Extreme Networks ExtremeWare XOS 11.3 Скачать руководство пользователя страница 313 | Manualshive

Страница: 313 / 698

background image

ExtremeWare XOS 11.3 Concepts Guide

313

16

Security

This chapter describes the following topics:

●

Security Overview on page 313

●

Safe Defaults Mode on page 314

●

MAC Address Security on page 315

●

Denial of Service Protection on page 320

●

Authenticating Users Using RADIUS or on page 322

●

Secure Shell 2 on page 335

●

Secure Socket Layer on page 339

Security Overview

Security is a term that covers several different aspects of network use and operation. One general type
of security is control of the devices or users that can access the network. Ways of doing this include
authenticating the user at the point of logging in. You can also control access by defining limits on
certain types of traffic. Another general type of security operates to protect the operation of the switch
itself. Security measures in this category include routing policies that can limit the visibility of parts of
the network

or denial of service protection that prevents the CPU from being overloaded. Finally,

management functions for the switch can be protected from unauthorized use. This type of protection
uses various types of user authentication.

ExtremeWare XOS 11.3 introduces enhanced security features designed to protect, rapidly detect, and
correct anomalies in your network. Extreme Networks products incorporate a number of features
designed to enhance the security of your network while resolving issues with minimal network
disruption. No one feature can ensure security, but by using a number of features in concert, you can
substantially improve the security of your network.

The following list provides a brief overview of some of the available security features:

●

Access Control Lists—Access Control Lists (ACLs) are policy files used by the ACL application to
perform packet filtering and forwarding decisions on incoming traffic and packets. Each packet
arriving on an ingress port is compared to the ACL applied to that port and is either permitted or
denied.

For more information about using ACLs to control and limit network access, see

Chapter 13

, “

Access

Lists (ACLs)

.”

●

CLEAR-Flow—CLEAR-Flow is a security rules engine available only on the BlackDiamond 10K
switch. CLEAR-Flow inspects Layer 2 and Layer 3 packets, isolates suspicious traffic, and enforces
policy-based mitigation actions. Policy-based mitigation actions include the switch taking an
immediate, pre-determined action or sending a copy of the traffic off-switch for analysis. Working
together, CLEAR-Flow and Sentriant

™

provide a rapid response to network threats. For off-switch

analysis, CLEAR-Flow sends the suspicious traffic to Sentriant

and Sentriant stops the threats.

For more information about CLEAR-Flow, see

Chapter 18

, “

CLEAR-Flow

.” For more information

about Sentriant, contact your Extreme Networks representative.

«
...
311
312
313
314
315
...
»

Содержание ExtremeWare XOS 11.3

Страница 1: ...s Inc 3585 Monroe Street Santa Clara California 95051 408 579 2800 888 257 3000 http www extremenetworks com ExtremeWare XOS Concepts Guide Software Version 11 3 Published September 2005 Part number 1...

Страница 2: ...eWare XOS operating system is based in part on the Linux operating system The machine readable copy of the corresponding source code is available for the cost of distribution Please direct requests to...

Страница 3: ...kDiamond 10K Switch Only 34 Obtaining a License Voucher 35 Enabling and Verifying Licenses 35 Security Licensing 35 Software Factory Defaults 36 Chapter 2 Accessing the Switch 39 Understanding the Com...

Страница 4: ...elnet 64 Configuring Switch IP Parameters 64 Configuring Telnet Access to the Switch 66 Disconnecting a Telnet Session 68 Using Secure Shell 2 69 Using the Trivial File Transfer Protocol 69 Connecting...

Страница 5: ...ng CPU Monitoring 106 Enabling CPU Monitoring 106 Displaying CPU Utilization History 107 Chapter 5 Configuring Slots and Ports on a Switch 109 Configuring a Slot on a Modular Switch BlackDiamond 10K S...

Страница 6: ...tion Information 140 Port Display Summit X450 Switch Only 143 Port Display BlackDiamond 8800 Family of Switches Only 144 Port Display BlackDiamond 10K Series Switch Only 145 Chapter 6 Link Layer Disco...

Страница 7: ...Switch Only 185 Observing LED Behavior During a Diagnostic Test 186 Displaying Diagnostic Test Results 189 System Health Checking Modular Switches Only 189 Understanding the System Health Checker Bla...

Страница 8: ...228 Configuring VLANs on the Switch 229 VLAN Configuration Examples 229 Displaying VLAN Settings 230 Displaying Protocol Information 232 Tunneling VMANs 232 Overview 232 QoS Queue on Egress Port 234 G...

Страница 9: ...achine 258 Checking Policies 258 Refreshing Policies 259 Applying Policies 259 Applying ACL Policies 259 Applying Routing Policies 260 Chapter 13 Access Lists ACLs 261 ACLs 261 ACL Policy File Syntax...

Страница 10: ...0 Switch Only 309 Bi Directional Rate Shaping BlackDiamond 10K Switch Only 310 Bandwidth Settings 311 Configuring Bi Directional Rate Shaping 312 Chapter 16 Security 313 Security Overview 313 Safe Def...

Страница 11: ...3 Web Based Authentication 363 Enabling and Disabling Web Based Network Login 364 Configuring the Base URL 364 Configuring the Redirect Page 364 Configuring Session Refresh 365 Configuring Logout Priv...

Страница 12: ...imers 405 Configuring the Primary and Secondary Ports 406 Configuring the EAPS Control VLAN 406 Configuring the EAPS Protected VLANs 407 Enabling and Disabling Fast Convergence 407 Enabling and Disabl...

Страница 13: ...s 447 Configuring STP on the Switch 447 STP Configuration Examples 448 Basic 802 1D Configuration Example 448 EMISTP Configuration Example 449 RSTP 802 1w Configuration Example 450 Displaying STP Sett...

Страница 14: ...etting 484 ESRP and STP 484 ESRP and VRRP 484 ESRP Groups and Host Attach 484 Port Configurations and ESRP 484 Chapter 22 Virtual Router Redundancy Protocol 485 Overview 485 Determining the VRRP Maste...

Страница 15: ...6 Addresses 516 Neighbor Discovery Protocol 518 Populating the Routing Table 519 Configuring IP Unicast Routing 522 Verifying the IP Unicast Routing Configuration 522 Routing Configuration Example 522...

Страница 16: ...Configuring OSPF Wait Interval 551 OSPF Wait Interval Parameters 552 OSPF Configuration Example 553 Configuration for ABR1 554 Configuration for IR1 554 Displaying OSPF Settings 555 Chapter 28 OSPFv3...

Страница 17: ...Selecting a Primary or a Secondary Image 593 Installing a Core Image 593 Installing a Modular Software Package 594 Rebooting the Switch 596 Rebooting the Management Module Modular Switches Only 597 Un...

Страница 18: ...rmation 627 Copying Debug Information 627 Managing Files on the External Memory Card Modular Switches Only 627 TOP Command 629 TFTP Server Requirements 629 System Health Check Modular Switches Only 62...

Страница 19: ...37 Enabling the CNA Agent 637 Connecting to the CNA Server 637 Configuring the Interface 638 Clearing the Counters 638 Displaying CNA Agent Information 638 Troubleshooting 639 Appendix D Supported Pro...

Страница 20: ...Contents ExtremeWare XOS 11 3 Concepts Guide 20...

Страница 21: ...rks LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Internet Protocol IP concepts Routing Information Protocol RIP and Open Shortest Path First OSPF Border Gateway Pro...

Страница 22: ...10 switch formerly known as Aspen Summit X450 switch BlackDiamond 8806 switch When a feature or feature implementation applies to specific platforms the specific platform is noted in the heading for t...

Страница 23: ...nd reference guide for any command mentioned in the user guide To ensure that the quick referencing feature functions properly follow these steps 1 Download both the user guide PDF file and the comman...

Страница 24: ...o the command reference PDF file when the command reference PDF file is closed that is not currently open on your computer desktop the system will close the user guide PDF file and open the command re...

Страница 25: ...1 Using ExtremeWare XOS...

Страница 26: ......

Страница 27: ...her BlackDiamond 8810 switch formerly known as Aspen ExtremeWare XOS 11 1 and higher Summit X450 switch ExtremeWare XOS 11 2 and higher BlackDiamond 8806 switch ExtremeWare XOS 11 3 1 and higher NOTE...

Страница 28: ...lient and per command authentication support TACACS support Console command line interface CLI connection Telnet CLI connection Secure Shell SSH2 connection Simple Network Management Protocol SNMP sup...

Страница 29: ...gle virtual router that spans more than one physical router and allows multiple switches to provide redundant routing services to users For more information about VRRP see Chapter 22 For more informat...

Страница 30: ...ee Chapter 15 sFlow sFlow is a technology for monitoring traffic in data networks containing switches and routers The technology relies on statistical sampling of packets from high speed networks plus...

Страница 31: ...k its port connection is in an unauthenticated state denying any access to the network During authentication the user supplies a password to the switch using the host If authenticated the port connect...

Страница 32: ...e Link Layer Discovery Protocol LLDP LLDP is a Layer 2 protocol IEEE standard 802 1ab that is used to determine the capabilities of devices such as repeaters bridges access points routers and wireless...

Страница 33: ...Advanced Core license level to the Core license You have BGP functionality with a Core license When you are working with modular switches the license belongs with the switch chassis not with the parti...

Страница 34: ...t for this feature at this license level Upgrading on the BlackDiamond 10K Switch Only The licensing levels on the BlackDiamond 10K switch depend on the MSM you have in your system The MSM 1 ships wit...

Страница 35: ...etworks Technical Support at 800 998 2408 408 579 2826 Enabling and Verifying Licenses To enable the license use the following command enable license key To verify the current license level as well as...

Страница 36: ...eparate software module to run SSH SNMP access Enabled SSL Disabled You must install a separate software module to run SSL SSH module SNMP read community string public SNMP write community string priv...

Страница 37: ...l EMISTP Forwarding database aging period 300 seconds 5 minutes IPv4 Routing Disabled RIP Disabled OSPFv2 Disabled BGPv4 Disabled IPv6 Routing Disabled RIPng Disabled OSPFv3 Disabled Smart Redundancy...

Страница 38: ...ExtremeWare XOS Overview ExtremeWare XOS 11 3 Concepts Guide 38...

Страница 39: ...eatures of the ExtremeWare XOS software However only a subset of commands are described here and in some cases only a subset of the options that a command supports The ExtremeWare XOS Command Referenc...

Страница 40: ...cursor at the end of the command you have entered so far ready for the next option If you enter an invalid command the syntax helper notifies you of your error and indicates where the error is located...

Страница 41: ...d NOTE If you use the same name across categories for example STPD and VLAN names Extreme Networks recommends that you specify the identifying keyword as well as the actual name If you do not use the...

Страница 42: ...an address for ipaddress when entering the command Do not type the angle brackets square brackets Enclose a required value or list of required arguments One or more values or arguments can be specifi...

Страница 43: ...t has a total of four ports is installed in slot 2 of the chassis the following ports are valid 2 1 2 2 2 3 2 4 You can also use wildcard combinations to specify multiple modular slot and port combina...

Страница 44: ...command Ctrl U Clears all characters typed from cursor to beginning of line Ctrl W Deletes previous word Ctrl C Interrupts the current CLI command execution Table 7 Common commands Command Descriptio...

Страница 45: ...ssword Creates a user account This command is available to admin level users and to users with RADIUS command authorization The username is between 1 and 32 characters the password is between 0 and 32...

Страница 46: ...g of the screen display when show command output reaches the end of the page The default setting is enabled enable idletimeout Enables a timer that disconnects all sessions both Telnet and console aft...

Страница 47: ...of your network by taking the following actions change your admin password change your SNMP public and private strings consider using SNMPv3 to secure network management traffic All the changes you ma...

Страница 48: ...he user logged on by way of the Telnet connection is notified that the session has been terminated If you have logged on with administrator capabilities the command line prompt ends with a sign For ex...

Страница 49: ...specified account press Enter twice Viewing Accounts To view the accounts that have been created you must have administrator privileges To see the accounts use the following command show accounts Dele...

Страница 50: ...p text Exit Use this command to exit the failsafe account and return to the login prompt Typically you use the Login command to correct the problem that initially required you to use the failsafe acco...

Страница 51: ...rd while logged out of the CLI contact your local technical support representative who will advise on your next course of action Applying Security to Passwords You can increase the security of your sy...

Страница 52: ...using the configure cli max failed logins num of logins command This command also sets the number of failed logins that terminate the particular session Once locked out using the configure account pa...

Страница 53: ...ws a sample display from the show accounts command User Name Access LoginOK Failed admin R W 3 1 user RO 0 0 dbackman R W 0 0 ron RO 0 0 nocteam RO 0 0 Account locked Access to Both MSM Console Ports...

Страница 54: ...commands when running them on VR Mgmt The switch offers the following commands for checking basic connectivity ping traceroute Ping The ping command enables you to send Internet Control Message Proto...

Страница 55: ...ified the address of the transmitting interface is used host is the host of the destination endstation To use the hostname you must first configure DNS ttl configures the switch to trace the hops unti...

Страница 56: ...tem Watchdog Enabled Current Time Wed May 19 11 04 32 2004 Timezone Auto DST Enabled GMT Offset 480 minutes name is PST DST of 0 minutes is currently in effect name is PDT DST begins every first Sunda...

Страница 57: ...tes name is UTC Boot Time Fri Feb 13 23 57 48 2004 Next Reboot None scheduled Current State OPERATIONAL Image Selected primary Image Booted primary Primary ver 11 2 0 16 Secondary ver 11 2 0 10 Config...

Страница 58: ...Accessing the Switch ExtremeWare XOS 11 3 Concepts Guide 58...

Страница 59: ...e Protocol on page 92 Overview Using ExtremeWare XOS you can manage the switch using the following methods Access the command line interface CLI by connecting a terminal or workstation with terminal e...

Страница 60: ...tion of eight Telnet and SSH connections can access the switch even though Telnet and SSH each support eight connections For example if you have six Telnet sessions and two SSH sessions no one else ca...

Страница 61: ...primary MSM acquires the IP address of the previous primary MSM To configure the IP address and subnet mask for the VLAN mgmt use the following command configure vlan mgmt ipaddress ip_address subnet_...

Страница 62: ...remeWare XOS version of TACACS is used to authenticate prospective users who are attempting to administer the switch TACACS is used to communicate between the switch and an authentication database For...

Страница 63: ...e connection is established you see the switch prompt and you can log in The same is true if you use the switch to connect to another host From the CLI you must specify the IP address or host name of...

Страница 64: ...nd you have a Bootstrap Protocol BOOTP server set up correctly on your network you must provide the following information to the BOOTP server Switch Media Access Control MAC address found on the rear...

Страница 65: ...LAN NOTE For information on creating and configuring VLANs see Chapter 9 To manually configure the IP settings 1 Connect a terminal or workstation running terminal emulation software to the console po...

Страница 66: ...log out of the switch by typing logout or quit Configuring Telnet Access to the Switch By default Telnet services are enabled on the switch and all virtual routers listen for incoming Telnet requests...

Страница 67: ...two methods to load ACL policies to the switch Use the edit policy command to launch a VI like editor on the switch You can create the policy directly on the switch Use the tftp command to transfer a...

Страница 68: ...of Telnet including the current TCP port the virtual router used to establish a Telnet session and whether ACLs are controlling Telnet access use the following command show management Disabling and En...

Страница 69: ...al File Transfer Protocol ExtremeWare XOS supports the Trivial File Transfer Protocol TFTP based on RFC 1350 TFTP is a method used to transfer files from one network device to another The ExtremeWare...

Страница 70: ...ver the management functions if the master MSM fails Node Election Node election is based on leader election between the MSMs installed in the chassis The MSM installed in slot A has master status The...

Страница 71: ...the master MSM showing MASTER and the backup MSM showing BACKUP InSync A node may not be synchronized because checkpointing did not occur incompatible software is running on the master and backup or t...

Страница 72: ...initialization of a standby or backup MSM the master s saved configuration is copied to local flash After the configuration is saved the master transfers the current active configuration to the backup...

Страница 73: ...ys in percentages the amount of copying completed by each process and the traffic statistics between the process on both the master and the backup MSMs Viewing Node Status ExtremeWare XOS allows you t...

Страница 74: ...lows but subsequent behavior depends on the routing protocols used Static layer 3 configurations and routes are hitless You must configure OSPF graceful restart for OSPF routes to be maintained See Ch...

Страница 75: ...h the same ports set to forwarding blocking If the master fails over there is no change in the backup s state There should be no data loss If the backup MSM state is Preforwarding and the master MSM i...

Страница 76: ...over all hardware and software caches are cleared and learning from the hardware is restarted This causes a traffic interruption since it is the same as if the switch rebooted for all Layer 3 multicas...

Страница 77: ...relearns routes from all of them This causes an increase in control traffic onto the network No Power over Ethernet PoE The PoE configuration is checkpointed to the backup MSM This ensures that if the...

Страница 78: ...ports to be able to pass traffic again I O modules not yet in the Operational state are powered off and the card state machine is restarted to bring them to the Operational state This results in a de...

Страница 79: ...BlackDiamond 8800 family of switches there are specific power budget requirements and configurations associated with PoE that are not described in this section For more detailed information about PoE...

Страница 80: ...as enough power to continue operation If you install or provide power to a new PSU I O modules powered down due to earlier insufficient power are considered for power up from the lowest slot number to...

Страница 81: ...dules to power down To resume using automatic power supply management on a PSU use the configure power supply ps_num auto command The setting for each PSU is stored as part of the switch configuration...

Страница 82: ...ommand show power controller num Using the Simple Network Management Protocol Any network manager program running the Simple Network Management Protocol SNMP can manage the switch provided the Managem...

Страница 83: ...ord snmpv3 After a switch reboot all slots must be in the Operational state before SNMP can manage and access the slots To verify the current state of the slot use the show slot command Understanding...

Страница 84: ...rc_ip_address mode trap_mode enhanced standard You can delete a trap receiver using the configure snmp delete trapreceiver command Entries in the trap receiver list can also be created modified and de...

Страница 85: ...associated with an SNMPv3 engine RFC 2574 The User Based Security Model for Version 3 of the Simple Network Management Protocol SNMPv3 describes the User Based Security Model USM RFC 2575 View based...

Страница 86: ...model snmpv1 snmpv2c snmpv3 sec model snmpv1 snmpv2c usm sec level noauth authnopriv priv volatile SNMPv3 Security In SNMPv3 the User Based Security Model USM for SNMP was introduced USM deals with se...

Страница 87: ...The default password for admin is password For the other default users the default password is the user name To display information about a user or all users use the following command show snmpv3 use...

Страница 88: ...user and a group use the following command configure snmpv3 delete group hex hex_group_name group_name user all non defaults hex hex_user_name user_name sec model snmpv1 snmpv2c usm Security Models an...

Страница 89: ...B 2 is 1 3 6 1 2 and the System group is defined as MIB 2 1 1 or directly as 1 3 6 1 2 1 1 To define a MIB view which includes only the System group use the following subtree mask combination 1 3 6 1...

Страница 90: ...dress use the following command configure snmpv3 add target addr hex hex_addr_name addr_name param hex hex_param_name param_name ipaddress ip_address netmask ip_address transport port port_number from...

Страница 91: ...eate a filter profile you are associating only a filter profile name with a target parameter name The filters that make up the profile are created and associated with the profile using a different com...

Страница 92: ...otify hex hex_notify_name notify_name To delete an entry from the snmpNotifyTable use the following command configure snmpv3 delete notify hex hex_notify_name notify_name all non defaults You cannot d...

Страница 93: ...ing date and time in terms of a floating day as follows configure timezone name MET 60 autodst name MDT begins every last sunday march at 1 30 ends every last sunday october at 1 30 You can also speci...

Страница 94: ...tch cannot obtain the time it restarts the query process Otherwise the switch waits for the sntp client update interval before querying again 5 Optionally the interval for which the SNTP client update...

Страница 95: ...Mexico City Mexico 7 00 420 MST Mountain Standard Saskatchewan Canada 8 00 480 PST Pacific Standard Los Angeles CA Santa Clara CA Seattle WA USA 9 00 540 YST Yukon Standard 10 00 600 AHST Alaska Hawai...

Страница 96: ...timezone 480 autodst configure sntp client update interval 1200 enable sntp client configure sntp client primary 10 0 1 1 configure sntp client secondary 10 0 1 2 10 00 600 EAST East Australian Standa...

Страница 97: ...ation is a built in mechanism of ExtremeWare XOS The system infrastructure provides basic redundancy support and libraries for all of the ExtremeWare XOS applications Understanding the ExtremeWare XOS...

Страница 98: ...xtremeWare XOS File System The file system in ExtremeWare XOS is the structure by which files are organized stored and named The switch can store multiple user defined configuration and policy files e...

Страница 99: ...ary MSM to the backup MSM For example if you rename a file on the primary MSM the same file on the backup MSM is renamed For the memorycard option this command can move files between the external memo...

Страница 100: ...is copied to the backup MSM For the memorycard option the source and or destination is the memorycard You must mount the memory card for this operation to succeed This command copies a file from the...

Страница 101: ...ar 31 09 41 test_1 pol rwxr xr x 1 root 0 223599 Mar 31 10 02 v11_1_3 cfg Deleting Files From the Switch To delete a configuration or policy file from your system use the following command rm memoryca...

Страница 102: ...ility with ExtremeWare Downloading configuration files ExtremeWare XOS uses the tftp command to download configuration files to the switch from the network TFTP server For more information about downl...

Страница 103: ...name of all of the processes or the specified process running on the switch slotid Specifies the slot number of the MSM A specifies the MSM installed in slot A B specifies the MSM installed in slot B...

Страница 104: ...n the process is immediately shutdown without any of the normal process cleanup graceful Specifies that the process shutdown gracefully by closing all opened connections notifying peers on the network...

Страница 105: ...g Memory Protection ExtremeWare XOS provides memory management capabilities With ExtremeWare XOS each process runs in a protected memory space This infrastructure prevents one process from overwriting...

Страница 106: ...k utilization Monitoring the workload of the CPU allows you to troubleshoot and identify suspect processes before they become a problem By default the switch monitors CPU utilization every 20 seconds...

Страница 107: ...s secs min mins mins hour User System util util util util util util util util CPU Usage secs MSM A System 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 9 MSM B System 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 MSM A GNSS_cpuif...

Страница 108: ...util util util util util CPU Usage secs System n a n a 0 0 0 9 0 1 0 2 0 5 34 6 aaa n a n a 0 0 0 0 0 0 0 0 0 0 1 8 1 72 0 78 acl n a n a 0 0 0 0 0 0 0 0 0 0 0 0 0 40 0 24 bgp n a n a 0 0 0 0 0 0 0 0...

Страница 109: ...y NOTE The BlackDiamond 8800 family of switches was formerly known as Aspen This section discusses configuring slots on a modular switch which are the BlackDiamond 10K switch and the BlackDiamond 8800...

Страница 110: ...et to default settings To display information about a particular slot use the following command show slot Information displayed includes Module type part number and serial number Current state power d...

Страница 111: ...dule consisting solely of data or I O ports The primary MSM must be in slot A in the BlackDiamond 8806 switch which is referred to as slot 3 when working with the data ports If you have a secondary MS...

Страница 112: ...x y Specifies a non contiguous series of ports on a stand alone switch x y a d Specifies a contiguous series of ports and a series of noncontagious ports on a stand alone switch Modular Switch Numeric...

Страница 113: ...actor SFP gigabit Ethernet interface converter GBIC fiber ports Autonegotiation determines the port speed and duplex setting for each port except 10 Gbps ports You can manually configure the duplex se...

Страница 114: ...system sends LinkDown and LinkUp traps when these events occur Additionally the system writes one or more information messages to the syslog as shown in the following example 09 09 2004 14 59 08 03 I...

Страница 115: ...other networking equipment and a straight through cable to connect to endstations The autopolarity feature is enabled by default To disable or enable autopolarity detection use the following command c...

Страница 116: ...t X450 Switch Only The following information applies to jumbo frames on the BlackDiamond 8800 family of switches and the Summit X450 switch The BlackDiamond 8800 family of switches and the Summit X450...

Страница 117: ...nown The host sends all datagrams on that path with the don t fragment DF bit set which restricts fragmentation If any of the datagrams must be fragmented by an Extreme switch along the path the Extre...

Страница 118: ...5 Set the MTU size for the VLAN using the following command configure ip mtu mtu vlan vlan_name The ip mtu value ranges between 1500 and 9216 with 1500 the default NOTE To set the MTU size greater tha...

Страница 119: ...d port becomes active again traffic is redistributed to include that port NOTE Load sharing must be enabled on both ends of the link or a network loop may result Link aggregation is most useful when T...

Страница 120: ...onfigured to load share The switch ports at each end must be specifically configured as part of a load sharing group NOTE The platform related load sharing algorithms apply to LACP as well as static l...

Страница 121: ...aring group is used to forward traffic out of the switch Address based Uses addressing information to determine which physical port in the load sharing group to use to forward traffic out of the switc...

Страница 122: ...aggregation by first assigning a primary or logical port to the group or LAG and then specifying the other ports you want in the LAG LACP using an automatically generated key determines which links ca...

Страница 123: ...the status of the links for changes that may require reconfiguration For example if one of the links in a LAG goes down and there are standby links in that LAG LACP automatically moves the standby por...

Страница 124: ...ee Configuring LACP on page 124 for the maximum number of links selected and standby per LACP Configuring Load Sharing on the BlackDiamond 10K Series of Switches The following rules apply to load shar...

Страница 125: ...aring port delete ports port_list NOTE Always verify the LACP configuration by issuing the show ports sharing command look for the ports listed as being in the aggregator Configuring LACP on BLackDiam...

Страница 126: ...s example when configuring or viewing VLANs VLANs configured to use other ports in the load sharing group will have those ports deleted from the VLAN when load sharing becomes enabled Address based lo...

Страница 127: ...column displays which ports in the LACP LAG are added to the aggregator at the hardware level Only those ports that are added to the aggregator actually send and receive traffic The Y means the port...

Страница 128: ...ch show lacp lag 1 detail Lag Actor Actor Partner Partner Partner Agg Sys Pri Key MAC Sys Pri Key Count 4 5 100 0x0fa5 00 01 30 f9 9c 30 321 0x1f47 16 Up Yes Enabled Yes Unack count 0 Wait for count 0...

Страница 129: ...Wait pending No Ack pending No LAG Id S pri 0 S id 00 04 96 1f a5 2e K 0x03ed P pri 0 P num 1005 T pri 0 T id 00 04 96 1f a5 76 L 0x03ed Q pri 0 Q num 1005 Stats Rx Accepted 13980 Rx Dropped due to er...

Страница 130: ...s traffic sent from the port Ingress and egress Mirrors all traffic forwarded by the port If you omit the optional parameters all traffic is forwarded the default for port based mirroring is ingress a...

Страница 131: ...tor port This feature allows you to mirror multiple ports or VLANs to a monitor port while preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast do...

Страница 132: ...ches and the Summit X450 Switch Only The following example selects slot 3 port 4 on a modular switch as the monitor port and sends all traffic received at slot 6 port 5 to the monitor port enable mirr...

Страница 133: ...ort configuration Port number 3 12 in all vlans ingress only Port number 5 4 in all vlans egress only Port number 8 30 in all vlans Displaying Switch Port Mirroring Configuration on the Summit X450 Sw...

Страница 134: ...unters for EDP protocol data units PDUs sent and received per EDP port Switch PDUs transmitted VLAN PDUs transmitted Transmit PDUs with errors Switch PDUs received VLAN PDUs received Received PDUs wit...

Страница 135: ...rnet port primary with a redundant dedicated Ethernet port both ports are on the same switch If the primary port fails the switch will establish a link on the redundant port and the redundant port bec...

Страница 136: ...red on that port If you do not want the automatic restoration of the primary link when it becomes active disable Smart Redundancy Guidelines for Software Controlled Redundant Ports and Port Groups Sof...

Страница 137: ...redundant port use the following command configure ports primaryPort redundant secondaryPort link on off The first port specified is the primary port The second port specified is the redundant port T...

Страница 138: ...ue QP1 MinBw 0 MaxBw 100 Pri 1 QP2 MinBw 0 MaxBw 100 Pri 2 QP3 MinBw 0 MaxBw 100 Pri 3 QP4 MinBw 0 MaxBw 100 Pri 4 QP5 MinBw 0 MaxBw 100 Pri 5 QP6 MinBw 0 MaxBw 100 Pri 6 QP7 MinBw 0 MaxBw 100 Pri 7 Q...

Страница 139: ...e preferred media setting issue the following command show ports mgmt port_list information detail Refer to Displaying Port Configuration Information for more information on the show ports information...

Страница 140: ...ce The default preferred medium is fiber If you use the force option it disables automatic failover If you force the preferred medium to fiber and the fiber link goes away the copper link is not used...

Страница 141: ...ports the Media Primary column displays NONE when no module is installed and SR LR or ER depending on the module installed when there is one present The following sample command displays the port conf...

Страница 142: ...led M Multicast Flooding Enabled B Broadcast Flooding Enable Beginning with ExtremeWare XOS software version 11 3 you can display real time port utilization information by issuing the following comman...

Страница 143: ...802 1D State FORWARDING Protocol Name Default Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled Unicast Flooding...

Страница 144: ...ble Tag none Mode 802 1D State FORWARDING Protocol Name Default Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled...

Страница 145: ...limit No limit STP cfg Protocol Name peggy Protocol ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled Unicast Flooding Ena...

Страница 146: ...Configuring Slots and Ports on a Switch ExtremeWare XOS 11 3 Concepts Guide 146...

Страница 147: ...ertisements LLDP provides a standard method of discovering and representing the physical network connections of a given network management domain LLDP works concurrently with Extreme Discovery Protoco...

Страница 148: ...2 00 00 0E and the EtherType is defined as 0x88CC Figure 4 LLDP packet format The following characteristics apply to LLDP packets They are IEEE 802 3 Ethernet frames The frames are sent as untagged fr...

Страница 149: ...egular intervals Chassis ID mandatory Port ID mandatory Time to live mandatory Port description System name System description sent by default System capabilities Management address 802 1 specific inf...

Страница 150: ...action ensures that only valid information is stored in the LLDP agent Once you enable LLDP you can enable the LLDP specific SNMP traps the traps are disabled by default You configure the period betw...

Страница 151: ...to advertise Table 18 lists all the defined TLVs if they are included by default once you enable LLDP if they can be configured if they are mandatory or optional and if you can repeat that TLV in one...

Страница 152: ...switches and the combination of slot and port number on modular switches TTL TLV The TTL TLV is mandatory sent by default once LLDP is enabled and nonconfigurable This TLV indicates how long the recor...

Страница 153: ...gure this TLV to be advertised or not advertised The port description TLV contains the ifDescr object which is the ASCII string you entered using the configure ports display string command If you have...

Страница 154: ...ftware allows you to advertise VLAN name information to neighboring devices This TLV associates a VLAN name to the IEEE 802 1Q tag assigned to that VLAN You can enable this TLV for tagged and untagged...

Страница 155: ...ying power over Ethernet PoE This TLV allows network management to advertise and discover the power via MDI capabilities of the sending 802 3 LAN station The device type field contains a binary value...

Страница 156: ...ll ports by default When you enable LLDP on the ports you select whether the ports will only transmit LLDP messages only receive the messages or both transmit and receive LLDP messages To enable LLDP...

Страница 157: ...gered update LLDP messages is referred to as the transmit delay and the default value is 2 seconds You can change the default transmit delay value to a specified number of seconds or to be automatical...

Страница 158: ...ommends that you advertise only one or two VLANS on specified ports to avoid dropping TLVs from the LLDPDU You configure LLDP ports to advertise any of the following optional TLVs Port description TLV...

Страница 159: ...ol based VLAN per LLDP enabled port To do so add one optional port and protocol VLAN ID TLV for each VLAN you want to advertise To advertise these VLANs issue the following command configure lldp port...

Страница 160: ...s unconfigure lldp port all port_list Displaying LLDP Settings The system displays information on the LLDP status and statistical counters of the ports as well as about the LLDP advertisements receive...

Страница 161: ...rval 5 seconds LLDP reinitialize delay 2 seconds LLDP Port Configuration Port Rx Tx SNMP Optional enabled transmit TLVs Mode Mode Notification LLDP 802 1 802 3 1 Enabled Enabled Disabled ND N VLAN Def...

Страница 162: ...all switch ports use the show lldp neighbors detailed command The following is sample output from the this command show lldp all neighbors detailed LLDP Port 4 1 detected 2 neighbors Neighbor 00 04 96...

Страница 163: ...er covers the following topics Summary of PoE Features on page 163 Power Checking for PoE Module on page 164 Power Delivery on page 164 LEDs on page 168 Configuring PoE on page 169 Displaying PoE Sett...

Страница 164: ...eviously are powered up If you lose power or the overall available power decreases the system removes power to the I O modules beginning with the highest numbered slots until enough power is available...

Страница 165: ...without disabling the slot first you can reconfigure dynamically These settings are preserved across reboots and other power cycling conditions The total of all reserved slot power budgets cannot be...

Страница 166: ...default value is low If you configure the disconnect precedence of the switch as lowest priority the switch disconnects those PDs with lower PoE port priorities when the reserved slot power budget is...

Страница 167: ...PoE slot you cannot configure it differently for each PoE module You can also configure the system to log an Event Management System EMS message when the usage threshold is crossed refer to Chapter 8...

Страница 168: ...by using the following command configure inline power operator limit milliwatts ports all port_list If the measured power for a specified port exceeds the port s operator limit the power is withdrawn...

Страница 169: ...s in the case of excessive power demands Configure the threshold for initiating system alarms on power usage Additionally you can configure the switch to use legacy PDs apply specified PoE limits to p...

Страница 170: ...et for a PoE module to the default value of 50 W use the following command unconfigure inline power budget slot slot To display the reserved power budget for the PoE modules use the following command...

Страница 171: ...inline power budget for the slot for example when delivered power from ports increases or when the configured inline power budget for the slot is reduced Configuring the PoE Port Priority You can conf...

Страница 172: ...cifically enable the switch to detect these non standard PDs the default value for this detection method is disabled This configuration applies to the entire switch you cannot configure the detection...

Страница 173: ...string ports port_list To rename a port or to return it to a blank label reissue the command To display the PoE port labels use the following command show inline power configuration ports port_list Po...

Страница 174: ...output indicates the following inline power status information for each slot Inline power status The status of inline power The status conditions are Enabled Disabled Firmware status The operational...

Страница 175: ...P Operational 111 00 110 00 1 00 Inline Power budgeted 2 loss 51 00 51 00 0 00 Slot 4 G48P Empty Slot 5 G8X Operational 0 00 0 00 0 00 Slot 6 G48T Operational 0 00 0 00 0 00 Slot 7 G48P Operational 11...

Страница 176: ...available to the slot Measured power The amount of power in watts that is currently being used by the slot Following is sample output from this command Budgeted Measured Slot Inline Power Firmware Sta...

Страница 177: ...his command provides the following information Config Indicates whether the port is enabled to provide inline power Enabled The port can provide inline power Disabled The port cannot provide inline po...

Страница 178: ...ass 0 device class1 class 1 device class2 class 2 device class3 class 3 device class4 class 4 device Volts Displays the measured voltage A value from 0 to 2 is valid for ports that are in a searching...

Страница 179: ...tate Class Volts Curr Power Fault mA Watts 3 1 delivering class3 48 3 192 9 300 None 3 2 delivering class3 48 3 192 9 300 None 3 3 searching 0 0 0 0 0 None Following is sample output from the show inl...

Страница 180: ...r of times the port had an invalid signature Denied Displays the number of times the port was denied Over current Displays the number of times the port entered an overcurrent state Short Displays the...

Страница 181: ...des information about the switch This information may be useful for your technical support representative if you have a problem ExtremeWare XOS includes many command line interface CLI show commands t...

Страница 182: ...uence FCS but excludes bytes in the preamble Received Broadcast RX Bcast The total number of frames received by the port that are addressed to a broadcast address Received Multicast RX Mcast The total...

Страница 183: ...link is present at this port Ready R The port is ready to accept a link Not Present NP The port is configured but the module is not installed in the slot modular switches only Receive Bad CRC Frames...

Страница 184: ...e written to and read from correctly Memory addresses are accessed correctly Application Specific Integrated Circuit ASICs and Central Processing Unit CPUs operate as required Data and control fabric...

Страница 185: ...he slot number of an I O module When the diagnostics test is complete the system attempts to bring the I O module back online NOTE On the BlackDiamond 8810 switch formerly known as Aspen if you run di...

Страница 186: ...avior during a diagnostic test After the MSM completes the diagnostic test or the diagnostic test is terminated the SYS LED is reset During normal operation the status LED blinks green I O Module LED...

Страница 187: ...nostic test is in progress on the primary MSM Mstr Diag Green Off Diagnostic failure has occurred Off Green Depending the situation this state indicates Diagnostic test in progress on the primary MSM...

Страница 188: ...ackup MSM Diagnostic test has passed Mstr Diag Off Green Depending on the situation this state indicates Diagnostic test in progress on the backup MSM Diagnostic test has passed Sys Stat Off Green Dia...

Страница 189: ...utomatically corrects correctable memory errors and kills packets that encounter checksum and parity errors during processing Errored packets are not propagated through the system The primary responsi...

Страница 190: ...5 seconds by default The polling value is not a user configured parameter The system health check polls the control plane health between MSMs and I O modules monitors memory levels on the I O module m...

Страница 191: ...r on the BlackDiamond 10K switch and the BlackDiamond 8800 family of switches For more detailed information about the system health check commands see the chapter Commands for Status Monitoring and St...

Страница 192: ...s Enabling and Configuring Backplane Diagnostics The following example Enables backplane diagnostic packets on slot 3 Configures backplane diagnostic packets to be sent every 7 seconds 1 Enable backpl...

Страница 193: ...command configure sys recovery level all none Where the following is true all Configures ExtremeWare XOS to log an error into the syslog and automatically reboot the system after any task exception n...

Страница 194: ...overy is reset For more information about system recovery see Configuring System Recovery on page 193 By using the default settings the switch resets the offending MSM or I O module if fault detection...

Страница 195: ...he run diagnostics normal slot command to run operational diagnostics on the offending I O module to ensure that you are not experiencing a hardware issue If the module continues to enter the failed s...

Страница 196: ...n a Summit X450 switch the output includes the current temperature and operating status of the switch and the XGM 2xn card The following sample output displays the current temperature and operating st...

Страница 197: ...messages where the messages are sent and how they are displayed Using EMS you can Send event messages to a number of logging targets for example syslog host and NVRAM Filter events per target by Compo...

Страница 198: ...s once the buffer is full Use the following command to stop sending messages to the target disable log target console memory buffer nvram primary msm backup msm session syslog all ipaddress ipPort vr...

Страница 199: ...e targets are also associated with a default match expression that matches any messages the expression that matches any message is displayed as Match none from the command line And finally each target...

Страница 200: ...o pass Only the messages that pass the filter and then pass the specified severity level reach the target Finally you can specify the severity levels of messages that reach the target by associating a...

Страница 201: ...bcomponent and condition names For example you can refer to the InBPDU subcomponent of the STP component as STP InBPDU On the CLI you can abbreviate or TAB complete any of these A component or subcomp...

Страница 202: ...component or event To do this you construct a filter that passes only the items of interest and you associate that filter with a target The first step is to create the filter using the create log fil...

Страница 203: ...erity E Comp Sub comp Condition CEWNISVD I STP InBPDU E STP CreatPortMsgFail E I STP Include Exclude I Include E Exclude Component Unreg Component Subcomponent is not currently registered Severity Val...

Страница 204: ...ee Formatting Event Messages on page 206 Simple Regular Expressions A simple regular expression is a string of single characters including the dot character which are optionally combined with quantifi...

Страница 205: ...sk number number port portlist process process name slot slotid string match expression vlan vlan name vlan tag vlan tag Beginning with ExtremeWare XOS 11 2 you can specify the ipaddress type as IPv4...

Страница 206: ...nfigure log filter events match command This is best explained with an example Suppose an event in the XYZ component named XYZ event5 contains a physical port number a source MAC address but no destin...

Страница 207: ...ay be saved to the FLASH configuration and is restored on boot up to the console display session To turn on log display for the current session enable log target session This setting only affects the...

Страница 208: ...ces EMS adds the ability to count the number of occurrences of events Even when an event is filtered from all log targets the event is counted To display the event counters use the following command s...

Страница 209: ...s where it is needed To place the switch in debug mode use the following command enable log debug mode Once the switch is in debug mode any filters configured for your targets still affect which messa...

Страница 210: ...Non extended data Only those packets that do not match an ACL rule are considered for sampling Only port based sampling No MIB support Configuring sFlow ExtremeWare XOS allows you to collect sFlow sta...

Страница 211: ...gure sflow collector ipaddress ip address port udp port number vr vrname To unconfigure the remote collector and remove it from the database use the following command unconfigure sflow collector ipadd...

Страница 212: ...Do not configure the sample rate to a number lower than the default unless you are sure that the traffic rate on the source is low Per Port Sampling Rate You can set the sampling rate on individual po...

Страница 213: ...e switch NOTE You can only use the RMON features of the system if you have an RMON management application and have enabled RMON on the switch About RMON RMON is the common abbreviation for the Remote...

Страница 214: ...tics The switch supports the following four of these groups as defined in RFC 1757 Statistics History Alarms Events The switch also supports the following parameters for configuring the RMON agent and...

Страница 215: ...ich provides a mechanism for an automated response to certain occurrences RMON Probe Configuration Parameters The RMON probe configuration parameters supported in ExtremeWare XOS are a subset of the p...

Страница 216: ...gement The switch accurately maintains RMON statistics at the maximum line rate of all of its ports To enable or disable the collection of RMON statistics on the switch use one of the following comman...

Страница 217: ...ing on the switch the enable disable state for RMON polling use the following command show management To view the RMON memory usage statistics for a specific RMON feature for example statistics events...

Страница 218: ...Status Monitoring and Statistics ExtremeWare XOS 11 3 Concepts Guide 218...

Страница 219: ...me physical LAN Any set of ports including all ports on the switch is considered a VLAN LAN segments are not restricted by the hardware that physically connects them The segments are defined by flexib...

Страница 220: ...t virtual router VR Default The management VLAN is always in the management virtual router VR Mgmt Once you create virtual routers ExtremeWare XOS software allows you to designate one of these virtual...

Страница 221: ...TE On the BlackDiamond 10K switch the 10 Gbps module must have the serial number 804405 00 09 or higher to support untagged frames If your configuration has untagged frames but the wrong 10 Gbps modul...

Страница 222: ...want to have span across the switches At least one port on each switch must be a member of the corresponding VLANs as well Figure 7 illustrates two VLANs spanning two switches On system 2 ports 25 th...

Страница 223: ...ed a tag into the Ethernet frame The tag contains the identification number of a specific VLAN called the VLANid valid numbers are 1 to 4094 NOTE The use of 802 1Q tagged packets may lead to the appea...

Страница 224: ...fault mode of the switch is to have all ports assigned to the VLAN named default with an 802 1Q VLAN tag VLANid of 1 assigned Not all ports in the VLAN must be tagged As traffic from a port is forward...

Страница 225: ...iple VLANs with the stipulation that only one of its VLANs uses untagged traffic In other words a port can simultaneously be a member of one port based VLAN and multiple tag based VLANs NOTE For the p...

Страница 226: ...IPv6 IPX NetBIOS DECNet IPX_8022 IPX_SNAP AppleTalk Defining Protocol Filters If necessary you can define a customized protocol filter based on EtherType Logical Link Control LLC and or Subnetwork Acc...

Страница 227: ...scribed previously For example configure protocol fred add llc feff configure protocol fred add snap 9999 A maximum of 15 protocol filters each containing a maximum of 6 protocols can be defined No mo...

Страница 228: ...s recommends that you specify the identifying keyword as well as the actual name If you do not use the keyword the system may return an error message VLAN names can be specified using the tab key for...

Страница 229: ...an IP address to the VLAN NOTE Beginning with ExtremeWare XOS 11 2 the software supports using IPv6 addresses in addition to IPv4 addresses You can configure the VLAN with an IPv4 address IPv6 address...

Страница 230: ...nt configure development ipaddress 2001 0DB8 8 800 200C 417A 64 configure default delete port 1 3 configure development add port 1 3 The following modular switch example creates a protocol based VLAN...

Страница 231: ...f VLANs configured on the switch EAPs information ESRP information IP forwarding information Multicasting information Routing protocol information Use the detail option to display the detailed format...

Страница 232: ...n tunnel is completely isolated from other tunnels or VLANs For the metropolitan area network MAN provider the tagging numbers and methods used by the customer are transparent to the provider You esta...

Страница 233: ...egress or trunk port as untagged so that the VMAN header is stripped from the frame Each tunnel port that accesses the user can support or belong to only one VMAN tunnel the remaining ports throughout...

Страница 234: ...gress Queue on the BlackDiamond 10K Switch Only On VMAN packets the BlackDiamond 10K switch examines the packet s inner 802 1p tag and then directs the packet to the appropriate egress queue on the eg...

Страница 235: ...00 family of switches and the Summit X450 switch Configuring VMANs BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only NOTE On the BlackDiamond 8800 family of switches you cannot conf...

Страница 236: ...Assign a tag value to the VMAN 3 Add the ports in the tunnel to the VMAN 4 Configure VMAN member ports as tagged on switch to switch ports and untagged on the ingress and egress ports of the tunnel NO...

Страница 237: ...0 120 120 1 24 enable ipforwarding vman_tunnel_1 enable ipmcforwarding vman_tunnel_1 VMAN Example BlackDiamond 8810 Switch The follow example shows the steps to configure VMAN 1 on the BlackDiamond 88...

Страница 238: ...t Flags C EAPS Control vlan E ESRP Enabled f IP Forwarding Enabled i ISIS Enabled I IP Forwarding lpm routing Enabled L Loopback Enabled m IPmc Forwarding Enabled n IP Multinetting Enabled N Network L...

Страница 239: ...ail command shows all the information shown in the show vman vlan_name command but displays information for all configured VMANs To display the EtherType used the following command show vman etherType...

Страница 240: ...Virtual LANs ExtremeWare XOS 11 3 Concepts Guide 240...

Страница 241: ...s on same switch are connected through a Layer 2 domain the intermediate Layer 2 switches will learn same MAC address of the switch on different ports and may send traffic into the wrong virtual route...

Страница 242: ...VLAN can be created in this virtual router and the Mgmt VLAN cannot be deleted from it No routing protocol is running or can be added to this virtual router This virtual router is called VR 0 in Extre...

Страница 243: ...uter configuration domain any virtual router commands are applied only to that virtual router The virtual router commands consist of all the BGP OSPF PIM and RIP commands and the commands listed in Ta...

Страница 244: ...issue the following command delete virtual router vr name Before you delete a virtual router you must delete all VLANs created in that virtual router All of the ports assigned to this virtual router...

Страница 245: ...ted the tagged VLAN bldg_200 in VR green and the tagged VLAN bldg_300 in VR blue configure vlan default delete ports 3 5 configure vr vr default delete ports 3 5 configure vlan bldg_200 add ports 3 5...

Страница 246: ...isplays the virtual router configuration domain Use the virtual router command with no virtual router name or use the name VR Default to return to the default configuration domain Now you can create V...

Страница 247: ...n is displayed At the end of the example the virtual router is ready to be configured for OSPF using ExtremeWare XOS commands BD10K 1 create virtual router helix BD10K 2 configure vlan default delete...

Страница 248: ...Virtual Routers ExtremeWare XOS 11 3 Concepts Guide 248...

Страница 249: ...erence Guide for details of the commands related to the FDB The switch maintains a database of all MAC addresses received on all of its ports It uses the information in this database to decide whether...

Страница 250: ...abase are dynamic except for certain entries created by the switch at boot up Entries in the database are removed aged out if after a period of time aging time the device has not transmitted This prev...

Страница 251: ...cted on another virtual port that is not defined in the static FDB entry for the MAC address that address is handled as a blackhole entry Permanent entries Permanent entries are retained in the databa...

Страница 252: ...ied VLANs all blackhole entries Use the following command to clear dynamic entries from the FDB clear fdb mac_addr ports port_list vlan_name blackhole You clear permanent FDB entries by targeting all...

Страница 253: ...s allowed per virtual port You can also lock the FDB entries for a virtual port so that the current entries will not change and no additional addresses can be learned on the port You can also prioriti...

Страница 254: ...here you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance Figure 13 Upstream forwarding or disabling egress flooding example In this example the t...

Страница 255: ...as for all packets on the ports of the BlackDiamond 8800 family of switches formerly known as Aspen or the Summit X450 switch Disabling multicasting egress flooding does not affect those packets withi...

Страница 256: ...ound QOS Monitoring Enabled R Software redundant port Redunda nt s diffserv Replacement Enabled v Vman Enabled f Unicast Flooding Enabled M Multicast Flooding Enabled B Broadcast Flooding Enabled NOTE...

Страница 257: ...ket filtering and forwarding decisions on packets The ACL application will program these policies into the packet filtering hardware on the switch Packets can be dropped forwarded moved to a different...

Страница 258: ...nd mode The following are the most commonly used dd To delete the current line yy To copy the current line p To paste the line copied w To write save the file q To quit the file if no changes were mad...

Страница 259: ...sh use the following commands enable access list refresh blackhole disable access list refresh blackhole Applying Policies ACL policies and routing policies are applied using different commands Applyi...

Страница 260: ...none Commands that use the keyword route policy control the routes advertised or received by the protocol For BGP and RIP here are some examples configure bgp neighbor remoteaddr all address family ip...

Страница 261: ...has no impact on switch performance with the minor exception of the mirror cpu action modifier ACLs are typically applied to traffic that crosses Layer 3 router boundaries but it is possible to use ac...

Страница 262: ...ntries are evaluated in order from the beginning of the file to the end as follows If the packet matches all the match conditions the action in the then statement is taken and the evaluation process t...

Страница 263: ...Evaluation BlackDiamond 8800 Family and Summit X450 Only On the BlackDiamond 8800 family and Summit X450 all matching rule actions in a policy are applied to a given packet Conflicting actions deny vs...

Страница 264: ...ingress egress To log packets Packets are logged only when they go to the CPU so packets in the fastpath are not automatically logged You must use both the mirror cpu action modifier and the log or lo...

Страница 265: ...THER P 8021Q 0x8100 ETHER P IPV6 0x86DD Ethernet Ingress only ethernet source address mac address Ethernet source MAC address Ethernet Ingress only ethernet destination address mac address Ethernet de...

Страница 266: ...d 525 who 513 xdmcp 177 zephyr clt 2103 or zephyr hm 2104 TCP UDP Ingress and Egress TCP flags bitfield TCP flags Normally you specify this match in conjunction with the protocol match statement In pl...

Страница 267: ...stination network prohibited 9 destination network unknown 6 fragmentation needed 4 host precedence violation 14 host unreachable 1 host unreachable for TOS 12 network unreachable 0 network unreachabl...

Страница 268: ...e change will not take effect until you reboot the switch Use the following command to configure the IPv6 ACL masks configure ipv6acl address mask destination ipv6_address source ipv6_address Dynamic...

Страница 269: ...ons are concatenated into a single string The actions parameter corresponds to the then portion of the ACL policy file entry From the command line you can get a list of match conditions and actions by...

Страница 270: ...ted before any L2 rules The precedence among L3 L4 rules is determined by their relative position in the ACL file Rules are evaluated sequentially from top to bottom The precedence among L2 rules is d...

Страница 271: ...ragmented packets An L4 rule with the fragments keyword is not valid see above With the first fragments keyword specified An L3 only rule with the first fragments keyword matches non fragmented or ini...

Страница 272: ...the following entry meter_bw if then meter maximum_bandwidth This example will take the actions specified for the meter maximum_bandwidth for all the traffic that this ACL is applied to Applying ACL...

Страница 273: ...r the host 140 158 18 16 with source port 190 and a destination port in the range of 1200 to 1250 entry udpacl if source address 10 203 134 0 24 destination address 140 158 18 16 32 protocol udp sourc...

Страница 274: ...ommand entry permit established if source address 10 10 20 0 24 protocol TCP tcp flags syn then deny The following entry denies every packet and increments the counter default entry default if then de...

Страница 275: ...match criteria together unless relative precedence with other policy rules is required Using VLAN based or wildcards ACLs requires that the ACL masks are allocated on every port in the system For exam...

Страница 276: ...reful to avoid wasting masks For example consider the following policy policy3 pol entry one if source address 1 1 1 1 32 then count debug entry two if protocol tcp destination port 23 then deny entry...

Страница 277: ...ACL rules in order to function Here are is a list by feature dot1p examination 1 mask 8 rules always enabled DiffServ examination 1 mask 64 rules disabled by default IGMP snooping 2 masks 2 rules enab...

Страница 278: ...Access Lists ACLs ExtremeWare XOS 11 3 Concepts Guide 278...

Страница 279: ...the type of routing protocol involved but these policies are sometimes more efficient and easier to implement than access lists Routing policies can also modify and filter routing information receive...

Страница 280: ...ction The next sections list detailed information about policy match conditions about matching BGP AS paths and about action statements For information on those subjects see the following sections Pol...

Страница 281: ...mask length origin igp egp incomplete Where igp egp and incomplete are the Border Gateway Protocol BGP route origin values tag number Where number is a 4 byte unsigned number route origin direct stat...

Страница 282: ...th any AS number from 2 8 as path 111 2 8 The following AS Path statement matches AS paths beginning with AS number 111 and ending with any additional AS number or beginning and ending with AS number...

Страница 283: ...ities must be enclosed in double quotes cost cost 0 4261412864 Sets the cost metric for a route cost type ase type 1 ase type 2 external internal Sets the cost type for a route dampening half life min...

Страница 284: ...out none policy configure rip vlan vlan name all route policy in out policy name none Other examples of commands that use route policies include configure ospf area area identifier external filter po...

Страница 285: ...then permit entry entry 15 if nlri any 8 then deny entry entry 20 if nlri 10 10 0 0 18 then permit entry entry 25 if nlri 22 44 66 0 23 exact then deny The policy above can be optimized by combining...

Страница 286: ...Action permit match origin incomplete Entry 20 Action deny match community 6553800 Entry 30 Action permit match med 30 set next hop 10 201 23 10 set as path 20 set as path 30 set as path 40 set as pa...

Страница 287: ...1 23 10 as path 20 as path 30 as path 40 as path 40 permit entry entry 40 if then local preference 120 weight 2 permit entry entry 50 match any if origin incomplete community 19661200 then dampening h...

Страница 288: ...Routing Policies ExtremeWare XOS 11 3 Concepts Guide 288 entry deny_rest if then deny...

Страница 289: ...ve control mechanism for networks that have heterogeneous traffic patterns Using Policy based QoS you can specify the service level that a particular traffic type receives Policy based QoS allows you...

Страница 290: ...f packet loss Voice Applications Voice applications or voice over IP VoIP typically demand small amounts of bandwidth However the bandwidth must be constant and predictable because voice applications...

Страница 291: ...latency jitter and some packet loss however small packet loss may have a large impact on perceived performance because of the nature of TCP The relevant parameter for protecting browser applications i...

Страница 292: ...roupings Traffic grouping A classification or traffic type that has one or more attributes in common These can range from a physical port to IP Layer 4 port information You assign traffic groupings to...

Страница 293: ...make up a QoS profile on the BlackDiamond 8800 family of switches and the Summit X450 switch include Buffer This parameter is the maximum amount of packet buffer memory available to all packets associ...

Страница 294: ...th that is reserved for use by a hardware queue on a physical port each physical port has eight hardware queues corresponding to a QoS profile The minimum bandwidth value is configured either as a per...

Страница 295: ...to the profile A traffic grouping is a classification of traffic that has one or more attributes in common Traffic is typically grouped based on the needs of the applications discussed starting on pag...

Страница 296: ...ed on any combination of the following items IP source or destination address IP protocol TCP flag TCP UDP or other Layer 4 protocol TCP UDP port information IP fragmentation MAC source or destination...

Страница 297: ...2 1p priority Configuring DiffServ Configuring 802 1p Priority Extreme Networks switches support the standard IEEE 802 1p priority bits that are part of a tagged Ethernet packet The 802 1p bits can be...

Страница 298: ...pport 2 queues based on flows you can define up to 6 additional queues The transmitting queue determines the characteristics used when transmitting packets NOTE See for Chapter 9 information regarding...

Страница 299: ...cement configuration is based on the ingress port To replace 802 1p priority information use the following command enable dot1p replacement ports port_list all NOTE The port in this command is the ing...

Страница 300: ...ions DiffServ information on the BlackDiamond 10K only Observing DiffServ information Changing DiffServ code point DSCP mapping Replacing DSCP information DiffServ information on the BlackDiamond 10K...

Страница 301: ...of the 64 code points using the following command configure diffserv examination code point code point qosprofile qosprofile Once assigned the rest of the switches in the network prioritize the packe...

Страница 302: ...e replaced in the IP packet To view currently configured DiffServ information use the following command show diffserv examination replacement DiffServ example for the BlackDiamond 8800 family of switc...

Страница 303: ...traffic coming from network 10 1 2 x with a specific DiffServ code point This allows all other network switches to send and observe the Diffserv code point instead of repeating the same QoS configura...

Страница 304: ...traffic grouping indicates that all intra VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile To configure a VLAN traffic grouping use the following...

Страница 305: ...l ANY Match all protocols Trunking Load sharing is not enabled EDP Enabled DLCS Unsupported lbDetect Unsupported Learning Enabled Flooding Enabled Jumbo Disabled BG QoS monitor Unsupported Egress Port...

Страница 306: ...MinBw 0 MaxBw 100 Pri 5 Qp6 MinBw 0 MaxBw 100 Pri 6 Qp7 MinBw 0 MaxBw 100 Pri 7 Qp8 MinBw 0 MaxBw 100 Pri 8 Ingress Rate Shaping support IQP1 8 IQP1 MinBw 0 MaxBw 100 Pri 1 IQP2 MinBw 0 MaxBw 100 Pri...

Страница 307: ...Qp5 MinBw 0 MaxBw 100 Pri 5 Qp6 MinBw 0 MaxBw 100 Pri 6 Qp7 MinBw 0 MaxBw 100 Pri 7 Qp8 MinBw 0 MaxBw 100 Pri 8 Ingress Rate Shaping support IQP1 2 IQP1 MinBw 0 MaxBw 100 Pri 1 IQP2 MinBw 0 MaxBw 100...

Страница 308: ...Information You can also verify the QoS configuration in place Refer to Verifying Physical and Logical Groupings on page 304 for additional information on displaying QoS information for each port Disp...

Страница 309: ...is higher than the limit allowed to egress the specified port s for a burst or short duration The default behavior is to have no limit on the egress traffic per port To view the configured egress port...

Страница 310: ...nteed minimum rates The number of queues from the ingress port to the backplane differs between I O modules The 1 Gbps I O module has 2 queues from the ingress port to the backplane and the 10 Gbps I...

Страница 311: ...maximum committed rates vary with the number of active ports on each I O module The rates shown in Table 48 are what you can expect when you all running all ports at traffic level If you are using fe...

Страница 312: ...gement system You can enter any integer from 0 in the CLI however functionally the switch operates only in multiples of 62 5 Kbps Also note that the CLI system does not accept decimals Rate shaping is...

Страница 313: ...cts incorporate a number of features designed to enhance the security of your network while resolving issues with minimal network disruption No one feature can ensure security but by using a number of...

Страница 314: ...used by routing protocol applications to control the advertisement reception and use of routing information by the switch By using policies a set of routes can be selectively permitted or denied base...

Страница 315: ...hapter 11 Forwarding Database The following section Limiting Dynamic MAC Addresses describes how MAC address security allows you to limit the number of dynamically learned MAC addresses allowed per vi...

Страница 316: ...om learning and responding to ICMP and ARP packets Dynamically learned entries still get aged and can be cleared If entries are cleared or aged out after the learning limit has been reached new entrie...

Страница 317: ...r Layer 2 switch Configuring a MAC address limit on all S1 ports might prevent ESRP communication between S2 and S3 To resolve this you should add a back to back link between S2 and S3 This link is no...

Страница 318: ...ber lock learning unlimited learning unlock learning When you remove the lock down using the unlock learning option the learning limit is reset to unlimited and all associated entries in the FDB are f...

Страница 319: ...rver addresses and WINS server information for a particular VLAN use the following command unconfigure vlan vlan_name dhcp options To remove all the DHCP information for a particular VLAN use the foll...

Страница 320: ...ttempting to characterize the problem and filter out the offending traffic so that other functions can continue When a flood of CPU bound packets reach the switch DoS Protection will count these packe...

Страница 321: ...interval at which the switch checks for DoS attacks use the following command configure dos protect interval seconds To configure the alert threshold use the following command configure dos protect ty...

Страница 322: ...witch NOTE You cannot enable RADIUS and TACACS at the same time You define a primary and secondary RADIUS server for the switch to contact When a user attempts to log in using Telnet HTTP or the conso...

Страница 323: ...cify the mgmt access or netlogin keywords the timeout interval applies to both switch management and netlogin RADIUS servers Configuring the Shared Secret Password for RADIUS Servers In addition to sp...

Страница 324: ...network login use the same primary and secondary RADIUS servers for accounting To specify one pair of RADIUS accounting servers for switch management and another pair for network login make sure to s...

Страница 325: ...not specify a keyword RADIUS accounting is disabled on the switch for both management and network login Per Command Authentication Using RADIUS You can use the RADIUS implementation to perform per co...

Страница 326: ...privilege if a Service Type value of 6 is transmitted as part of the Access Accept message from the RADIUS server Other Service Type values or no value result in the switch granting read only access t...

Страница 327: ...ADIUS server problems Cistron RADIUS Cistron RADIUS is a popular server distributed under GPL Cistron RADIUS can be found at http www miquels cistron nl radius When you configure the Cistron server fo...

Страница 328: ...onnections and fill in the desired number of maximum sessions RADIUS Server Configuration Example Merit Many implementations of RADIUS server use the publicly available Merit AAA server application To...

Страница 329: ...exact or partial strings of CLI commands A named profile is linked with a user through the users file A profile with the permit on keywords allows use of only the listed commands A profile with the de...

Страница 330: ...nable disable ipforwarding show switch PROFILE2 enable clear counters show management PROFILE3 deny create vlan configure iproute disable show fdb delete configure rip add TACACS Terminal Access Contr...

Страница 331: ...a TACACS server failure when the timeout has expired the switch makes one authentication attempt before trying the next designated TACACS server or reverting to the local database for authentication I...

Страница 332: ...ry TACACS server Configures the secondary TACACS server Configures the shared secret for the secondary TACACS server Enables TACACS on the switch All other settings use the default settings as describ...

Страница 333: ...er or reverting to the local database for authentication In the event that the switch still has IP connectivity to the TACACS accounting server but a TCP session cannot be established such as a failed...

Страница 334: ...ver Configures the shared secret for the secondary TACACS accounting server Enables TACACS accounting on the switch All other settings use the default settings as described earlier in this section or...

Страница 335: ...system via an SSH2 session The ExtremeWare XOS SSH2 switch application also works with SSH2 client version 2 x or later from SSH Communication Security and with version 2 5 or later from OpenSSH The S...

Страница 336: ...switch To get such key you can use the command show configuration exsshd to display the key on the console Copy the key to a text editor and remove the carriage return line feeds from the key Finally...

Страница 337: ...y directly on the switch Use the tftp command to transfer a policy that you created using a text editor on another system to the switch For more information about creating and implementing ACLs and po...

Страница 338: ...e or IP address ExtremeWare XOS only allows SCP2 to transfer to the switch files named as follows cfg ExtremeWare XOS configuration files pol ExtremeWare XOS policy files In the following examples you...

Страница 339: ...P2 use the following command scp2 cipher 3des blowfish port portnum debug debug_level user hostname ipaddress remote_file local_file vr vr_name For example to copy the configuration file test cfg on h...

Страница 340: ...data encryption RC4 DES and 3DES Message Authentication Code MAC algorithms MD5 and SHA The Converged Network Analyzer CNA Agent requires SSL to encrypt communication between the CNA Agent and the CN...

Страница 341: ...th is approximately 2 kb and the private key length is approximately 3 kb Downloading a Certificate Key from a TFTP Server You can download a certificate key from files stored in a TFTP server If the...

Страница 342: ...s and Keys on page 342 for more information Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration Once you issue the save command the d...

Страница 343: ...et Layer ExtremeWare XOS 11 3 Concepts Guide 343 Displaying SSL Information Use the following command to display whether the switch has a valid private and public key pair and the state of HTTPS acces...

Страница 344: ...Security ExtremeWare XOS 11 3 Concepts Guide 344...

Страница 345: ...tion types and modes of operation can be used in any combination When web based network login is enabled on a switch port that port is placed into a non forwarding state until authentication takes pla...

Страница 346: ...r the only connection that exists is to the authenticator As a result the authenticator must be furnished with a temporary DHCP server to distribute the IP address The switch responds to DHCP requests...

Страница 347: ...rt is available only on newer operating systems such as Windows XP 802 1x requires an EAP capable RADIUS Server Most current RADIUS servers support EAP so this is not a major disadvantage Transport La...

Страница 348: ...VLAN remain constant Before the supplicant is authenticated the port is in an unauthenticated state After authentication the port forwards packets You do not explicitly configure the mode of operatio...

Страница 349: ...ved images and configurations from the primary to the backup using the synchronize command 3 Initiate failover using the run msm failover command For more detailed information about verifying the stat...

Страница 350: ...tch to authenticate the client in the original VLAN or deny authentication even if the user name and password are correct For example this may occur if a destination VLAN does not exist To configure t...

Страница 351: ...based MAC based and 802 1x netlogin support RADIUS authentication Only web based and MAC based netlogin support local database authentication This section describes the following topics in greater det...

Страница 352: ...ccessful authentication must already exist on switch Extreme Netlogin VLAN ID 209 Integer Access Accept ID of destination VLAN after successful authentication must already exist on switch Extreme Netl...

Страница 353: ...VLAN The following describes the guidelines for VSA 211 For tagged VLAN movement with 802 1x netlogin you must use VSA 211 For untagged VLAN movement with 802 1x netlogin you can use all current Extre...

Страница 354: ...eme Netlogin VLAN Name The following describes the guidelines for VSA 203 For untagged VLAN movement with 802 1x netlogin you can use all current Extreme Networks VLAN VSAs VSA 203 VSA 209 and VSA 211...

Страница 355: ...a value of 1 enabled To specify that a user can authenticate via other methods use a value of 0 disabled VSA 206 Example See the examples described in the section Creating User Accounts on the RADIUS...

Страница 356: ...s If you use RADIUS for authentication Extreme Networks recommends that you use the same user name and password for both local authentication and RADIUS authentication If you attempt to create a user...

Страница 357: ...user name Creates a password associated with the local netlogin user name Adds the VLAN test1 as the destination VLAN The following is a sample display from this command create netlogin local user meg...

Страница 358: ...pt enter the new password and press Enter The switch then prompts you to reenter the password Passwords are case sensitive Passwords must have a minimum of 0 characters and a maximum of 32 characters...

Страница 359: ...e of the currently available protocols although TTLS is advertised to be as strong as TLS Both TLS and TTLS are certificate based and require a Public Key Infrastructure PKI that can issue renew and r...

Страница 360: ...IUS server Types of authentication methods supported on RADIUS as mentioned previously Need to support VSAs Parameters such as Extreme Netlogin Vlan Name destination vlan for port movement after authe...

Страница 361: ...dius netlogin primary server 10 0 1 2 1812 client ip 10 10 20 30 vr VR Mgmt configure radius netlogin primary shared secret purple enable radius The following example is for the FreeRADIUS server the...

Страница 362: ...1x enabled clients However when the visitors attempt to log into the network they are granted limited network access because they do not have 802 1x enabled clients The visitors might be able to reac...

Страница 363: ...ot running the current approved anti virus software or the client has not installed the appropriate software updates If this occurs the client is authenticated but has limited network access until the...

Страница 364: ...owing command configure netlogin base url url Where url is the DNS name of the switch For example configure netlogin base url network access net makes the switch send DNS responses back to the netlogi...

Страница 365: ...thenticated network login clients Unauthenticated ports belong to the VLAN temp This kind of configuration provides better security as unauthenticated clients do not connect to the corporate subnet an...

Страница 366: ...hcp options wins server 10 0 1 85 configure netlogin vlan temp enable netlogin web based enable netlogin ports 1 10 1 14 4 1 4 4 web based configure netlogin base url network access net Default config...

Страница 367: ...every logout and before login again as the port moves back and forth between the temporary and permanent VLANs At this point the client will have its temporary IP address In this example the client s...

Страница 368: ...its configured parameters timeout retries and so on or the local database The credentials used for this are the supplicants MAC address in ASCII representation and a locally configured password on the...

Страница 369: ...and authenticate a client with a specific MAC address Only MAC addresses that have a match for the specific ports are sent for authentication For example if you associate a MAC address with one or mor...

Страница 370: ...s this is the supplicants MAC address with the configured mask applied Note that the commands are VR aware and therefore one MAC list table exists per VR Secure MAC Configuration Example The following...

Страница 371: ...netlogin ports 4 1 4 4 mac configure netlogin add mac list default password RADIUS Configuration configure radius netlogin primary server 10 0 1 2 1812 client ip 10 10 20 30 vr VR Mgmt configure radi...

Страница 372: ...login MAC Based VLANs Rules and Restrictions This section summarizes the rules and restrictions for configuring netlogin MAC based VLANs You must configure and enable netlogin on the switch and before...

Страница 373: ...ased virtual port VLAN combination n Indicates the FDB entry was added by network login VLAN and Port Information To view the VLANs that netlogin adds temporarily in MAC based mode use the following c...

Страница 374: ...SecretPassword Expanding upon the previous example you can also utilize the local database for authentication rather than the RADIUS server create netlogin local user 000000000012 vlan vsa untagged de...

Страница 375: ...l the ratio of two counters or even the ratio of the changes of two counters over an interval For example you can monitor the ratio between TCP SYN and TCP packets An abnormally large ratio may indica...

Страница 376: ...of CLEAR Flow rules use the following command show clear flow To display the CLEAR Flow rules and configuration use the following command show clear flow port port vlan vlanname any rule rulename det...

Страница 377: ...riggered and when the match conditions later become false NOTE When you create an ACL policy file that contains CLEAR Flow rules the CLEAR Flow rules do not have any precedence unlike the ACL entries...

Страница 378: ...were only evaluated for that particular interface that the CLEAR Flow rule was applied to Beginning with the ExtremeWare XOS 11 2 release you can specify the global rule statement so that counters are...

Страница 379: ...counter referred to by an ACL rule entry and the countThreshold is the value compared with the counter The REL_OPER is selected from the relational operators for greater than great than or equal to l...

Страница 380: ...delta counter1 100 hysteresis 10 will only be true after the delta of the counter reaches at least 100 At the time it becomes true the hysteresis value is subtracted from the threshold setting the thr...

Страница 381: ...ubtracted from the threshold for or the hysteresis value is added to the threshold For example the following ratio expression ratio counter1 counter2 5 min value 100 hysteresis 1 will only be true aft...

Страница 382: ...counter is less than the minimum value the expression evaluates to false If not specified the minimum value is 1 The hysteresis hysteresis statement is optional and sets a hysteresis value for the th...

Страница 383: ...n rule true count ruleName REL_OPER countThreshold The rule true count statement specifies how to compare how many times a CLEAR Flow rule is true with the expression threshold The ruleName is the nam...

Страница 384: ...the different rule actions Permit Deny This action modifies an existing ACL rule to permit or block traffic that matches that rule To change an ACL to permit use the following syntax permit ACLRuleNam...

Страница 385: ...and CRIT The message is sent periodically with interval period seconds If period is zero or if this optional parameter is not present the message is sent only once when the rule is triggered The inter...

Страница 386: ...CLEAR Flow rule name counterName Replace with counter value for the indicated counter name ruleValue Replace with the current expression value ruleThreshold Replace with the expression threshold valu...

Страница 387: ...cted by the IP re assembly algorithm for whatever reason timed out errors etc Note that this is not necessarily a count of discarded IP fragments since some algorithms notably the algorithm in RFC 815...

Страница 388: ...toUnreachs The number of incoming ICMP packets addressed to a not in use unreachable invalid protocol This message is in the general category of ICMP destination unreachable error messages sys_IcmpInB...

Страница 389: ...ntry acl_rule1 if destination address 192 168 16 0 24 destination port 2049 protocol tcp then count counter1 entry cflow_count_rule_example if count counter1 1000000 period 10 then snmptrap 123 Traffi...

Страница 390: ...rate limit qosprofile acl_rule1 QP1 cli configure qosprofile qp3 maxbw 100 ports all Ratio Expression Example In this example every 2 seconds the CLEAR Flow agent will request the counter1 and counte...

Страница 391: ...eWare XOS 11 3 Concepts Guide 391 protocol tcp then count counter2 entry cflow_ratio_rule_example if ratio counter1 counter2 5 period 2 min value 1000 then syslog Rule ruleName threshold ratio ruleVal...

Страница 392: ...d deny all SYN traffic on the interface No period value for the syslog message is given so the message will be logged once when the expression first becomes true When the expression transitions from t...

Страница 393: ...2 Using Switching and Routing Protocols...

Страница 394: ......

Страница 395: ...cense To use the complete EAPS functionality including running two or more EAPS rings having a switch belonging to multiple EAPS rings or configuring shared ports that allow multiple EAPS domains to s...

Страница 396: ...signated the master node see Figure 18 while all other nodes are designated as transit nodes Figure 17 Gigabit Ethernet fiber EAPS MAN ring One port of the master node is designated the master node s...

Страница 397: ...nvergence for the entire switch not by EAPS domain Fault Detection and Recovery EAPS fault detection on a ring is based on a single control VLAN per EAPS domain This EAPS domain provides protection to...

Страница 398: ...low through the master s secondary port The master node also flushes its FDB and sends a message on the control VLAN to all of its associated transit nodes to flush their forwarding databases as well...

Страница 399: ...ored the master receives its health check packet back on its secondary port and once again declares the ring to be complete Again the master node logically Blocks the protected VLANs on its secondary...

Страница 400: ...ld span two rings interconnected by a common switch a figure eight topology In this example there is an EAPS domain with its own control VLAN running on ring 1 and another EAPS domain with its own con...

Страница 401: ...node Each EAPS domain will protect its own set of protected VLANS In a spatial reuse configuration do not add the same protected VLAN to both EAPS domains You can also use spatial reuse with EAPS shar...

Страница 402: ...common link you may experience a loop situation across both rings To solve this problem you can configure EAPS shared ports NOTE You must have a core or an advanced core license to use the EAPS share...

Страница 403: ...ent in this software release you can use the existing solution of configuring EAPS plus STP Configuring EAPS on a Switch To configure and enable an EAPS domain complete the following steps 1 Create EA...

Страница 404: ...the identifying keyword as well as the actual name If you do not use the keyword the system may return an error message The following command example creates an EAPS domain named eaps_1 create eaps e...

Страница 405: ...failtimer expires The seconds parameter must be greater than the configured value for hellotime The default value is 3 seconds To configure the action taken if there is a break in the ring use the fol...

Страница 406: ...messages NOTE A control VLAN cannot belong to more than one EAPS domain If the domain is active you cannot delete the domain or modify the configuration of the control VLAN To configure the EAPS cont...

Страница 407: ...As long as the ring is complete the master node blocks the protected VLANs on its secondary port The following command example adds the protected VLAN orchid to the EAPS domain eaps_1 configure eaps...

Страница 408: ...eaps_1 primary port Displaying EAPS Status Information To display EAPS status information use the following command show eaps This example displays summary EAPS information EAPS Enabled Yes EAPS Fast...

Страница 409: ...ode The display from the show eaps detail command shows all the information shown in the show eaps eapsDomain command but displays information for all configured EAPS domains Table 57 explains the fie...

Страница 410: ...n is completed Pre Complete The EAPS domain has started operation for Complete state and has sent a request to lower hardware layers to block the secondary port It is in transient state waiting for ac...

Страница 411: ...rt assigned to it but the port is untagged in the control VLAN Undetermined Either a VLAN has not been added as the control VLAN to this EAPS domain or this port has not been added to the control VLAN...

Страница 412: ...the master nodes of their respective EAPS domains S3 S4 S6 S7 S9 and S10 are the transit nodes of their respective EAPS domains S1 and S2 are running EAPSv2 S1 is the controller S2 is the partner P1 i...

Страница 413: ...ed ports This is particularly useful when planning your EAPS configuration The benefit of sorting ports in ascending order is evident if a common link fails The port with the lowest port number among...

Страница 414: ...se the following command delete eaps shared port ports Defining the Mode of the Shared Port The shared port on one end of the common link must be configured to be the controller This is the end respon...

Страница 415: ...er is set to 3 seconds Unconfiguring an EAPS Shared Port To unconfigure a link ID on a shared port use the following command unconfigure eaps shared port ports link id To unconfigure the mode on a sha...

Страница 416: ...roller or partner The mode is configured by the user Link ID The link ID is the unique common link identifier configured by the user Up Displays one of the following states Yes Indicates that the link...

Страница 417: ...he detail keyword None Indicates that there is no Active Open port on the VLAN Port Indicates the port that is Active Open and is in a forwarding state Segment Timer expiry action Segment down Specifi...

Страница 418: ...state Link Id The neighbor on this port is a controller in the Blocking state with a link ID of Link Id Segment RB Id available with the detail keyword or by specifying a shared port None The neighbor...

Страница 419: ...port configurations Basic Configuration This example shown in Figure 26 is the most basic configuration two EAPS domains with a single common link between them Figure 26 EAPS shared port basic config...

Страница 420: ...e 28 EAPS shared port right angle configuration Combined Basic Core and Right Angle Configuration Figure 29 shows a combination Basic Core and Right Angle configuration EW_096 S4 S3 S2 S1 Partner EAPS...

Страница 421: ...EW_098 S7 S3 S4 S2 S1 EAPS5 EAPS2 EAPS1 S8 S12 S11 S5 Controller S14 S15 S13 S9 S10 Common link Partner S6 Common link Common link EAPS3 EAPS4 Controller Partner Partner Controller Master node S P li...

Страница 422: ...Right Angle configuration Figure 31 Advanced configuration EW_101 S2 S1 S8 S9 S11 S10 Controller S14 S3 S13 S12 S7 S4 S5 Common link Common link Common link Common link S6 EAPS3 EAPS6 EAPS4 EAPS2 EAP...

Страница 423: ...STP in terms used by the IEEE 802 1D specification the switch will be referred to as a bridge Overview of the Spanning Tree Protocol STP is a bridge based mechanism for providing fault tolerance on n...

Страница 424: ...ports that belong to the STPD and the 802 1Q tag used to transport EMISTP or PVST encapsulated BPDUs see Encapsulation Modes on page 425 for more information about encapsulating STP BPDUs Only one ca...

Страница 425: ...ee RSTP When configured in this mode all rapid configuration mechanisms are enabled The benefit of this mode is available on point to point links only and when the peer is likewise configured in 802 1...

Страница 426: ...s It is possible for the physical port to run in different modes for different domains to which it belongs To configure the BPDU encapsulation mode for one or more STP ports use the following command...

Страница 427: ...to an STPD are manually and automatically By default ports are manually added to an STPD NOTE The default VLAN and STPD S0 are already on the switch Manually Binding Ports To manually bind ports use o...

Страница 428: ...PD S0 When you issue this command any port or list of ports that you add to the carrier VLAN are automatically added to the STPD with autobind enabled In addition any port or list of ports that you re...

Страница 429: ...kDiamond chassis one MSM assumes the role of primary and the other MSM assumes the role of backup The primary executes the switch s management functions and the backup acts in a standby role Hitless f...

Страница 430: ...ultiple STPDs on a single port which uses EMISTP A VLAN that spans multiple STPDs Basic STP Configuration This section describes a basic 802 1D STP configuration Figure 32 illustrates a network that u...

Страница 431: ...loops are prevented The protected VLAN Marketing which has been assigned to both STPD1 and STPD2 communicates using all five switches The topology has no loops because STP has already blocked the port...

Страница 432: ...ed in an STP topology All VLANs in each switch are members of the same STPD STP can block traffic between switch 1 and switch 3 by disabling the trunk ports for that connection on each switch Switch 2...

Страница 433: ...and S2 still correspond to VLANs A and B respectively you can fine tune STP parameters to make the left link active in S1 and blocking in S2 while the right link is active in S2 and blocking in S1 Onc...

Страница 434: ...local to other VLANs Figure 35 VLAN spanning multiple STPDs In addition the configuration in Figure 35 has these features Each site can be administered by a different organization or department withi...

Страница 435: ...Figure 37 VLAN red the only VLAN in the figure spans STPDs 1 2 and 3 Inside each domain STP produces a loop free topology However VLAN red is still looped because the three domains form a ring among...

Страница 436: ...on the physical port Third party PVST devices send VLAN 1 packets in a special manner ExtremeWare XOS does not support PVST for VLAN 1 Therefore when the switch receives a packet for VLAN 1 the packet...

Страница 437: ...of a port in an STPD RSTP tries to rapidly move designated point to point links into the forwarding state when a network topology change or failure occurs For rapid convergence to occur the port must...

Страница 438: ...than relying on additional timer configurations Table 61 describes the user configurable timers and Table 62 describes the timers that are derived from other timers and not user configurable Table 60...

Страница 439: ...fication TCN timer when it detects a change in the network topology The TCN timer stops when the topology change timer expires or upon receipt of a topology change acknowledgement The default value is...

Страница 440: ...following is true The port Has been in either a root or designated port role long enough that the spanning tree information supporting this role assignment has reached all of the bridges in the networ...

Страница 441: ...ing state RSTP requires that the recent root timer stop on the previous root port before the new root port can enter the forwarding state Designated Port Rapid Behavior When a port becomes a new desig...

Страница 442: ...e communicated through the network In an RSTP environment only non edge ports entering the forwarding state cause a topology change A loss of network connectivity is not considered a topology change h...

Страница 443: ...er the configuration update bridge F Considers itself the new root bridge Sends a BPDU message on its designated port to bridge E Figure 40 Down link detected 2 Bridge E believes that bridge A is the...

Страница 444: ...uration update from bridge E bridge F Decides that the receiving port is the root port Determines that bridge E is the root bridge Figure 42 Communicating new root bridge status to neighbors 4 Bridge...

Страница 445: ...opose message to confirm a port role 5 Upon receiving the proposal bridge E as shown in Figure 44 Performs a configuration update Changes its receiving port to a root port The existing designated port...

Страница 446: ...legacy STP bridges Each RSTP bridge contains a port protocol migration state machine to ensure that the ports in the STPD operate in the correct configured mode The state machine is a protocol entity...

Страница 447: ...ose of the connected devices The 802 1D ports must be untagged and the EMISTP PVST ports must be tagged in the carrier VLAN An STPD with multiple VLANs must contain only VLANs that belong to the same...

Страница 448: ...RFC 1493 Bridge MIB RSTP 03 and Extreme Networks STP MIB Parameters of the s0 default STPD support RFC 1493 and RSTP 03 Parameters of any other STPD support the Extreme Networks STP MIB NOTE If an ST...

Страница 449: ...apsulation dot1d enable stpd backbone_st auto bind vlan engineering configure stpd backbone_st tag 150 enable stpd backbone_st By default the port encapsulation mode for user defined STPDs is emistp I...

Страница 450: ...s1 create stpd s2 configure stpd s2 add yellow ports all configure stpd s2 tag 300 configure stpd s2 add red ports 1 3 1 4 emistp enable stpd s2 RSTP 802 1w Configuration Example Figure 48 is an examp...

Страница 451: ...are XOS 11 3 Concepts Guide 451 Figure 48 RSTP example Sales Personnel Marketing STPD 1 STPD 2 Manufacturing Engineering Marketing Sales Personnel Manufacturing Engineering Marketing Switch A Switch Y...

Страница 452: ...nfigure vlan marketing add ports 1 1 2 1 tagged configure stpd stpd1 add vlan sales ports all configure stpd stpd1 add vlan personnel ports all configure stpd stpd1 add vlan marketing ports all config...

Страница 453: ...on Configured port link type Operational port link type If you have a VLAN that spans multiple STPDs use the show vlan vlan_name stpd command to display the STP configuration of the ports assigned to...

Страница 454: ...Spanning Tree Protocol ExtremeWare XOS 11 3 Concepts Guide 454...

Страница 455: ...RP cache entries in client workstations do not need to be refreshed or aged out ESRP is available only on Extreme Networks switches In addition to providing Layer 3 routing redundancy for IP and IPX E...

Страница 456: ...RP on page 476 For more information about standalone ELRP see Using Standalone ELRP to Perform Loop Tests on page 620 Reasons to Use ESRP You can use ESRP to achieve edge level or aggregation level re...

Страница 457: ...vity broadcast storms or other unpredictable behavior may occur If you have an untagged master VLAN you must specify an ESRP domain ID The domain ID must be identical on all switches participating in...

Страница 458: ...ESRP aware you must create an ESRP domain on the aware switch add a master VLAN to that ESRP domain and configure a domain ID if necessary To participate as an ESRP aware switch the following must be...

Страница 459: ...e requesting switch For example if a slave switch wants to become the master it enters the pre master state notifies the neighbor switch and forces the neighbor to acknowledge the change The neighbor...

Страница 460: ...uto toggle feature Depending on the mode of operation configured on the neighbor switch the mode of operation at this end will toggle to the same mode of operation as the neighbor For example if you u...

Страница 461: ...links may contain a router to router VLAN along with other VLANs participating in an ESRP domain If multiple VLANs are used on the direct links use 802 1Q tagging The direct links may be aggregated i...

Страница 462: ...witch providing Layer 3 routing and or Layer 2 switching services for a VLAN using the following default factors Stickiness The switch with the higher sticky value has higher priority When an ESRP dom...

Страница 463: ...is in slave mode it exchanges ESRP packets with other switches on that same VLAN When a switch is in slave mode it does not perform Layer 3 routing or Layer 2 switching services for the VLAN From a La...

Страница 464: ...tors ESRP hello timer setting ESRP neighbor timer setting The routing protocol being used for interrouter connectivity if Layer 3 redundancy is used OSPF failover time is faster than RIP failover time...

Страница 465: ...ain should consider election factors in the following order Active ports tracking information ESRP priority MAC address NOTE This is the default election algorithm for standard mode priority mac Speci...

Страница 466: ...g VLANs see Chapter 5 Virtual LANs For more information about ESRP master and member VLANs see Adding VLANs to an ESRP Domain on page 468 You can also configure other ESRP domain parameters including...

Страница 467: ...ed NOTE If you use the same name across categories for example STPD and ESRP names Extreme Networks recommends that you specify the appropriate keyword as well as the actual name If you do not specify...

Страница 468: ...ster sales To delete a master VLAN you must first disable the ESRP domain before removing the master VLAN using the disable esrp esrpDomain command To delete a master VLAN from an ESRP domain use the...

Страница 469: ...n is used to track various forms of connectivity from the ESRP switch to the outside world This section describes the following ESRP tracking options ESRP Environment Tracking on page 470 ESRP VLAN Tr...

Страница 470: ...status and remains in slave mode You can track a maximum of one VLAN To add or delete the tracked VLAN use one of the following commands configure esrp esrpDomain add track vlan vlan_name configure e...

Страница 471: ...of tracked devices use the following command show esrp name ESRP Tracking Example Figure 50 is an example of ESRP tracking Figure 50 ESRP tracking To configure VLAN tracking use the following command...

Страница 472: ...disconnection of these ports causes downstream devices to remove the ports from their FDB tables This feature allows you to use ESRP in networks that include equipment from other vendors After 2 secon...

Страница 473: ...net Automatic Protection Switching EAPS or VRRP A broadcast storm may occur To configure a port to be a host port use the following command configure esrp ports ports mode host normal ESRP Port Weight...

Страница 474: ...le ESRP groups is when two or more sets of ESRP switches are providing fast failover protection within a subnet A maximum of seven distinct ESRP groups can be supported on a single ESRP switch and a m...

Страница 475: ...gure ESRP refer to the ExtremeWare XOS Command Reference Guide Using ELRP with ESRP Extreme Loop Recovery Protocol ELRP is a feature of ExtremeWare XOS that allows you to prevent detect and recover fr...

Страница 476: ...its ESRP domain ports If the master switch receives an ELRP PDU that it sent the master transitions to the slave While in the slave state the switch transitions to the pre master rate and periodically...

Страница 477: ...P in the master state use the following command configure esrp esrpDomain elrp master poll disable Configuring Ports You can configure one or more ports of an ESRP domain where ELRP packet transmissio...

Страница 478: ...hing for ESRP domain esrp1 and VLAN Sales The edge switches are dual homed to the BlackDiamond 10K switches The BlackDiamond 10K switches perform Layer 2 switching between the edge switches and Layer...

Страница 479: ...tches sense when a master slave transition occurs and flush FDB entries associated with the uplinks to the ESRP enabled BlackDiamond 10K switches The following commands are used to configure both Blac...

Страница 480: ...mode of operation use the configure esrp mode extended standard command The commands used to configure the BlackDiamond 10K switches are as follows create vlan sales configure vlan sales add ports 1...

Страница 481: ...he first BlackDiamond 10K switch uses 802 1Q tagging to carry traffic from both VLANs traffic on one link The BlackDiamond switch counts the link active for each VLAN The second BlackDiamond switch ha...

Страница 482: ...d master sales configure esrp esrp1 priority 5 enable esrp esrp1 create esrp esrp2 configure esrp esrp2 domain id 4097 configure esrp esrp2 add master engineering enable esrp esrp2 Configuration comma...

Страница 483: ...nd a VLAN but you must do so on separate devices You should be careful to maintain ESRP connectivity between ESRP master and slave switches when you design a network that uses ESRP and STP ESRP and VR...

Страница 484: ...Extreme Standby Router Protocol ExtremeWare XOS 11 3 Concepts Guide 484...

Страница 485: ...sers VRRP is used to eliminate the single point of failure associated with manually configuring a default gateway address on each host in a network Without using VRRP if the configured default gateway...

Страница 486: ...lover If any of the configured routes are not available within the route table the router automatically relinquishes master status and remains in INIT mode To add or delete a tracked route use one of...

Страница 487: ...the IP routing table When the route is no longer available the switch implements a VRRP failover to the backup To configure ping tracking as shown in Figure 55 use the following command configure vrrp...

Страница 488: ...all backup routers This signals the backup routers that they do not need to wait for the master down interval to expire and the master election process for a new master can begin immediately The maste...

Страница 489: ...ckup router The master router is responsible for forwarding packets sent to the virtual router When the VRRP network becomes active the master router broadcasts an ARP request that contains the virtua...

Страница 490: ...Fully redundant VRRP configuration In Figure 57 switch A is configured as follows IP address 192 168 1 3 Master router for VRID 1 Backup router for VRID 2 MAC address 00 00 5E 00 01 01 Switch B is con...

Страница 491: ...p_address This is the IP address associated with this virtual router You can associate one or more IP addresses to a virtual router This parameter has no default value advertisement_interval This is t...

Страница 492: ...ch A are as follows configure vlan vlan1 ipaddress 192 168 1 3 24 create vrrp vlan vlan1 vrid 1 configure vrrp vlan vlan1 vrid 1 prioirty 255 configure vrrp vlan vlan1 vrid 1 add 192 168 1 3 enable vr...

Страница 493: ...vlan vlan1 vrid 1 add 192 168 1 3 create vrrp vlan vlan1 vrid 2 configure vrrp vlan vlan1 vrid 2 add 192 168 1 5 enable vrrp The configuration commands for switch B are as follows configure vlan vlan...

Страница 494: ...onfigured with IP addresses 1 1 1 1 24 and 2 2 2 2 24 the following configurations are allowed VRRP VR on VLAN v1 with VRID 99 with virtual IP addresses 1 1 1 2 and 1 1 1 3 VRRP VR on VLAN v1 with VRI...

Страница 495: ...rview of IPv4 Unicast Routing The switch provides full Layer 3 IPv4 unicast routing It exchanges routing information with other routers on the network using either the Routing Information Protocol RIP...

Страница 496: ...signed to Finance all ports on slots 2 and 4 are assigned to Personnel Finance belongs to the IP network 192 207 35 0 the router interface for Finance is assigned the IP address 192 207 35 1 Personnel...

Страница 497: ...for security reasons to control which routes you want advertised by the router You configure if you want all static routes to be advertised using one of the following commands enable rip export bgp d...

Страница 498: ...lative route priorities Relative Route Priorities Table 65 lists the relative priorities assigned to routes depending on the learned source of the route NOTE Although these priorities can be changed d...

Страница 499: ...d to achieve router redundancy and to simplify IP client configuration The switch supports proxy ARP for this type of network configuration The section describes some example of using proxy ARP with t...

Страница 500: ...address 100 101 45 67 using its own MAC address All subsequent data packets from 100 101 102 103 are sent to the switch and the switch routes the packets to 100 101 45 67 Configuring IPv4 Unicast Rout...

Страница 501: ...ned Additional verification commands include show iparp Displays the IP ARP table of the system show ipconfig Displays configuration information for one or more VLANs Routing Configuration Example Fig...

Страница 502: ...Personnel All other traffic NetBIOS is part of the VLAN MyCompany The example in Figure 61 is configured as follows create vlan Finance create vlan Personnel create vlan MyCompany configure Finance pr...

Страница 503: ...tation that required separate VLANs for each IP network The implementation introduced in ExtremeWare XOS 11 0 is simpler to configure does not require that you create a dummy multinetting protocol and...

Страница 504: ...e Transfer Protocol TFTP Secure Shell 2 SSH2 and others to the switch from a host residing in either the primary or the secondary subnet of the VLAN Other host functions such as traceroute are also su...

Страница 505: ...gured on per VLAN basis There is no way to configure a routing protocol on an individual primary or secondary interface Configuring a protocol parameter on a VLAN automatically configures the paramete...

Страница 506: ...n be exported into the BGP domain by enabling export of direct routes IGMP Snooping and IGMP Internet Group Management Protocol IGMP snooping and IGMP treat the VLAN as an interface Only control packe...

Страница 507: ...ging to the primary subnet To add a host on secondary subnet you must manually configure the IP address information on that host DHCP Relay When the switch is configured as a DHCP relay agent it will...

Страница 508: ...2 2 3 and 2 2 2 4 VRRP VR on v1 with VRID of 99 with virtual IP addresses of 1 1 1 98 and 1 1 1 99 VRRP VR on v1 with VRID of 100 with virtual IP addresses of 2 2 2 98 and 2 2 2 99 Given the same VLAN...

Страница 509: ...ess 192 168 35 1 configure multinet add secondary ipaddress 192 168 37 1 configure multinet add port 5 5 configure default delete port 1 8 2 9 3 10 create vlan multinet_2 configure multinet_2 ipaddres...

Страница 510: ...HCP relay agent option use the following command after configuring the DHCP BOOTP relay function configure bootprelay dhcp agent information option To disable the DHCP relay agent option use the follo...

Страница 511: ...owever if the previous bootprelay functions are adequate you may continue to use them NOTE UDP forwarding only works across a layer 3 boundary and currently UDP forwarding can be applied to IPv4 packe...

Страница 512: ...ight entries in a UDP forwarding profile The UDP forwarding module will process those entries even if the entries do not contain any attributes for UDP forwarding Having more than eight entries will d...

Страница 513: ...ho packets to measure the transit time for data between the transmitting and receiving end To enable UDP echo server support use the following command enable udp echo server vr vrid udp port port To d...

Страница 514: ...IPv4 Unicast Routing ExtremeWare XOS 11 3 Concepts Guide 514...

Страница 515: ...n with other routers on the network using either the IPv6 version of Routing Information Protocol RIPng or the IPv6 version of Open Shortest Path First OSPFv3 protocol The switch dynamically builds an...

Страница 516: ...in IPv4 tunnels known as configured tunnels or 6in4 tunnels and IPv6 to IPv4 tunnels known as 6to4 tunnels To create or delete a tunnel use the following commands create tunnel tunnel_name 6to4 source...

Страница 517: ...is a duplicate it cannot use the address Until the Duplicate Address Detection DAD process completes the new address is considered tentative and will be shown as such in any display output If the add...

Страница 518: ...rst hop MAC Address Resolution In IPv4 MAC address resolution is done by ARP For IPv6 this functionality is handled by the Neighbor Discovery Protocol The router maintains a cache of IPv6 addresses an...

Страница 519: ...e of the Prefix Autonomous Flag To enable router discovery on a VLAN use the following command enable router discovery ipv6 vlan vlan_name To configure the prefixes advertised by router discovery use...

Страница 520: ...f the following commands enable ripng export direct ospfv3 ospfv3 extern1 ospfv3 extern2 ospfv3 inter ospfv3 intra static cost number tag number policy policy name or disable ripng export direct ospfv...

Страница 521: ...ative Route Priorities Table 66 lists the relative priorities assigned to routes depending on the learned source of the route NOTE Although these priorities can be changed do not attempt any manipulat...

Страница 522: ...e vr vr_name 5 Configure the routing protocol if required For a simple network using RIPng the default configuration may be acceptable 6 Turn on RIPng or OSPFv3 using one of the following commands ena...

Страница 523: ...tions connected to slots 1 and 3 have access to the router by way of the VLAN Finance Ports on slots 2 and 4 reach the router by way of the VLAN Personnel All other traffic NetBIOS is part of the VLAN...

Страница 524: ...IPv4 region is one hop even if multiple IPv4 routers are traversed during transport A 6in4 tunnel connects one IPv6 region to one other IPv6 region Multiple 6in4 tunnels can be configured on a single...

Страница 525: ...B Hosts A and B are configured to use IPv6 addresses 2001 db8 1 101 and 2001 db8 2 101 respectively In order for traffic to move from one region to the other there must be a route In this example a st...

Страница 526: ...vlan private ipv6 ipaddress 2001 db8 1 1 64 enable ipforwarding ipv6 private ipv6 configure iproute add 2001 db8 2 64 2001 db8 a 2 Router B configure vlan default delete port all create vlan public i...

Страница 527: ...4 source address of the endpoint in hexadecimal colon separated form For example for a tunnel endpoint located at IPv4 address 10 20 30 40 the tunnel address would be 2002 0a14 1e28 16 In hex 10 is 0a...

Страница 528: ...2 48 enable ipforwarding ipv6 private ipv6 Router 2 configure vlan default delete port all create vlan public ipv4 configure vlan public ipv4 add port 1 untagged configure vlan public ipv4 ipaddress...

Страница 529: ...00 04 96 1F A4 32 IP address 2002 0a00 0001 0001 0204 96ff fe1f a432 64 Static route destination 2002 16 gateway 2002 0a00 0001 0001 1 Host 3 MAC address 00 01 30 00 C2 00 IP address 2002 0a00 0001 00...

Страница 530: ...IPv6 Unicast Routing ExtremeWare XOS 11 3 Concepts Guide 530...

Страница 531: ...r many years and is widely deployed and understood OSPF is a link state protocol based on the Dijkstra link state algorithm OSPF is a newer IGP and solves a number of problems associated with using RI...

Страница 532: ...ained later in this chapter Overview of RIP RIP is an IGP first used in computer routing in the Advanced Research Projects Agency Network ARPAnet as early as 1969 It is primarily intended for use in h...

Страница 533: ...ertisement of VLANs Virtual LANs VLANs that are configured with an IP address but are configured to not route IP or are not configured to run RIP do not have their subnets advertised by RIP RIP advert...

Страница 534: ...he routes to export from RIP to OSPF Likewise for any other combinations of protocols you must separately configure each to export routes to the other Redistributing Routes into RIP Enable or disable...

Страница 535: ...d switch that has three VLANs defined as follows Finance Protocol sensitive VLAN using the IP protocol All ports on slots 1 and 3 have been assigned IP address 192 207 35 1 Personnel Protocol sensitiv...

Страница 536: ...ce and Personnel VLANs but this example shows how to exclude that traffic To allow the NetBIOS traffic or other type of traffic along with the IP traffic remove the configure finance protocol ip and c...

Страница 537: ...RIP Configuration Example ExtremeWare XOS 11 3 Concepts Guide 537 enable ipforwarding configure rip add vlan all enable rip...

Страница 538: ...RIP ExtremeWare XOS 11 3 Concepts Guide 538...

Страница 539: ...n the Bellman Ford or distance vector algorithm The distance vector algorithm has been in use for many years and is widely deployed and understood The other common IGP for IPv6 is OSPFv3 a link state...

Страница 540: ...ng is primarily intended for use in homogeneous networks of moderate size To determine the best path to a distant network a router using RIPng always selects the path that has the least number of hops...

Страница 541: ...o run RIP do not have their subnets advertised by RIP RIP advertises only those VLANs that are configured with an IP address are configured to route IP and run RIP Route Redistribution More than one r...

Страница 542: ...48 Personnel All ports on slots 2 and 4 have been assigned IP address 2001 db8 36 1 48 MyCompany Port based VLAN All ports on slots 1 through 4 have been assigned The stations connected to the system...

Страница 543: ...also known as an autonomous system AS In a link state routing protocol each router maintains a database describing the topology of the AS Each participating router has an identical database maintaine...

Страница 544: ...the exact same LSDB Table 67 describes LSA type numbers Database Overflow The OSPF database overflow feature allows you to limit the size of the LSDB and to maintain a consistent LSDB across all the r...

Страница 545: ...ic correctly The first condition is that forwarding can continue while the control function is restarted Most modern router system designs separate the forwarding function from the control function so...

Страница 546: ...a area identifier virtual link router identifier area identifier restart helper none planned unplanned both The graceful restart period sent out to helper routers can be configured with the following...

Страница 547: ...area is connected to only one other area The area that connects to a stub area can be the backbone area External route information is not distributed into stub areas Stub areas are used to reduce mem...

Страница 548: ...h between the ABR of the disconnected area and the ABR of the normal area that connects to the backbone A virtual link must be established between two ABRs that have a common area with one ABR connect...

Страница 549: ...ype This is the default setting Broadcast Any Routers must elect a designated router DR and a backup designated router BDR during synchronization Ethernet is an example of a broadcast link Point to po...

Страница 550: ...from that protocol to the first one are discreet configuration functions For example to run OSPF and RIP simultaneously you must first configure both protocols and then verify the independent operatio...

Страница 551: ...exported routes can also be filtered using policies Verify the configuration using the command show ospf OSPF Timers and Authentication Configuring OSPF timers and authentication on a per area basis...

Страница 552: ...n LSA packet over the interface The transit delay must be greater than 0 Hello interval The interval at which routers send hello packets Shorter times allow routers to discover each other more quickly...

Страница 553: ...and ABR2 Network number 10 0 x x Two identified VLANs HQ_10_0_2 and HQ_10_0_3 Area 5 is connected to the backbone area by way of ABR1 and ABR2 It is located in Chicago and has the following characteri...

Страница 554: ...1 255 255 255 0 configure vlan HQ_10_0_3 ipaddress 10 0 3 1 255 255 255 0 configure vlan LA_161_48_2 ipaddress 161 48 2 2 255 255 255 0 configure vlan Chi_160_26_26 ipaddress 160 26 26 1 255 255 255 0...

Страница 555: ...can specify multiple search criteria and only those results matching all of the criteria are displayed This allows you to control the displayed entries in large routing tables To display the current l...

Страница 556: ...OSPF ExtremeWare XOS 11 3 Concepts Guide 556...

Страница 557: ...at used to support IPv4 OSPFv3 has retained the use of the four byte dotted decimal numbers for router IDs LSA IDs and area IDs OSPFv3 is an interior gateway protocol IGP as is the other common IGP fo...

Страница 558: ...areas in an AS must be connected to the backbone When designing networks you should start with area 0 0 0 0 and then expand into other areas NOTE Area 0 0 0 0 exists by default and cannot be deleted o...

Страница 559: ...s Not so stubby areas NSSAs are not supported currently in the ExtremeWare XOS implementation of OSPFv3 Normal Area A normal area is an area that is not Area 0 Stub area NSSA Virtual links can be conf...

Страница 560: ...n continue to communicate with the backbone using the virtual link Figure 73 Virtual link providing redundancy Link Type Support You can manually configure the OSPFv3 link type for a VLAN Table 70 des...

Страница 561: ...otocol can be enabled simultaneously on the switch Route redistribution allows the switch to exchange routes including static routes between the routing protocols Figure 74 is an example of route redi...

Страница 562: ...for any other combinations of protocols you must separately configure each to export routes to the other Redistributing Routes into OSPFv3 Enable or disable the exporting of RIPng static and direct in...

Страница 563: ...command the policy is applied on every exported route The exported routes can also be filtered using policies Verify the configuration using the command show ospfv3 domain domainName OSPFv3 Timers Co...

Страница 564: ...g all the configurations Router 1 will establish OSPFv3 adjacency with Router 2 and Router 3 They will also exchange the various link state databases Configuration for Router 1 The router labeled Rout...

Страница 565: ...re vlan to r1 ipaddress 2001 db8 4444 6666 2 64 configure vlan to r1 add port 1 1 enable ipforwarding ipv6 configure ospfv3 routerid 0 0 0 2 configure ospfv3 add vlan to r1 area 0 0 0 0 enable ospfv3...

Страница 566: ...OSPFv3 ExtremeWare XOS 11 3 Concepts Guide 566...

Страница 567: ...rotection of BGP Sessions via the TCP MD5 Signature Option RFC 2439 BGP Route Flap Damping RFC 2796 BGP Route Reflection An Alternative to Full Mesh IBGP RFC 2842 Capabilities Advertisement with BGP 4...

Страница 568: ...IGP Exterior Gateway Protocol EGP and incomplete AS_Path The list of ASs that are traversed for this route Next_hop The IP address of the next hop BGP router to reach the destination listed in the NLR...

Страница 569: ...ter is formed by the route reflector and its client routers Peer routers that are not part of the cluster must be fully meshed according to the rules of BGP A BGP cluster including the route reflector...

Страница 570: ...onfigure vlan to_c1 add port 1 2 configure vlan to_c1 ipaddress 20 0 0 2 24 enable ipforwarding vlan to_c1 create vlan to_c2 configure vlan to_c2 add port 1 2 configure vlan to_c2 ipaddress 30 0 0 2 2...

Страница 571: ...h sub AS must be fully meshed The confederation is advertised to other networks as a single AS Route Confederation Example Figure 77 shows an example of a confederation Figure 77 Routing confederation...

Страница 572: ...To configure router B use the following commands create vlan ba configure vlan ba add port 1 configure vlan ba ipaddress 192 1 1 5 30 enable ipforwarding vlan ba configure ospf add vlan ba area 0 0 0...

Страница 573: ...ure router D use the following commands create vlan db configure vlan db add port 1 configure vlan db ipaddress 192 1 1 10 30 enable ipforwarding vlan db configure ospf add vlan db area 0 0 0 0 create...

Страница 574: ...command configure bgp add aggregate address address family ipv4 unicast ipv4 multicast ipaddress as match as set summary only advertise policy policy attribute policy policy Using the Loopback Interfa...

Страница 575: ...o remove a neighbor from a peer group use the peer group none option When you remove a neighbor from a peer group the neighbor retains the parameter settings of the group The parameter values are not...

Страница 576: ...sion for a BGP peer group or for a set of routes To enable route flap dampening over BGP peer sessions use the following command configure bgp neighbor all remoteaddr address family ipv4 unicast ipv4...

Страница 577: ...S numbers in the range 64512 through 65534 You can remove private AS numbers from the AS path attribute in updates that are sent to external BGP EBGP neighbors Possible reasons for using private AS nu...

Страница 578: ...pf inter ospf intra rip static address family ipv4 unicast ipv4 multicast export policy policy name disable bgp export direct ospf ospf extern1 ospf extern2 ospf inter ospf intra rip static address fa...

Страница 579: ...s a function that allows a single IP host to send a packet to a group of IP hosts This group of hosts can include devices that reside on or outside the local network and within or across a routing dom...

Страница 580: ...col which allows you to prune and graft multicast routes PIM DM routers perform reverse path multicasting RPM However instead of exchanging its own unicast route tables for the RPM algorithm PIM DM us...

Страница 581: ...e switch and beginning with release 11 2 ExtremeWare XOS supports IGMPv3 However the switch can be configured to disable the generation of periodic IGMP query packets IGMP should be enabled when the s...

Страница 582: ...ic IGMP is only available with IGMPv2 Use the following command to emulate a host on a port configure igmp snooping vlan vlanname ports portlist add static group ip address To emulate a multicast rout...

Страница 583: ...ticast routing on the interface using the following command enable ipmcforwarding vlan name 3 Enable PIM on all IP multicast routing interfaces using the following command configure pim add vlan vlan_...

Страница 584: ...M Figure 78 IP multicast routing using PIM DM configuration example Area 0 10 0 1 1 10 0 3 2 10 0 3 1 160 26 25 1 161 48 2 2 161 48 2 1 10 0 2 1 H Q _ 1 0 _ 0 _ 2 C h i _ 1 6 0 _ 2 6 _ 2 6 H Q _ 1 0 _...

Страница 585: ...ABR1 is configured for IP multicast routing using PIM SM Figure 79 IP multicast routing using PIM SM configuration example The router labeled ABR1 has the following configuration configure vlan HQ_10...

Страница 586: ...pim crp HQ_10_0_3 rp_list 30 configure pim cbsr HQ_10_0_3 30 The policy file rp_list pol contains the list of multicast group addresses serviced by this RP This set of group addresses are advertised...

Страница 587: ...he current release of ExtremeWare XOS 11 3 IPv6 multicast packets are flooded to VLANs that receive the traffic MLD Overview MLD is a protocol used by an IPv6 host to register its IP multicast group m...

Страница 588: ...MLD report then the traffic is forwarded to that host In some situations you would like multicast traffic to be forwarded to a port where a multicast enabled host is not available for example when yo...

Страница 589: ...3 Appendixes...

Страница 590: ......

Страница 591: ...oftware running on your system Modular software packages enhance the functionality of the ExtremeWare XOS core image currently running on your switch Modular software packages are not preinstalled at...

Страница 592: ...tput is structured as follows show version ExtremeWare XOS Version major minor patch build For example ExtremeWare XOS version 10 1 2 16 show switch major minor patch build For example 10 1 2 16 Table...

Страница 593: ...you are using TFTP Loading the new image onto an external compact flash memory card if you are using the external compact flash slot This method is available only on modular switches Use a PC with app...

Страница 594: ...as follows bd10K 11 2 0 18 ssh xmod can run only with the core image named bd10K 11 2 0 18 xos You can install a modular software package on the active partition or on the inactive partition You woul...

Страница 595: ...xtreme Networks introduces a new core software image a new modular software package is also available If you have a software module installed and upgrade to a new core image you need to upgrade to the...

Страница 596: ...age to an external compact flash memory card see Downloading a New Image on page 591 for more information The first example uses the terminate process and start process commands to terminate and resta...

Страница 597: ...e show switch command to see the scheduled time Understanding Hitless Upgrade BlackDiamond 10K Switch Only ExtremeWare XOS 11 1 introduced the concept of hitless upgrade Hitless upgrade is a mechanism...

Страница 598: ...system complete the following tasks 1 Determine your selected and booted image partitions 2 Select the partition to download the image to and the partition to boot from after installing the image 3 Do...

Страница 599: ...install the image at a later time use the following command to install the software install image fname partition msm slotid reboot 3 Initiate failover from the primary MSM to the backup MSM using the...

Страница 600: ...rforming a Hitless Upgrade Hitless Upgrade Examples Using the assumptions described below the following examples perform a hitless upgrade for a core software image on the BlackDiamond 10K switch You...

Страница 601: ...reboot the switch you must save the configuration to nonvolatile storage The switch can store multiple user defined configuration files each with its own filename By default the switch has two prename...

Страница 602: ...he switch boots to factory default settings if the previously saved configuration file is overwritten The configuration that is not in the process of being saved is unaffected Viewing a Configuration...

Страница 603: ...name of the TFTP server ip_address Is the IP address of the TFTP server p Puts the specified file from the local host and copies it to the TFTP server l local_file Specifies the name of the configurat...

Страница 604: ...itch used when it originally booted an asterisk appears before the command line prompt when using the CLI Synchronizing MSMs Modular Switches Only On a dual MSM system you can take the primary MSM con...

Страница 605: ...eraction with the Bootloader is required only under special circumstances and should be done only under the direction of Extreme Networks Customer Support The necessity of using these functions implie...

Страница 606: ...OM from a TFTP server on the network or an external compact flash memory card installed in the compact flash slot of the MSM after the switch has booted Upgrade the BootROM only when asked to do so by...

Страница 607: ...You can configure the switch to automatically upgrade the firmware when a different image is detected or you can have the switch prompt you to confirm the upgrade process To configure the switch s be...

Страница 608: ...ions ExtremeWare XOS 11 3 Concepts Guide 608 Power over Ethernet PoE firmware is always automatically upgraded or downgraded to match the operational ExtremeWare XOS code image This configuration is n...

Страница 609: ...n page 633 Untagged Frames on the 10 Gbps Module BlackDiamond 10K Switch Only on page 633 Running MSM Diagnostics from the Bootloader BlackDiamond 10K Switch Only on page 633 Contacting Extreme Networ...

Страница 610: ...uding the VLAN tag ports in the VLAN and whether or not the ports are tagged Use the show vlan detail command to display detailed information for each VLAN configured on the switch For additional VLAN...

Страница 611: ...w neighbor discovery cache ipv6 command to display the contents of the ND cache IP routing protocol statistics for the CPU of the switch Only statistics of the packets handled by the CPU are displayed...

Страница 612: ...se the show rip interface detail command to display RIP specific statistics for all VLANs Your RIP next generation RIPng configuration including RIPng poison reverse split horizon triggered updates tr...

Страница 613: ...play the expected input voltage Also refer to the section Power Management Guidelines on page 80 for more detailed information about power management ERR LED on the Management Switch Fabric Module MSM...

Страница 614: ...hes Only on page 616 Command Prompt on page 616 Port Configuration on page 617 VLANs on page 618 STP on page 618 ESRP on page 619 VRRP on page 620 General Tips and Recommendations The initial welcome...

Страница 615: ...led check the connections and network cabling at the port The port through which you are trying to access the device is in a correctly configured Virtual LAN VLAN The community strings configured for...

Страница 616: ...only user privileges are available This is true regardless of the privileges configured on the primary MSM If you enter an administrator level command on the backup MSM the switch displays a message s...

Страница 617: ...between devices This is NOT a problem with the Extreme Networks switch Always verify that the Extreme Networks switch and the network device match in configuration for speed and duplex No link light...

Страница 618: ...st cost metric STP You have connected an endstation directly to the switch and the endstation fails to boot correctly The switch has the Spanning Tree Protocol STP enabled and the endstation is bootin...

Страница 619: ...cannot enable an ESRP domain Before you enable a specific ESRP domain it must have a domain ID A domain ID is either a user configured number or the 802 1Q tag VLANid of the tagged master VLAN The do...

Страница 620: ...tomatic Protection Switching EAPS requires that a network have a ring topology to operate In this case you can use ELRP to ensure that the network has a ring topology ELRP is used to detect network lo...

Страница 621: ...cutive transmissions A message is printed to the console and logged into the system log file indicating detection of network loop when ELRP packets are received back or no packets are received within...

Страница 622: ...log file and or sending a trap to the SNMP manager To disable a pending one shot or periodic ELRP request for a specified VLAN use the following command unconfigure elrp client vlan_name Displaying S...

Страница 623: ...7 minutes to complete To install additional modular software packages BootROM images BlackDiamond 10K switch only and configuration files see Appendix A Software Upgrade and Boot Options for more info...

Страница 624: ...Technical Support Obtaining the Rescue Image from an External Compact Flash Memory Card BlackDiamond 8800 Family of Switches Only In addition to recovering the switch using the internal compact flash...

Страница 625: ...sage press enter to reboot Press Enter to reboot the switch The switch reboots and displays the login prompt You have successfully completed the setup from the external compact flash memory card 4 Rem...

Страница 626: ...el to troubleshoot the switch This section describes the following topics Enabling the Switch to Send Debug Information on page 627 Copying Debug Information on page 627 Managing Files on the External...

Страница 627: ...e hardware such as a compact flash reader writer and follow the manufacturer s instructions to access the compact flash card and read the data Managing Files on the External Memory Card Modular Switch...

Страница 628: ...y making a copy you can easily go back to the original file if needed To copy an existing configuration or policy file on your card use the following command cp memorycard old name memorycard new name...

Страница 629: ...ng and Statistics Overview of the System Health Checker There are two modes of health checking available on the switch polling and backplane diagnostic packets These methods are briefly described for...

Страница 630: ...system health checker tests the data link every 5 seconds for the specified slot NOTE Enabling backplane diagnostic packets increases CPU utilization and competes with network traffic for resources To...

Страница 631: ...itch you have additional or different odometer information may be displayed The following is sample output from a BlackDiamond 10K switch Service First Recorded Field Replaceable Units Days Start Date...

Страница 632: ...t X450 switch if the switch runs outside the expected range the switch logs an error message generates a trap and continues running No components are shutdown To verify the state of the switch use eit...

Страница 633: ...ne power budget for the slot is reduced Untagged Frames on the 10 Gbps Module BlackDiamond 10K Switch Only On the BlackDiamond 10K switch the 10 Gbps module must have the serial number 804405 00 09 or...

Страница 634: ...tes diagnostics for the primary image 4 Diagnostics for image 2 initiates diagnostics for the secondary image For example to run diagnostics on the primary image use the following command boot 3 When...

Страница 635: ...oftware Module on page 636 Running the Tests on page 636 Configuring the CNA Agent on page 637 Overview The CNA Agent accepts requests from the CNA Server to run tests for measuring and verifying netw...

Страница 636: ...are module that contains SSL NOTE You must download the SSH module prior to downloading the CNA module If you attempt to download the CNA software module and you have not already downloaded the SSH so...

Страница 637: ...cna testplug Once you enable the CNA Agent you register the CNA Agent with the CNA Server and the CNA Agent performs the requested network tests and reports the results To disable the CNA Agent use t...

Страница 638: ...This command clears the CNA Agent counters on the Extreme Networks devices and resets those counters to zero You can also issue the clear counters command which clears all the counters on the device...

Страница 639: ...101549 0 Tcpconnect 36455 0 Merge 50 0 NOTE Adaptive Networking Software ANS runs on the CNA Server Troubleshooting If the CNA Agent is not able to register with the CNA Server check the following it...

Страница 640: ...CNA Agent ExtremeWare XOS 11 3 Concepts Guide 640...

Страница 641: ...vision 2 RFC 951 Bootstrap Protocol RFC 1542 Clarifications and Extensions for the Bootstrap Protocol RFC 2131 Dynamic Host Configuration Protocol RFC 1122 Requirements for Internet Hosts Communicatio...

Страница 642: ...on Protocol for IPv6 RIPng RFC 2080 RIPng for IPv6 Open Shortest Path First OSPF RFC 2328 OSPF Version 2 RFC 1587 The OSPF NSSA Option RFC 1765 OSPF Database Overflow RFC 2370 The OSPF Opaque LSA Opti...

Страница 643: ...nt Framework RFC 2571 An Architecture for Describing Simple Network Management Protocol SNMP Management Frameworks RFC 1757 Remote Network Monitoring Management Information Base RFC 2021 Remote Networ...

Страница 644: ...v4 and OSI Security Routing protocol authentication RFC 1492 An Access Control Protocol Sometimes Called TACACS Secure Shell SSHv2 Secure Copy SCPv2 with encryption authentication Secure Socket Layer...

Страница 645: ...d network and forward and receive the radio signals that transmit wireless data area In OSPF an area is a logical set of segments connected by routers The topology within an area is hidden from the re...

Страница 646: ...each multiaccess network has a BDR The BDR is adjacent to all routers on the network and becomes the DR when the previous DR fails The period of disruption in transit traffic lasts only as long as it...

Страница 647: ...roadcast domains VLANs In wireless technology bridging refers to forwarding and receiving data between radio interfaces on APs or between clients on the same radio So bridged traffic can be forwarded...

Страница 648: ...ummit X450 switch certain ports can be used as either copper or fiber ports common link In EAPS the common link is the physical link between the controller and partner nodes in a network where multipl...

Страница 649: ...iscovery DHCP Dynamic Host Configuration Protocol DHCP allows network administrators to centrally manage and automate the assignment of IP addresses on the corporate network DHCP sends a new IP addres...

Страница 650: ...systems in other ASs EBGP works between different ASs ECMP Equal Cost Multi Paths In OSPF this routing algorithm distributes network traffic across multiple high bandwidth links to increase performanc...

Страница 651: ...T in compatibility with third party switches running this version of STP EPICenter EPICenter is an Extreme Networks proprietary graphical user interface GUI network management system ESRP Extreme Stan...

Страница 652: ...e frame was received and an identifier for the VLAN to which the device belongs Frames destined for devices that are not currently in the FDB are flooded to all members of the VLAN For some types of e...

Страница 653: ...l that allows generation of error messages test packets and operating messages For example the ping command allows you to send ICMP echo messages to a remote IP device to test for connectivity ICMP al...

Страница 654: ...idea of unique addresses for each computer on the network IP is a connectionless best effort protocol TCP reassembles the data after transmission IP specifies the format and addressing scheme for eac...

Страница 655: ...es L LACP Link Aggregation Control Protocol LACP is part of the IEEE 802 3ad and automatically configures multiple aggregated links between switches LAG Link aggregation group A LAG is the logical hig...

Страница 656: ...FS Link Fault Signal LFS which conforms to IEEE standard 802 3ae 2002 monitors 10 Gbps ports and indicates either remote faults or local faults loop detection In ELRP loop detection is the process use...

Страница 657: ...traffic the metering function interacts with other components to either re mark or drop the traffic for that flow In the Extreme Networks implementation you use ACLs to enforce metering member VLAN In...

Страница 658: ...hat specifically join the multicast group the addresses are specified in the destination address field In other words multicast point to multipoint is a communication pattern in which a source host se...

Страница 659: ...useful for system redundancy NSSA Not so stubby area In OSPF NSSA is a stub area which is connected to only one other area with additional capabilities External routes originating from an ASBR connec...

Страница 660: ...routing and load balancing Although OSPF requires CPU power and memory space it results in smaller less frequent router table updates throughout the network This protocol is more efficient and scalabl...

Страница 661: ...d to rewrite and modify routing advertisements port mirroring Port mirroring configures the switch to copy all traffic associated with one or more ports to a designated monitor port A packet bound for...

Страница 662: ...te with a central server to authenticate dial in users and authorize their access to the requested system or service RADIUS allows a company to maintain user profiles in a central database that all re...

Страница 663: ...etwork that does not have a root port root port In STP the root port provides the shortest path to the root bridge All bridges except the root bridge contain one root port route aggregation In BGP you...

Страница 664: ...ou can have many 6in4 tunnels per VR 6to4 tunnels The 6to4 tunnels are one way to send IPv6 packets over IPv4 networks This transition mechanism provides a way to connect IPv6 end site networks by aut...

Страница 665: ...llows a network to have a topology that contains physical loops it operates in bridges and switches STP opens certain paths to create a tree topology thereby preventing packets from looping endlessly...

Страница 666: ...of the IEEE 802 1Q field of the header Using this 12 bit field you can configure up to 4096 individual VLAN addresses usually some are reserved for system VLANs such as management and default VLANs t...

Страница 667: ...VRRP the virtual router is identified by a virtual router VRID and an IP address A router running VRRP can participate in one or more virtual routers The VRRP virtual router spans more than one physi...

Страница 668: ...ned the same VRID VR Mgmt This virtual router is part of the embedded system in Extreme Networks BlackDiamond 10K switches The VR Mgmt enables remove management stations to access the switch through T...

Страница 669: ...ExtremeWare XOS 11 3 Concepts Guide 669 X XENPAK Pluggable optics that contain a 10 Gigabit Ethernet module The XENPAKs conform to the IEEE 802 3ae standard...

Страница 670: ...Glossary ExtremeWare XOS 11 3 Concepts Guide 670...

Страница 671: ...re eaps hellotime 405 configure eaps mode 404 configure eaps primary port 406 configure eaps secondary port 406 configure eaps shared port domain 414 configure eaps shared port mode 414 configure eaps...

Страница 672: ...ip 323 configure radius shared secret 323 324 configure radius timeout 323 configure radius accounting 324 333 configure radius accounting timeout 324 configure rip import policy 260 284 configure ri...

Страница 673: ...8 create protocol 226 create stpd 424 447 create virtual router 244 create vlan 45 246 D delete account 45 49 delete bgp peer group 574 delete eaps 404 delete eaps shared port 414 415 delete esrp 467...

Страница 674: ...ng 583 enable jumbo frame ports 117 enable license 46 enable log debug mode 209 626 enable log target 198 enable log target console 207 enable log target session 207 enable netlogin 350 enable netlogi...

Страница 675: ...group 582 show inline power 169 171 172 174 show inline power configuration ports 171 173 177 show inline power info ports 167 178 show inline power slot 170 176 show inline power stats ports 179 sho...

Страница 676: ...cess 104 tftp 67 69 102 258 337 603 top 629 traceroute 53 54 55 U unconfigure access list 259 272 unconfigure eaps primary port 408 unconfigure eaps secondary port 408 unconfigure eaps shared port lin...

Страница 677: ...rs 273 description 261 editing 258 examples 273 274 file syntax 262 metering 271 refreshing 259 rule entry 262 rules 270 transferring to the switch 258 troubleshooting 257 action modifiers ACL 264 act...

Страница 678: ...574 using 574 route confederations 571 route flap dampening configuring 576 description 575 viewing 576 route reflectors 569 route selection 577 static networks 578 bi directional rate shaping config...

Страница 679: ...ng 99 628 deleting 101 629 description 601 displaying 100 628 downloading 603 managing 98 overview 102 relaying from primary to backup 72 renaming 98 628 saving changes 601 selecting 602 uploading 603...

Страница 680: ...99 405 failtimer 399 405 Fast Convergence 397 407 FDB 398 hardware layer 398 health check packet 399 405 hellotime 405 licensing 395 link down message 398 master node 396 404 multiple domains per swit...

Страница 681: ...RP 484 489 494 auto toggle 456 460 basic topology 457 description 455 direct link 461 displaying data 476 domain ID 461 domains description 460 don t count 474 election algorithms 465 environment trac...

Страница 682: ...d QoS 291 file syntax ACL 262 policy 279 file system administration 97 filename requirements 98 628 filenames troubleshooting 98 628 files copying 99 628 deleting 101 629 displaying 100 628 renaming 9...

Страница 683: ...scription 579 example 583 IGMP description 581 snooping 581 587 snooping filters 582 PIM mode interoperation 581 PIM multicast border router PMBR 581 PIM DM 580 PIM SM 580 IP multinetting and ESRP 484...

Страница 684: ...SSH2 36 verifying 35 limit sFlow maximum CPU sample limit 212 limiting entries FDB 253 line editing keys 43 link aggregation See also load sharing adding or deleting ports 124 and control protocols 11...

Страница 685: ...rning FDB 253 MAC based authentication advantages 347 configuration example 371 configuration secure MAC 370 description 368 disabling 369 disadvantages 347 enabling 369 MAC based security 253 315 MAC...

Страница 686: ...multiple supplicants 347 port enabling 350 RADIUS attributes 352 RADIUS authentication 351 redirect page 364 secure MAC 369 session refresh 365 settings displaying 350 user netlogin only disabled 351...

Страница 687: ...ng 50 path MTU discovery 117 peer groups 574 Per VLAN Spanning Tree See PVST permanent entries FDB 251 permit established 274 PIM and IP multinetting 506 mode interoperation 581 multicast border route...

Страница 688: ...48 port restart ESRP 473 port weight ESRP 459 port based load sharing 120 121 port based VLANs 220 223 port mirroring and protocol analyzers 131 description 130 displaying 133 examples 132 guidelines...

Страница 689: ...sification priorities 295 committed rates 294 database applications 291 default QoS profiles 294 295 description 289 DiffServ changing mapping to QoS profile 301 configuring 300 default mapping to QoS...

Страница 690: ...LAN 228 rendezvous point 580 rescue image 623 resilience 396 responding to ARP requests 499 restart graceful 545 returning to factory defaults 602 RFCs 641 BGP 567 bridge 448 IPv4 multicast routing 57...

Страница 691: ...n propagating 442 rule entry ACL 262 policy 279 rule types 378 S safe defaults mode 46 safe defaults script 46 sampling rate sFlow 212 saving configuration changes 601 scoped IPv6 addresses 517 SCP2 3...

Страница 692: ...3 software image See image software licensing 33 software module xmod file 594 activating 594 description 594 downloading 593 overview 29 591 uninstalling 594 software signature 592 software controlle...

Страница 693: ...apid root failover 429 rules and restrictions 447 StpdID 426 448 troubleshooting 447 618 StpdID 426 strings community 84 stub area OSPF 547 stub area OSPFv3 559 subcomponents EMS 201 Subnetwork Access...

Страница 694: ...playing status 68 re enabling 68 sample ACL policies 67 server 63 session establishing 63 maximum number of 63 opening 63 terminating 68 viewing 69 TCP port number 64 using 62 telnet MSM 53 temperatur...

Страница 695: ...0 171 port configuration 617 port mirroring 130 131 power fluctuation on PoE module 633 QoS 292 298 300 303 304 rescue image 623 software 33 software controlled redundant ports 137 SSH2 336 SSL 48 SSL...

Страница 696: ...nd tagged 225 names 41 228 port based 220 223 precedence 227 protocol filters customizing 226 deleting 227 predefined 226 protocol based 225 QoS profile 231 renaming 228 tagged 223 troubleshooting 221...

Страница 697: ...ple 355 guidelines 354 VSA 205 example 355 guidelines 355 VSA 206 examples 352 guidelines 355 VSA 209 example 354 guidelines 354 VSA 211 examples 353 guidelines 353 W web browsing applications and QoS...

Страница 698: ...Index ExtremeWare XOS 11 3 Concepts Guide 698...

Отзывы:

Нет отзывов

Похожие инструкции для ExtremeWare XOS 11.3

WJ-ND300 Administrator Console

Бренд: Panasonic Страницы: 27

Бренд: Generic Media Страницы: 17

DREAMWEAVER 8-EXTENDING DREAMWEAVER

Бренд: MACROMEDIA Страницы: 504

Venture IP Telephone System

Бренд: Aastra Страницы: 12

SyncMaster S23A950D

Бренд: Samsung Страницы: 90

SyncMaster T23A750

Бренд: Samsung Страницы: 292

Бренд: Seagate Страницы: 1

D-NE329SP - Atrac Cd Walkman Portable Player

Бренд: Sony Страницы: 2

D-NE20 - Atrac Cd Walkman

Бренд: Sony Страницы: 2

D-NE326CK - Atrac Cd Walkman Portable Player

Бренд: Sony Страницы: 2

D-NE329SP - Atrac Cd Walkman Portable Player

Бренд: Sony Страницы: 32

D-NE1 - Portable Cd Player

Бренд: Sony Страницы: 34

D-NE326CK - Atrac Cd Walkman Portable Player

Бренд: Sony Страницы: 35

D-NE1 - Portable Cd Player

Бренд: Sony Страницы: 116

Spectra nTier500

Бренд: Spectra Logic Страницы: 112

one-X Deskphone Edition

Бренд: Avaya Страницы: 74

9 INTERNET SECURITY - REVISED 6-2010

Бренд: AVG Страницы: 209

Active Management Technology v4.0

Бренд: Intel Страницы: 143

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды