relay agent it will forward the DHCP request received from a client to the DHCP server When doing so the system sets the GIADDR field i...

Страница 377: ...d 1 1 1 99 one virtual IP address is owned by the switch and one is not VRRP VR on v1 with VRID of 100 with virtual IP addresses of 2 2 2 2 and 2 2 2 99 one virtual IP address is owned by the switch a...

Страница 378: ...tocol DHCP or BOOTP requests coming from clients on subnets being serviced by the switch and going to hosts on different subnets This feature can be used in various applications including DHCP service...

Страница 379: ...nces a DHCP server may not properly handle a DHCP request packet containing a relay agent option To prevent DHCP reply packets with invalid or missing relay agent options from being forwarded to the c...

Страница 380: ...echo packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command enable udp echo server vr vrid udp port port To...

Страница 381: ...65 OSPF Database Overflow RFC 2370 The OSPF Opaque LSA Option RFC 3101 The OSPF Not So Stubby Area NSSA Option Interconnections Bridges and Routers by Radia Perlman ISBN 0 201 56332 0 Published by Add...

Страница 382: ...tination networks A large amount of bandwidth taken up by periodic broadcasts of the entire routing table Slow convergence Routing decisions based on hop count no concept of link costs or delay Flat n...

Страница 383: ...s a hop count of 16 which defines that router as unreachable Triggered Updates Triggered updates occur whenever a router changes the metric for a route The router is required to send an update message...

Страница 384: ...License for the switch from Extreme Networks A subset of OSPF called OSPF Edge Mode is available with an Advanced Edge license OSPF Edge Mode OSPF Edge Mode is a subset of OSPF available on platforms...

Страница 385: ...ds after which the system ceases to be in overflow state A timeout value of zero leaves the system in overflow state until OSPF is disabled and re enabled Opaque LSAs Opaque LSAs are a generic OSPF me...

Страница 386: ...0 and then expand into other areas NOTE Area 0 0 0 0 exists by default and cannot be deleted or changed The backbone allows summary information to be exchanged between ABRs Every ABR hears the area su...

Страница 387: ...order routers where translation is to be enforced If translate is not used on any NSSA border router in a NSSA one of the ABRs for that NSSA is elected to perform translation as indicated in the NSSA...

Страница 388: ...area For example in Figure 59 if the connection between ABR1 and the backbone fails the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the b...

Страница 389: ...nk types Link Type Number of Routers Description Auto Varies ExtremeWare XOS automatically determines the OSPF link type based on the interface type This is the default setting Broadcast Any Routers m...

Страница 390: ...SPF Likewise for any other combinations of protocols you must separately configure each to export routes to the other Redistributing Routes into OSPF Enable or disable the exporting of BGP RIP static...

Страница 391: ...export bgp direct e bgp i bgp ospf ospf extern1 ospf extern2 ospf inter ospf intra static cost number tag number policy policy name disable rip export bgp direct e bgp i bgp ospf ospf extern1 ospf ext...

Страница 392: ...raffic from stations connected to slots 1 and 3 have access to the router by way of the VLAN Finance Ports on slots 2 and 4 reach the router by way of the VLAN Personnel All other traffic NetBIOS is p...

Страница 393: ...e under all circumstances To specify the timer intervals use the following commands configure ospf area area identifier timer retransmit interval transit delay hello interval dead interval wait timer...

Страница 394: ...he hello interval the network synchronizes very quickly but might not elect the correct DR or BDR The default value is equal to the dead router wait interval NOTE The OSPF standard specifies that wait...

Страница 395: ...internal routers Uses default routes for inter area routing Two router configurations for the example in Figure 62 are provided in the following section Configuration for ABR1 The router labeled ABR1...

Страница 396: ...n about all OSPF interfaces in a detail format ExtremeWare XOS provides several filtering criteria for the show ospf lsdb command You can specify multiple search criteria and only those results matchi...

Страница 397: ...ons for BGP RFC 1966 BGP Route Reflection RFC 1997 BGP Communities Attribute RFC 1745 BGP IDRP for IP OSPF Interaction RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option RFC 2439 BGP...

Страница 398: ...ocol IGP Exterior Gateway Protocol EGP and incomplete AS_Path The list of ASs that are traversed for this route Next_hop The IP address of the next hop BGP router to reach the destination listed in th...

Страница 399: ...o serve as a central routing point for the AS A cluster is formed by the route reflector and its client routers Peer routers that are not part of the cluster must be fully meshed according to the rule...

Страница 400: ...configure vlan to_nc ipaddress 10 0 0 2 24 enable ipforwarding vlan to_nc create vlan to_c1 configure vlan to_c1 add port 1 2 configure vlan to_c1 ipaddress 20 0 0 2 24 enable ipforwarding vlan to_c1...

Страница 401: ...to multiple sub ASs and to group these sub ASs into a routing confederation Within the confederation each sub AS must be fully meshed The confederation is advertised to other networks as a single AS R...

Страница 402: ...or 192 1 1 5 remote AS number 65001 create bgp neighbor 192 1 1 18 remote AS number 65001 enable bgp neighbor all To configure router B use the following commands create vlan ba configure vlan ba add...

Страница 403: ...bgp neighbor 192 1 1 17 remote AS number 65001 enable bgp neighbor all To configure router D use the following commands create vlan db configure vlan db add port 1 configure vlan db ipaddress 192 1 1...

Страница 404: ...se BGP route aggregation 1 Enable aggregation using the following command enable bgp aggregation 2 Create an aggregate route using the following command configure bgp add aggregate address address fam...

Страница 405: ...atory parameters are inherited from the peer group If you specify the acquire all option all of the parameters of the peer group are inherited This command disables the neighbor before adding it to th...

Страница 406: ...ften a route has flapped once it stops flapping it will again be advertised after the maximum route suppression time Configuring Route Flap Dampening Using a route map you enable BGP route flap dampen...

Страница 407: ...st AS path lowest origin code lowest Multi Exit Discriminator MED route from external peer lowest cost to next hop lowest routerID Stripping Out Private AS Numbers from Route Updates Private AS number...

Страница 408: ...interface routes to BGP use the following commands enable bgp export direct ospf ospf extern1 ospf extern2 ospf inter ospf intra rip static address family ipv4 unicast ipv4 multicast export policy po...

Страница 409: ...is a function that allows a single IP host to send a packet to a group of IP hosts This group of hosts can include devices that reside on or outside the local network and within or across a routing d...

Страница 410: ...o prune and graft multicast routes PIM DM routers perform reverse path multicasting RPM However instead of exchanging its own unicast route tables for the RPM algorithm PIM DM uses the existing unicas...

Страница 411: ...r the switch can be configured to disable the generation of periodic IGMP query packets IGMP should be enabled when the switch is configured to perform IP unicast or IP multicast routing IGMP Snooping...

Страница 412: ...e igmp snooping vlan vlanname ports portlist delete static group ip_address all configure igmp snooping vlan vlanname ports portlist delete static router To display the IGMP snooping static groups use...

Страница 413: ...PF configuration on a switch See Chapter 20 for more information about configuring OSPF PIM DM Configuration Example In Figure 65 the system labeled IR 1 is configured for IP multicast routing using P...

Страница 414: ...ABR1 is configured for IP multicast routing using PIM SM Figure 66 IP multicast routing using PIM SM configuration example The router labeled ABR1 has the following configuration configure vlan HQ_10_...

Страница 415: ...48 2 2 255 255 255 0 configure vlan CHI_160_26_26 ipaddress 160 26 26 1 255 255 255 0 configure ospf add vlan all area 0 0 0 0 enable ipforwarding enable ipmcforwarding configure pim add vlan all spar...

Страница 416: ...IP Multicast Routing ExtremeWare XOS 11 1 Concepts Guide 416...

Страница 417: ...3 Appendixes...

Страница 418: ......

Страница 419: ...lash slot of the Management Switch Fabric Module MSM Downloading a new image involves the following steps Loading the new image onto a TFTP server on your network if you will be using TFTP Loading the...

Страница 420: ...s named with the file extension xmod while the core images use the file extension xos Modular software packages are built at the same time as core images and are designed to work in concert with the c...

Страница 421: ...active partition use the following command show switch Output from this command includes the selected and booted images and if they are in the primary or secondary partition If two MSMs are installed...

Страница 422: ...dd yyyy hh mm ss NOTE When you configure a timed reboot of the switch use the show switch command to see the scheduled time To reboot the switch immediately use the following command reboot If you do...

Страница 423: ...MSM which allows the backup to take over the management functions of the primary NOTE If you download an image to the backup MSM the image passes through the primary MSM before the image is downloaded...

Страница 424: ...up MSM is installed in slot A specify msm A Before the download begins the switch prompts you to install the image immediately after the download is finished If you install the image immediately after...

Страница 425: ...software packages see Installing a Modular Software Package on page 420 To perform a hitless upgrade follow the steps described in the previous section Performing a Hitless Upgrade Hitless Upgrade Ex...

Страница 426: ...er the name of the file in the CLI the system automatically adds the cfg file extension If you have made a mistake or you must revert to the configuration as it was before you started making changes y...

Страница 427: ...s use the following command unconfigure switch This command resets the entire configuration with the exception of user accounts and passwords that have been configured and the date and time To erase t...

Страница 428: ...ress g r remote_file Where the following is true host name Is the host name of the TFTP server ip_address Is the IP address of the TFTP server g Gets the specified file from the TFTP server and copies...

Страница 429: ...s the old configuration files on the backup MSM only upon a successful file synchronization If an error occurs the switch does not delete the old configuration files on the backup MSM For example if y...

Страница 430: ...d image is booted If you do not specify an image name the default image is booted Selecting a configuration To select a different configuration from the one currently running use the config default fi...

Страница 431: ...ation auto install install on demand Where the following is true auto install Specifies ExtremeWare XOS to automatically upgrade the firmware if the software detects a newer firmware image is availabl...

Страница 432: ...Software Upgrade and Boot Options ExtremeWare XOS 11 1 Concepts Guide 432...

Страница 433: ...he PoE Module Aspen 8810 Switch Only on page 449 Untagged Frames on the 10 Gbps Module BlackDiamond 10K Switch Only on page 449 Running MSM Diagnostics from the Bootloader BlackDiamond 10K Switch Only...

Страница 434: ...for a related I O module error If the error is an inserted I O module that conflicts with the software configuration use one of the following commands to reset the slot configuration clear slot confi...

Страница 435: ...elnet facility Telnet access is enabled for the switch If you attempt to log in and the maximum number of Telnet sessions are being used you should receive an error message indicating so Traps are not...

Страница 436: ...over cable This is a CAT5 cable that has pins 1 and 2 on one end connected to pins 3 and 6 on the other end Excessive RX CRC errors When a device that has autonegotiation disabled is connected to an E...

Страница 437: ...Error Protocol conflict when adding untagged port 1 1 Either add this port as tagged or assign another protocol to this VLAN you already have a VLAN using untagged traffic on a port Only one VLAN usi...

Страница 438: ...domain You might be attempting to add Another 802 1D mode STP port to a physical port that already contains an 802 1D mode STP port only one 802 1D encapsulation STP port can be configured on a parti...

Страница 439: ...se the VLANid as the domain ID you must specify a different domain ID You cannot delete the master VLAN from the ESRP domain If you attempt to remove the master VLAN before disabling the ESRP domain y...

Страница 440: ...cates a loop in the Layer 2 network Once a loop is detected through ELRP different recovery actions can be taken such as blocking certain ports to prevent loop or logging a message to system log The a...

Страница 441: ...ecified ports of a VLAN using a particular count and interval use one of the following commands configure elrp client one shot vlan_name ports ports all interval sec retry count log print print and lo...

Страница 442: ...mary and secondary images of the compact flash To use the rescue software image you must be running ExtremeWare XOS 11 1 or later Earlier versions of ExtremeWare XOS do not support the rescue software...

Страница 443: ...the BOOTLOADER command prompt After you download the ExtremeWare XOS image file the switch installs the software and reboots After the switch reboots the switch enters an uninitialized state At this...

Страница 444: ...rd Specifies that saving debug information to the external memory card is enabled off Specifies that saving debug information to the external memory card is disabled This is the default behavior To sa...

Страница 445: ...e the file extensions the file may be unrecognized by the system For example if you have an existing configuration file named test cfg the new filename must include the cfg file extension Copying File...

Страница 446: ...FC 2348 TFTP Blocksize Option to enable faster file downloads and larger file downloads System Health Check This section provides a brief overview the system health check functionality of the followin...

Страница 447: ...eceives diagnostic packets from the I O module to determine the state and connectivity If you disable backplane diagnostics the system health checker stops sending backplane diagnostic packets Enablin...

Страница 448: ...irst Recorded Field Replaceable Units Days Start Date Chassis BD 10808 107 Feb 23 2004 Slot 1 G60X 99 Dec 10 2003 Slot 2 G60X 74 Mar 22 2004 Slot 3 G60X 151 Jan 12 2004 Slot 4 Slot 5 10G6X 49 Apr 09 2...

Страница 449: ...onfigured inline power budget for that slot However actual aggregate power can be delivered up to the configured inline power budget for the slot for example when delivered power from ports increases...

Страница 450: ...tics for image 2 initiates diagnostics for the secondary image For example to run diagnostics on the primary image use the following command boot 3 When the test is finished the MSM reboots and runs t...

Страница 451: ...address for transmission on Ethernet hardware RFC 2338 Virtual Router Redundancy Protocol Draft VRRP spec v2 06 minor modifications to RFC 2338 Extreme Standby Router Protocol ESRP IEEE 802 1D 1998 S...

Страница 452: ...1997 BGP Communities Attribute RFC 1745 BGP4 IDRP for IP OSPF Interaction RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option RFC 2439 BGP Route Flap Dampening MBGP PoE RFC 3621 Power...

Страница 453: ...sing and Dispatching for the Simple Network Management Protocol SNMP RFC 2573 Simple Network Management Protocol SNMP Applications RFC 2574 User based Security Model USM for version 3 of the Simple Ne...

Страница 454: ...pts Guide 454 DiffServ Standards and MIBs RFC 2474 Definition of the Differentiated Services Field DS Field in the IPv4 and IPv6 Headers RFC 2475 An Architecture for Differentiated Services RFC 2597 A...

Страница 455: ...on Protocol ARP is part of the TCP IP suite used to dynamically associate a device s physical address MAC address with its logical address IP address The system broadcasts an ARP request containing th...

Страница 456: ...the new DR The BDR is elected by the protocol each hello packet has a field that specifies the BDR for the network BGP Border Gateway Protocol BGP is a router protocol in the IP suite designed to exch...

Страница 457: ...ween clients on the same radio So bridged traffic can be forwarded from one AP to another AP without having to pass through the switch on the wired network broadcast A broadcast message is forwarded t...

Страница 458: ...d to a given STPD not just to one individual port The encapsulation modes are 802 1d This mode is used for backward compatibility with previous STP versions and for compatibility with third party swit...

Страница 459: ...R Designated router In OSPF the DR generates an LSA for the multiaccess network and has other special responsibilities in the running of the protocol The DR is elected by the OSPF protocol dropped pac...

Страница 460: ...u can configure ports within an STPD to accept specific BPDU encapsulations The three encapsulation modes are 802 1D This mode is used for backward compatibility with previous STP versions and for com...

Страница 461: ...r the entire switch not by EAPS domain FDB Forwarding database The switch maintains a database of all MAC address received on all of its ports and uses this information to decide whether a frame shoul...

Страница 462: ...hin an AS ICMP Internet Control Message Protocol ICMP is the part of the TCP IP protocol that allows generation of error messages test packets and operating messages For example the ping command allow...

Страница 463: ...Although you can have a static IP address many IP addresses are assigned dynamically from a pool Many corporate networks and online services economize on the number of IP addresses they use by sharing...

Страница 464: ...etwork interface card on each device MAN Metropolitan area network A MAN is a data network designed for a town or city MANs may be operated by one organization such as a corporation with several offic...

Страница 465: ...e This Extreme Networks proprietary name refers to the module that holds both the control plane and the switch fabric for switches that run the ExtremeWare XOS software One MSM is required for switch...

Страница 466: ...nager performs the process of node election which selects the master or primary MSM when you have two MSMS installed in the chassis The Node Manager is useful for system redundancy NSSA Not so stubby...

Страница 467: ...er table updates throughout the network This protocol is more efficient and scalable than vector distance routing protocols P packet This is the unit of data sent across a network Packet is a generic...

Страница 468: ...r the POST completes contact your supplier for advice primary port In EAPS a primary port is a port on the master node that is designated the primary port to the ring protected VLAN In STP protected V...

Страница 469: ...parameters for networking RIP Routing Information Protocol This IGP vector distance routing protocol is part of the TCP IP suite and maintains tables of all known destinations and the number of hops r...

Страница 470: ...port is a port on the master node that is designated the secondary port to the ring The transit node ignores the secondary port distinction as long as the node is configured as a transit node SMF Sing...

Страница 471: ...D The two modes of operation are 802 1d Compatible with legacy STP and other devices using the IEEE 802 1d standard 802 1w Compatible with Rapid Spanning Tree RSTP stub areas In OSPF a stub area is co...

Страница 472: ...4 protocol unicast A unicast packet is communication between a single sender and a single receiver over a network untagged VLAN A VLAN remains untagged unless you specifically configure the IEEE 802 1...

Страница 473: ...switch It has no ports and you cannot assign any ports to it It also cannot be associated with VLANs or routing protocols Referred to as VR 1 in earlier ExtremeWare XOS software versions VR Default Th...

Страница 474: ...r router become unavailable In case the master router fails the virtual IP address is mapped to a backup router s IP address this backup becomes the master router This allows any of the virtual router...

Страница 475: ...igure eaps secondary port 277 configure eaps shared port domain 285 configure eaps shared port mode 285 configure eaps shared port segment timeout 285 configure edp advertisement interval 95 configure...

Страница 476: ...ty 58 configure snmp add trapreceiver community 58 configure snmp delete trapreceiver 58 configure snmpv3 add access 61 configure snmpv3 add filter subtree type 65 configure snmpv3 add filter profile...

Страница 477: ...e power slot 109 disable ipforwarding 247 disable learning port 177 disable log debug mode 443 disable log target 133 disable netlogin 237 disable netlogin logout privilege 237 disable netlogin ports...

Страница 478: ...re 431 install image 420 424 425 L logout 49 ls 51 73 74 75 445 M mv 72 75 445 N nslookup 41 P ping 37 41 42 Q quit 49 R reboot 53 54 422 refresh policy 181 reset inline power ports 107 113 rm 74 75 4...

Страница 479: ...62 show snmpv3 filter 65 show snmpv3 filter profile 65 show snmpv3 group 62 show snmpv3 mib view 63 show snmpv3 notify 66 show snmpv3 target addr 64 show snmpv3 target params 65 show snmpv3 user 61 sh...

Страница 480: ...ExtremeWare XOS 11 1 Concepts Guide 480 Index of Commands use configuration 75 426 use image 421 424 V virtual router 173...

Страница 481: ...n statements policy 194 actions ACL 184 active interface 410 Address Resolution Protocol See ARP address based load sharing 87 88 admin account 38 Advanced Core license 28 advertisement interval EDP 9...

Страница 482: ...g 429 exiting 430 prompt 430 BOOTP relay configuring 378 viewing 379 BOOTP server 47 BOOTP using 47 BootROM upgrading 430 Bootstrap Protocol See BOOTP Border Gateway Protocol See BGP bulk checkpointin...

Страница 483: ...29 users 38 default VLAN 160 denial of service protection 239 DHCP network login and 229 requirement for web based network login 229 DHCP relay and IP multinetting 376 configuring 378 viewing 379 DHC...

Страница 484: ...ormation 95 100 egress traffic rate limiting 220 election algorithms ESRP 334 ELRP and ESRP 346 description 345 loop detection 440 master behavior ESRP 346 pre master behavior ESRP 346 standalone 440...

Страница 485: ...8 Ether type 167 Ethernet Automatic Protection Switching See EAPS Event Management System See EMS Events RMON 149 explicit packet marking QoS 208 extended mode ESRP domain 325 329 Extreme Discovery Pr...

Страница 486: ...aces router 365 Internet Group Management Protocol See IGMP Internet Router Discovery Protocol See IRDP interoperability requirements 231 IP address entering 48 IP fragmentation 85 IP multicast routin...

Страница 487: ...tabase See LSDB link state protocol description 382 load sharing algorithms 87 88 and control protocols 87 and ESRP don t count 343 and ESRP host attach 343 and software controlled redundant ports 87...

Страница 488: ...ewing 54 non aging entries FDB 176 normal area OSPF 387 notification tags SNMPv3 66 notification SNMPv3 64 Not So Stubby Area See NSSA NSSA 387 See also OSPF O opaque LSAs OSPF 385 Open Shortest Path...

Страница 489: ...ts 194 autonomous system expressions 193 examples translating a route map 197 translating an access profile 195 file syntax 191 rule entry 191 policy file copying 73 445 deleting 74 445 displaying 74...

Страница 490: ...h devices outside subnet 369 conditions 368 configuring 368 description 368 MAC address in response 368 proxy ARP continued responding to requests 368 subnets 369 public community SNMP 58 PVST descrip...

Страница 491: ...rate limiting displaying 100 egress traffic 220 rate shaping bi directional See bi directional rate shaping read only switch access 58 read write switch access 58 reboot MSM 422 switch 422 receive er...

Страница 492: ...421 Secure Shell 2 See SSH2 protocol security license 29 security name SNMPv3 61 sessions console 43 deleting 50 maximum number of 43 shell 44 SSH2 50 Telnet 46 TFTP 50 severity levels EMS 134 sFlow c...

Страница 493: ...ing setting 99 100 speed ports configuring 82 displaying 99 100 split horizon RIP 383 SSH2 license 29 SSH2 protocol authentication key 249 description 50 249 enabling 249 maximum number of sessions 50...

Страница 494: ...7 modes of operation BlackDiamond 10K switch 127 system health monitoring 126 system LEDs 433 system location SNMP 58 system name SNMP 58 system odometer 448 system recovery 130 system redundancy bulk...

Страница 495: ...tual routers 24 VLANs 153 155 160 161 437 VMANs 83 VRRP 364 439 VRRP and ESRP 364 trunks 155 tunneling 163 167 See also VMANs Type of Service See TOS U UDP echo server 380 untagged frames VLANs 153 16...

Страница 496: ...ring 87 and virtual routers 164 configuring 165 description 163 displaying 167 displaying settings 100 example 165 166 guidelines 164 jumbo frames 83 names 33 tagging ports 164 troubleshooting 87 165...

Отзывы:

Нет отзывов

Похожие инструкции для ExtremeWare XOS 11.1

Бренд: Xerox Страницы: 100

Бренд: Juniper Страницы: 748

Бренд: Adobe Страницы: 323

Бренд: COMPRO Страницы: 36

Бренд: Paradyne Страницы: 86

AMIGOPOD 0.99.35

Бренд: AMIGOPOD Страницы: 23

Бренд: AMIGOPOD Страницы: 47

Бренд: Apogee Страницы: 12

Бренд: Oracle Страницы: 130

Бренд: Pantone Страницы: 12

Secure Backup 10.3

Бренд: Oracle Страницы: 174

Бренд: Bay Networks Страницы: 112

SmartCell ZX-250

Бренд: Cabletron Systems Страницы: 34

FLASH MX 2004-ACTIONSCRIPT LANGUAGE

Бренд: MACROMEDIA Страницы: 1104

FLASH MX 2004-LEARNING FLASH

Бренд: MACROMEDIA Страницы: 122

Бренд: IBM Страницы: 388

Parametric Convolution Reverb IR-1

Бренд: Waves Страницы: 40

Бренд: Samsung Страницы: 116

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды