Configuration Guide
Table Of Contents
- Table of Contents
- 1. Overview
- 2. SPB Terminology
- 3. SPB Support Topologies
- 4. UNI Types
- 5. Summary of SPB Features and ProductRelease Matrix
- 6. SPB Feature and License Matrix
- 7. Scaling
- 8. Migration & Upgrades
- 9. Field Introduction & Support Specifications
- 10. VSP 7000 – Fabric Interconnect
- 11. ISIS Metrics - Optional
- 12. ISIS Accept Policy
- 13. ISIS External Metric
- 14. SPB over L2/L3 networks
- 15. Fabric Attach
- 16. SPB SMLT BEB Design Best Practices
- 17. SPB NNI SMLT – migrating existing SMLT network to SPB
- 18. IS-IS TLV
- 19. SPB Best Practices
- 20. SPB Configuration
- 20.1 SPB Configuration
- 20.1.1 ERS 8800 – Converting from CLI to ACLI
- 20.1.2 SPB and IS-IS Core Configuration
- 20.1.3 SPB NNI Interface Configuration
- 20.1.4 CFM Configuration
- 20.1.5 VSP 7000 – Fabric Interconnect Mesh
- 20.1.6 SMLT – Normal IST
- 20.1.7 SMLT - Virtual IST (vIST)
- 20.1.8 L2VSN Configuration
- 20.1.9 SwitchedUNI Configuration
- 20.1.10 Flex UNI Switched Configuration
- 20.1.11 Transparent UNI Configuration
- 20.1.12 Private VLAN (ETREE) Configuration
- 20.1.13 L3VSN Configuration
- 20.1.14 L3VSN – leaking routes between VRF’s
- 20.1.15 IP Shortcuts
- 20.1.16 IP Shortcut– Suppress IST Network
- 20.1.17 IP Shortcuts – leaking routes between GRT and VRF
- 20.1.18 IP Shortcuts – redistribution of ISIS and OSPF
- 20.1.19 Inter-VSN Routing
- 20.1.20 IPv6 Shortcuts
- 20.1.21 SPB Multicast Configuration
- 20.1.22 Multicast 239.255.255/24 – UPnP Filtering
- 20.1.23 Connectivity Fault Management (CFM) Configuration
- 20.1.24 CFM Configuration Example – 7.1.1.x or higher
- 20.1.25 Fabric Extend Configuration
- 20.1.26 ONA: Assigning a Static IP address to the Open Network Adapter
- 20.1.27 Fabric Extend over Routed Infrastructure using VRF to interconnect to routed network
- 20.1.28 Fabric Extend over Routed Infrastructure using GRT to interconnect to routed network
- 20.1.29 Fabric Extend over E-LAN/VPLS (L2) network using Layer 3 over Layer 2 tunneling using VSP 4000
- 20.1.30 Fabric Extend over E-LAN/VPLS (L2) network using Layer 3 over Layer 2 tunneling with VSP8000 orVSP7200
- 20.1.31 Fabric Extend over E-LAN/VPLS (L2) network using VLAN Tunnels
- 20.1.32 Fabric Attach Configuration
- 20.1.33 Identity Engines – Attribute Details
- 20.1.34 Fabric Attach Base Configuration – Adding a FA Proxy and FA Server
- 20.1.34.1 Fabric Attach – Adding a Platform VLAN on FA Server forManagement VLAN
- 20.1.34.2 Fabric Attach – Adding a L2VSN Service
- 20.1.34.3 Fabric Attach – Adding a L3VSN Service
- 20.1.34.4 Fabric Attach - Adding a WLAN 9100 FA Client with EAPDevice authentication via Identity Engines
- 20.1.34.5 Fabric Attach – Changing the FA authentication key
- 20.1.35 Fabric Attach Proxy Standalone
- 20.2 Using EDM
- 20.1 SPB Configuration
- 21. VLAN and ISID Restrictions using TACACS+via Identity Engines
- 22. Configuration Examples
- 22.1 SPB – Core Setup
- 22.1.1 Configuration
- 22.1.1.1 Configuration Mode
- 22.1.1.2 Auto Save
- 22.1.1.3 VSP 7000 – Rear Port Mode
- 22.1.1.4 Option: Change Spanning Tree mode to MSTP
- 22.1.1.5 System Name
- 22.1.1.6 Option – Configure out-of-band management interface
- 22.1.1.7 Enable VLACP Globally
- 22.1.1.8 IST Configuration – SMLT Cluster switch 4001 & 4002, 9001 & 9002 and 8005 & 8006
- 22.1.1.9 IS-IS and SPB Global Configuration
- 22.1.1.10 IS-IS SPB Interface Configuration
- 22.1.1.11 Remove default VLAN from all SPB ports
- 22.1.1.12 Other best practice items – VLACP and discard untagged frames
- 22.1.1.13 IST Configuration – SMLT Cluster switch 7001 & 7002
- 22.1.1.14 ISIS L1-metric – Optional
- 22.1.1.15 Connectivity Fault Management (CFM) Configuration
- 22.1.1.16 QoS
- 22.1.2 Configuration using EDM – Using 8005 as an example
- 22.1.3 Verify Operations
- 22.1.1 Configuration
- 22.2 SMLT Configuration
- 22.3 SPB L2 VSN Configuration
- 22.4 VSP 7000 & ERS 4800 – In-band Management via L2VSN
- 22.5 Multicast over L2VSN
- 22.6 Inter VSN Routing
- 22.7 Inter-ISID Configuration
- 22.7.1 VRF configuration
- 22.7.2 Verification
- 22.8 SPB L3 VSN – SMLT
- 22.9 Extending L3VSN to the VSP 7000 Cluster via L2VSN
- 22.10 Multicast over L3VSN
- 22.11 SPB IP Shortcuts
- 22.12 Multicast over IP Shortcuts
- 22.1 SPB – Core Setup
- 23. Restrictions and Limitations
- 24. Reference Documentation
©2021 Extreme Networks, Inc. All rights reserved
October 2021
223
21. VLAN and ISID Restrictions using TACACS+
via Identity Engines
For security concerns, customers may wish to restrict users from only entering specific VLAN and ISID
combinations. For example, for building x, an administrator wishes to only allow a local user to add VLANs
2000-2399 and only use I-SIDs 2002000-2002399. Regular expressions via Identity Engines TACACS+
Device Command Sets can be used to restrict specific ranges.
On a VSP 7000, ERS 5900, and ERS 4800 supports up 15 different TACACS+ levels are supported. For
each level, we can restrict what commands are allowed and or denied and also allow regular expressions
to restrict a command to a specific range. Please see the Management Access Security TCG, publication
number NN48500-594 for more details on how to configure TACACS+ and setting up IDE.
The VSP 4000/7200/8200 and VSP 9000 support up to 6 levels as per the table below. Please see the
Management Access Security TCG, publication number NN48500-650 for more details on how to configure
TACACS+ and setting up IDE.
VSP 4000/7200/8000/9000 TACACS+ Access Levels
Access Level Privilege Level
None 0 and 7 to 14
Read only
1
Layer 1 read write
2
Layer 2 read write
3
Layer 3 read write
4
Read write
5
Read write all
6
Read write all 15
VSP 4000/7200/8000 Enhanced Security TACACS+ Attributes
Access Level VSA Attribute 26 – Vendor Identifier 1584 Type 192 value
None-Access 0, 4, 5, 7 to 14
Auditor
1
Security
2
Operator
3
Privilege N/A – Not allowed by TACACS+
Admin
6
Admin 15