ExtremeWare XOS Concepts Guide Software Version 11.0 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.
Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries.
Contents

Preface
  Introduction 15
  Conventions 16
  Related Publications 16

Part 1 Using ExtremeWare XOS

Chapter 1 ExtremeWare XOS Overview
  Platform 19
  Summary of Features 19
    Virtual Routers 21
    Software Modules 21
    SSH 21
    Virtual LANs 21
    Spanning Tree Protocol 22
    EAPS 22
    Quality of Service 22
    Load Sharing 22
    sFlow 23
    Unicast Routing 23
    ESRP 23
    IP Multinetting 23
    VRRP 24
    IP Multicast Routing 24
  Software Factory Defaults 24

Chapter 2 Accessing the Switch
  Understanding the Command Syntax 27
    Syntax Helper 28
    Command Shortcuts 28
    Modular Switch Numerical Ranges 29
    Names 29
    Symbols 30
    Limits 30
  Line-Editing Keys 30
  Command History 31
  Common Commands 31
  Configuring Management Access 33
    User Account 33
    Administrator Account 33
    Default Accounts 34
    Creating a Management Account 35
    Failsafe Account 35
  Domain Name Service Client Services 36
  Checking Basic Connectivity 37
    Ping 37
    Traceroute 38

Chapter 3 Managing the Switch
  System Redundancy 47
    Node Election 48
    Replicating Data Between Nodes 49
    Viewing Node Status 51
  Power Management 51
    Initial System Boot-Up 52
    Removing a Power Supply 52
    Installing or Replacing a Power Supply 52
    Displaying Power Supply Data 53
  Using the Simple Network Management Protocol
    Enabling and Disabling SNMPv1/v2c and SNMPv3
    Accessing Switch Agents
    Supported MIBs
    Configuring SNMPv1/v2c Settings
    Displaying SNMP Settings
    SNMPv3 Message Processing SNMPv3 Security SNMPv3 MIB Access

Chapter 4 Configuring Slots and Ports on a Switch
  Load-Sharing Examples
  Verifying the Load-Sharing Configuration
  Switch Port Mirroring 77
    Switch Port-Mirroring Rules and Restrictions 78
    Switch Port-Mirroring Examples 79
    Verifying the Switch Port-Mirroring Configuration 79
  Extreme Discovery Protocol 79

Chapter 5 Virtual LANs
  Overview of Virtual LANs 81
    Benefits 81
    Virtual Routers and VLANs 82
  Types of VLANs 82
    Port-Based VLANs 82
    Tagged VLANs 84
    Protocol-Based VLANs 87
    Precedence of Tagged Packets Over Protocol Filters 89
  VLAN

Chapter 6

Chapter 7 Forwarding Database
  Overview of the FDB 103
    FDB Contents 103
    How FDB Entries Get Added 103
    FDB Entry Types 104
    Disabling MAC Address Learning 105
  FDB Configuration Examples 105
  MAC-Based Security 106
  Displaying FDB Entries 106

Chapter 8 Quality of Service
  Overview of Policy-Based Quality of Service 107
  Applications and Types of QoS 108
    Voice Applications 108
    Video Applications 108
    Critical Database Applications
    Web Browsing Applications
    File Server Applications

Chapter 9

Chapter 10
  System Health Checking 129
    Enabling and Disabling Backplane Diagnostic Packets on the Switch 130
    Configuring Backplane Diagnostic Packets on the Switch 130
    System Health Check Example 130
  Setting the System Recovery Level 131
  Event Management System/Logging 131
    Sending Event Messages to Log Targets 132
    Filtering Events Sent to Targets
    Displaying Real-Time Log Messages
    Displaying Event Logs
    Uploading Event Logs
    Displaying Counts of Event Occurrences
    Displaying Debug Information

Part 2 Using Switching and Routing Protocols

Chapter 11 Ethernet Automatic Protection Switching
  Overview of the EAPS Protocol 175
    Fast Convergence 177
    EAPS Terms 177
  Fault Detection and Recovery 178
    Link Down Message Sent by a Transit Node 178
    Ring Port Down Event Sent by Hardware Layer 179
    Polling 179
    Restoration Operations 179
  Multiple EAPS Domains
    EAPS Data VLAN Spanning Two Rings Connected by One Switch
    Multiple EAPS Domains per Ring—Spatial Reuse
    Multiple EAPS Rings Sharing a

Chapter 12
  STP Configurations 203
    Basic STP Configuration 203
    Multiple STPDs on a Port 206
    VLAN Spanning Multiple STPDs 206
    EMISTP Deployment Constraints 207
  Per VLAN Spanning Tree 209
    STPD VLAN Mapping 209
    Native VLAN 209
  Rapid Spanning Tree Protocol 209
    RSTP Terms 210
    RSTP Concepts 210
    RSTP Operation 213
  STP Rules and Restrictions 220
  Configuring STP on the Switch 220
  STP Configuration Examples
    Basic 802.1D Configuration Example
    EMISTP Configuration Example
    RSTP 802.

Chapter 13
    ESRP Host Attach 242
    ESRP Groups 243
  Displaying ESRP Information 244
  ESRP Examples 244
    Single Domain Using Layer 2 and Layer 3 Redundancy 244
    Multiple Domains Using Layer 2 and Layer 3 Redundancy 247
  ESRP Cautions 248
    Configuring ESRP and IP Multinetting 248
    ESRP and STP 249
    ESRP Groups and Host Attach 249

Chapter 14 Virtual Router Redundancy Protocol
  Overview 251
  Determining the VRRP Master 252
    VRRP Tracking 252
    Electing the Master Router 253
  Additional VRRP Highlights 2

Chapter 15
  Configuring IP Multinetting 273
    IP Multinetting Examples 273
  Configuring DHCP/BOOTP Relay 274
    Verifying the DHCP/BOOTP Relay Configuration 274
    UDP Echo Server 274

Chapter 16 Interior Gateway Protocols
  Overview 276
    RIP Versus OSPF 276
    Advantages of RIP and OSPF 276
  Overview of RIP 277
    Routing Table 277
    Split Horizon 277
    Poison Reverse 277
    Triggered Updates 277
    Route Advertisement of VLANs 277
    RIP Version 1 Versus RIP Version 2 278
  Overview of OSPF
    Link State Database
    Areas
    Po

Chapter 17
    Using the Loopback Interface 298
  BGP Peer Groups 298
  BGP Route Flap Dampening 299
  BGP Route Selection 301
  Stripping Out Private AS Numbers from Route Updates 301
  Route Redistribution 301
  BGP Static Network 302

Chapter 18 IP Multicast Routing
  Overview 303
    PIM Overview 304
    IGMP Overview 305
  Configuring IP Multicasting Routing 306
  Configuration Examples 306
    PIM-DM Configuration Example 306
    PIM-SM Configuration Example 308

Part 3 Appendixes

Appendix A Software Upgrade and Boot Options
  Downlo

Appendix B Troubleshooting
  LEDs 321
  Using the Command Line Interface 322
    Port Configuration 324
    VLANs 325
    STP 326
    ESRP 326
  Debug Mode 327
  TOP Command 327
  System Health Check 328
    Enabling and Disabling Backplane Diagnostic Packets on the Switch 328
    Configuring Backplane Diagnostic Packets on the Switch 328
  System Odometer 329
  Temperature Operating Range 329
  Running MSM Diagnostics from the Bootloader 329
  Contacting Extreme Technical Support 330

Appendix C Supported Protocols, MI
Preface This preface provides an overview of this guide, describes guide conventions, and lists other publications that might be useful. Introduction This guide provides the required information to configure ExtremeWare® XOS software version 11.0 running on modular switches from Extreme Networks. This software runs on the BlackDiamond® 10K chassis. The guide is intended for use by network administrators who are responsible for installing and setting up network equipment.
Preface Conventions Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1: Notice icons
Icon / Notice Type: Alerts you to...
Note: Important features or instructions.
Caution: Risk of personal injury, system damage, or loss of data.
Warning: Risk of severe personal injury.

Table 2: Text conventions
Convention: Description
Screen displays: This typeface indicates command syntax, or represents information as it appears on the screen.
Part 1 Using ExtremeWare XOS
1 ExtremeWare XOS Overview This chapter covers the following topics: • Platform on page 19 • Summary of Features on page 19 • Software Factory Defaults on page 24 This chapter provides an overview of the ExtremeWare XOS version 11.0 software. Platform ExtremeWare XOS is the full-featured software operating system that is designed to run on the Extreme Networks BlackDiamond 10800 family of switches. NOTE ExtremeWare XOS 11.0 supports only Extreme Networks BlackDiamond 10800 family products.
ExtremeWare XOS Overview • Ethernet Automatic Protection Switching (EAPS) • Virtual Router Redundancy Protocol (VRRP) • Routing Information Protocol (RIP) version 1 and RIP version 2 • Open Shortest Path First (OSPF) routing protocol • Border Gateway Protocol (BGP) version 4 • Wire-speed IP multicast routing support • DiffServ support • Access-policy support for routing protocols • Access list support for packet filtering • IGMP snooping to control IP multicast traffic • Protocol Independent Multicast-Dens
Summary of Features • VRRP on page 24 • IP Multicast Routing on page 24 Virtual Routers ExtremeWare XOS supports virtual routers. This capability allows a single physical switch to be split into multiple virtual routers. This feature separates the traffic forwarded by a virtual router from the traffic on a different virtual router. Each virtual router maintains a separate logical forwarding table, which allows the virtual routers to have overlapping address spaces.
ExtremeWare XOS Overview Implementing VLANs on your network has the following three advantages: • Helps to control broadcast traffic. If a device in VLAN Marketing transmits a broadcast frame, only VLAN Marketing devices receive the frame. • Provides extra security. Devices in VLAN Marketing can communicate only with devices on VLAN Sales using routing services. • Eases the change and movement of devices on networks. For more information on VLANs, see Chapter 5.
Summary of Features sFlow sFlow is a technology for monitoring traffic in data networks containing switches and routers. The technology relies on statistical sampling of packets from high-speed networks, plus periodic gathering of the statistics. A UDP datagram format is defined to send the information to an external entity for analysis. sFlow consists of a Management Information Base (MIB) and a specification of the packet format for forwarding information to a remote agent.
ExtremeWare XOS Overview VRRP Similar to ESRP, the Virtual Router Redundancy Protocol (VRRP) allows switches to provide redundant routing services. With software version 11.0, ExtremeWare XOS supports VRRP. If a manually configured default gateway fails and you are not using VRRP, you must reconfigure each host on the network to use a different router. If the default gateway fails when running VRRP, the backup router assumes forwarding responsibilities.
Software Factory Defaults Table 3: ExtremeWare XOS version 11.0 global factory defaults (continued)
Item | Default Setting
QoS—DiffServ examination | Disabled
Autonegotiation | 10 G modules: autonegotiation OFF, speed 10000 Mbps, full-duplex; 1 G modules: autonegotiation ON
802.3x flow control | 10 G modules: ON; 1 G fiber and copper: ON
Virtual LANs | Two VLANs are predefined; the VLAN named default contains all ports and belongs to the Spanning Tree Protocol Domain (STPD) named s0.
2 Accessing the Switch This chapter covers the following topics: • Understanding the Command Syntax on page 27 • Line-Editing Keys on page 30 • Command History on page 31 • Common Commands on page 31 • Configuring Management Access on page 33 • Domain Name Service Client Services on page 36 • Checking Basic Connectivity on page 37 Understanding the Command Syntax This section describes the steps to take when entering a command.
Accessing the Switch 2 If the command includes a parameter, enter the parameter name and values. The value part of the command specifies how you want the parameter to be set. Values include numerics, strings, or addresses, depending on the parameter. 3 After entering the complete command, press [Return]. NOTE If an asterisk (*) appears in front of the command line prompt, it indicates that you have outstanding configuration changes that have not been saved.
Understanding the Command Syntax you could enter the following shortcut:
configure engineering delete port 1:3,4:6
Although it is helpful to have unique names for system components, this is not a requirement. If ExtremeWare XOS encounters any ambiguity in the components within your command, it generates a message requesting that you clarify the object you specified.
Accessing the Switch Symbols You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table 4 summarizes command syntax symbols.

Table 4: Command syntax symbols
Symbol: Description
angle brackets < >: Enclose a variable or value. You must specify the variable or value.
Command History Table 5: Line-editing keys (continued)
Key(s): Description
Delete or [Ctrl] + D: Deletes character under cursor and shifts remainder of line to left.
[Ctrl] + K: Deletes characters from under cursor to end of line.
Insert: Toggles on and off. When toggled on, inserts text and shifts previous text to right.
Left Arrow: Moves cursor to left.
Right Arrow: Moves cursor to right.
Home or [Ctrl] + A: Moves cursor to first character in line.
Accessing the Switch Table 6: Common commands (continued)
Command / Description
configure slot module
    Configures a slot for a particular I/O module card.
configure ssh2 key {pregenerated}
    Generates the SSH2 host key. You must install the SSH software module in addition to the base image to run SSH.
configure sys-recovery-level [all | none]
    Configures a recovery option for instances where an exception occurs in ExtremeWare XOS.
Configuring Management Access Table 6: Common commands (continued)
Command / Description
enable idletimeout
    Enables a timer that disconnects all sessions (both Telnet and console) after 20 minutes of inactivity. The default setting is enabled.
enable ssh2 {port } {vr [ | all | default]}
    Enables SSH2 sessions. By default, SSH2 is disabled. Once enabled, SSH uses TCP port number 22. You must install the SSH software module in addition to the base image to run SSH.
Accessing the Switch The administrator can disconnect a management session that has been established by way of a Telnet connection. If this happens, the user logged on by way of the Telnet connection is notified that the session has been terminated. If you have logged on with administrator capabilities, the command line prompt ends with a (#) sign. For example: BD-1.18 # Prompt Text You must have an administrator-level account to change the text of the prompt.
Configuring Management Access To add a password to the default user account: 1 Log in to the switch using the name user. 2 At the password prompt, press [Return], or enter the password that you have configured for the admin account. 3 Add a default user password by entering the following command, where blue is the example password:
configure account user blue
NOTE If you forget your password while logged out of the CLI, contact your local technical support representative, who will advise on your next course of action.
Accessing the Switch You will be prompted for the failsafe account name and prompted twice to specify the password for the account. For example:
BD-10808.1 # configure failsafe-account
enter failsafe user name: blue5green
enter failsafe password:
enter password again:
BD-10808.2
The failsafe account is immediately saved to NVRAM. NOTE The information that you use to configure the failsafe account cannot be recovered by Extreme Networks.
Checking Basic Connectivity In addition, the nslookup utility can be used to return the IP address of a hostname. You can specify up to eight DNS servers for use by the DNS client using the following command:
configure dns-client add
You can specify a default domain for use when a host name is used without a domain. Use the following command:
configure dns-client default-domain
For example, if you specify the domain xyz-inc.
Accessing the Switch Table 8: Ping command parameters (continued)
Parameter: Description
host: Specifies an IPv4 host to ping.
from: Uses the specified source address. If not specified, the address of the transmitting interface is used.
with record-route: Sets the traceroute information.
If a ping request fails, the switch continues to send ping messages until interrupted. Press [Ctrl] + C to interrupt a ping request. The statistics are tabulated after the ping is interrupted.
3 Managing the Switch This chapter covers the following topics: • Overview on page 39 • Understanding the ExtremeWare XOS Shell on page 40 • Configuration File Management on page 40 • Using the Console Interface on page 41 • Using the 10/100 Ethernet Management Port on page 42 • Using Telnet on page 42 • Using Trivial File Transfer Protocol on page 46 • Using Secure Shell 2 on page 47 • System Redundancy on page 47 • Power Management on page 51 • Using the Simple Network Management Protocol on page 53 • A
Managing the Switch • Download software updates and upgrades. For more information, see Appendix A, “Software Upgrade and Boot Options.” The switch supports up to the following number of concurrent user sessions: • One console session — Two console sessions are available if two management modules are installed.
Using the Console Interface Table 9: Configuration file management Task Behavior Configuration file database ExtremeWare XOS supports saving a configuration file into any named file and supports more than two saved configurations. For example, you can download a configuration file from a network TFTP server and save that file as primary, secondary, or with a user-defined name. You also select where to save the configuration: primary or secondary partition, or another space.
Managing the Switch Using the 10/100 Ethernet Management Port The Management Switch Fabric Module (MSM) provides a dedicated 10/100 Mbps Ethernet management port. This port provides dedicated remote access to the switch using TCP/IP. It supports the following management methods: • Telnet using the CLI interface • SNMP access using EPICenter or another SNMP manager The management port on the MSM is a DTE port and is not capable of supporting switching or routing functions.
Using Telnet The same is true if you use the switch to connect to another host. From the CLI, you must specify the IP address or host name of the device that you want to connect to. If the host is accessible and you are allowed access, you may log in. For more information about using the Telnet client on the switch, see “Connecting to Another Host Using Telnet” on page 43.
Managing the Switch You can disable BOOTP or DHCP per VLAN by using the following commands:
disable bootp vlan [ | all]
disable dhcp vlan [ | all]
To view the current state of the BOOTP or DHCP client, use the following command:
show dhcp-client state
If you configure the switch to use BOOTP, the switch IP address is not retained through a power cycle, even if the configuration has been saved.
Using Telnet — If you have been assigned a user name and password with administrator privileges, enter them at the login prompt. 4 At the password prompt, enter the password and press [Return]. When you have successfully logged in to the switch, the command line prompt displays the name of the switch. 5 Assign an IP address and subnetwork mask for the default VLAN by using the following command:
configure vlan ipaddress {}
For example:
configure vlan default ipaddress 123.
Managing the Switch To change the default TCP port number, use the following command:
configure telnet port [ | default]
The range for the port number is 1 through 65535.
Using Secure Shell 2 Connecting to Another Host Using TFTP You can TFTP from the current CLI session to another host using the following command:
tftp [ | ] {-v } [-g | -p] [{-l } {-r } | {-r } {-l }]
The TFTP session defaults to port 69. For example, to connect to a remote TFTP server with an IP address of 10.123.45.67 and “get” or retrieve an ExtremeWare XOS configuration file named XOS1.
Managing the Switch Table 10: System redundancy terms (continued)
Term: Description
Master: The master MSM provides all of the switch management functions including bringing up and programming the I/O modules, running the bridging and routing protocols, and configuring the switch.
Node: A node runs the XOS management applications on the switch. Each MSM installed in the chassis is a node.
Node election: The process of electing the master and backup nodes is called node election.
System Redundancy Relinquishing Master Status You can cause the master to failover to the backup, thereby relinquishing its master status. To cause the failover, complete the following steps: 1 Use the show switch {detail} command to confirm that the nodes are synchronized and have identical software and switch configurations before failover. The output displays the status of the MSMs, with the master MSM showing MASTER and the backup MSM showing BACKUP (InSync).
Managing the Switch Relaying Configuration Information To facilitate a failover from the master MSM to the backup MSM, the master transfers its active configuration to the backup. Relaying configuration information is the first level of checkpointing. During the initial switch boot-up, the master’s configuration takes effect. During the initialization of a standby or backup MSM, the master’s saved configuration is copied to local flash.
Power Management This command is also helpful in debugging synchronization problems that occur at run time. This command displays, in percentages, the amount of copying completed by each process and the traffic statistics between the process on both the master and the backup MSMs. Viewing Node Status ExtremeWare XOS allows you to view node statistical information. Each node installed in your system is self-sufficient and runs the ExtremeWare XOS management applications.
Managing the Switch The BlackDiamond 10808 switch includes two power supply controllers that collect data from the installed power supplies and report the results to the MSM modules. When the BlackDiamond 10808 switch is first powered on, the power supply controllers enable the power supplies by providing 48V power. As part of the power management function, the power controller disables the PSU if an unsafe condition arises.
Using the Simple Network Management Protocol Displaying Power Supply Data To view the distribution of power and available power on the switch, use the following command:
show power budget
To display the status of the currently installed power supplies, use the following command:
show power {} {detail}
To display the status of the currently installed power supply controllers, use the following command:
show power controller {}
Using the Simple Network Management Protocol Any network manager
Managing the Switch To prevent any type of SNMP access, use the following command:
disable snmp access
To prevent access using SNMPv1/v2c methods and allow access using SNMPv3 methods only, use the following commands:
enable snmp access
disable snmp access {snmp-v1v2c}
There is no way to configure the switch to simultaneously allow SNMPv1/v2c access and prevent SNMPv3 access.
Using the Simple Network Management Protocol • System name—The system name enables you to enter a name that you have assigned to this switch. The default name is the model name of the switch (for example, BD-1.2). • System location (optional)—Using the system location field, you can enter the location of the switch.
Managing the Switch implementing a multilingual agent, so that various versions of SNMP can coexist simultaneously in the same network. The security subsystem features the use of various authentication and privacy protocols with various timeliness checking and engine clock synchronization schemes. SNMPv3 is designed to be secure against: • Modification of information, where an in-transit message is altered. • Masquerades, where an unauthorized entity assumes the identity of an authorized entity.
Using the Simple Network Management Protocol Every SNMPv3 engine necessarily maintains two objects: SNMPEngineBoots, which is the number of reboots the agent has experienced and SNMPEngineTime, which is the local time since the engine reboot. The engine has a local copy of these objects and the latestReceivedEngineTime for every authoritative engine it wants to communicate with.
Managing the Switch Groups. Groups are used to manage access for the MIB. You use groups to define the security model, the security level, and the portion of the MIB that members of the group can read or write.
Using the Simple Network Management Protocol • AuthPriv—Authentication, privacy. This represents the highest level of security and requires every message exchange to pass the authentication and encryption tests. When a user is created, an authentication method is selected, and the authentication and privacy passwords or keys are entered. When MD5 authentication is specified, HMAC-MD5-96 is used to achieve authentication with a 16-octet key, which generates a 128-bit authorization code.
Managing the Switch After the view has been created, you can repeatedly use the configure snmpv3 add mib-view command to include and/or exclude MIB subtree/mask combinations to precisely define the items you want to control access to. In addition to the user-created MIB views, there are three default views. These default views are of storage type permanent and cannot be deleted, but they can be modified. The default views are: defaultUserView, defaultAdminView, and defaultNotifyView.
Using the Simple Network Management Protocol To delete a single target address or all target addresses, use the following command:
configure snmpv3 delete target-addr [{[[hex ] | ]} | all]
Target Parameters Target parameters specify the MP model, security model, security level, and user name (security name) used for messages sent to the target address. See “Message Processing” on page 56 and “Users, Groups, and Security” on page 57 for more details on these topics.
Managing the Switch To display the filters that belong to a filter profile, use the following command:
show snmpv3 filter {[[hex ] | ] {{subtree} }
To delete a filter or all filters from a filter profile, use the following command:
configure snmpv3 delete filter [all | [[hex ] | ] {subtree }]]
To remove the association of a filter profile or all filter profiles with a parameter name, use the following comma
Authenticating Users Authenticating Users ExtremeWare XOS provides three methods to authenticate users who log in to the switch: • RADIUS client • TACACS+ • Local database of accounts and passwords NOTE You cannot configure RADIUS and TACACS+ at the same time. RADIUS Client Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administrating access to network nodes.
Managing the Switch Configuring and Using SNTP To use SNTP, follow these steps: 1 Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method for obtaining NTP updates. The options are for the NTP server to send out broadcasts or for switches using NTP to query the NTP server(s) directly. A combination of both methods is possible. You must identify the method that should be used for the switch being configured.
Using the Simple Network Time Protocol Table 12: Time zone configuration command options (continued) floating_day Specifies the day, week, and month of the year to begin or end Daylight Savings Time each year.
Managing the Switch 6 You can verify the configuration using the following commands: — show sntp-client This command provides configuration and statistics associated with SNTP and its connectivity to the NTP server. — show switch {detail} This command indicates the GMT offset, the Daylight Savings Time configuration and status, and the current local time. NTP updates are distributed using GMT time.
Process Management Table 13: Greenwich Mean Time offsets (continued)
GMT Offset in Hours | GMT Offset in Minutes | Common Time Zone References | Cities
+4:00 | +240 | ZP4 - Russia Zone 3 | Abu Dhabi, UAE; Muscat; Tblisi;
+5:00 | +300 | ZP5 - Russia Zone 4 |
+5:30 | +330 | IST - India Standard Time |
+6:00 | +360 | ZP6 - Russia Zone 5 |
+7:00 | +420 | WAST - West Australian Standard |
+8:00 | +480 | CCT - China Coast, Russia Zone 7 |
+9:00 | +540 | JST - Japan Standard, Russia Zone 8 |
+10:00 | +600 | EAST - East Australian Standard |
4 Configuring Slots and Ports on a Switch This chapter covers the following topics: • Configuring a Slot on a Modular Switch on page 69 • Configuring Ports on a Switch on page 70 • Jumbo Frames on page 72 • Load Sharing on the Switch on page 74 • Switch Port Mirroring on page 77 • Extreme Discovery Protocol on page 79 Configuring a Slot on a Modular Switch If a slot has not been configured for a particular type of module, then any type of module is accepted in that slot, and a default port and VLAN confi
Configuring Slots and Ports on a Switch If a slot is configured for one type of module, and a different type of module is inserted, the inserted module is put into a mismatch state and is not brought online. To use the new module type in a slot, the slot configuration must be cleared or configured for the new module type.
Configuring Ports on a Switch Enabling and Disabling Switch Ports By default, all ports are enabled. To enable or disable one or more ports on a modular switch, use the following commands:
enable port [ | all]
disable port [ | all]
For example, to disable slot 7, ports 3, 5, and 12 through 15 on a modular switch, use the following command:
disable port 7:3,7:5,7:12-7:15
Configuring Switch Port Speed and Duplex Setting ExtremeWare XOS 11.
Configuring Slots and Ports on a Switch The 10 Gbps ports do not autonegotiate; they always run at full duplex and 10 Gbps speed. Table 14 lists the support for autonegotiation, speed, and duplex setting for the various types of ports.
Jumbo Frames Path MTU Discovery Using path MTU discovery, a source host assumes that the path MTU is the MTU of the first hop (which is known). The host sends all datagrams on that path with the “don’t fragment” (DF) bit set, which restricts fragmentation.
Configuring Slots and Ports on a Switch IP Fragmentation within a VLAN ExtremeWare XOS supports IP fragmentation within a VLAN. This feature does not require you to configure the MTU size. To use IP fragmentation within a VLAN: 1 Enable jumbo frames on the incoming port. 2 Add the port to a VLAN. 3 Assign an IP address to the VLAN. 4 Enable IP forwarding on the VLAN.
Load Sharing on the Switch VMAN ports can belong to load-sharing groups. If any port in the load-sharing group is enabled for VMAN, all ports in the group are automatically enabled to handle jumbo-size frames. Also, VMAN is automatically enabled on all ports of the untagged load-sharing group. Load-Sharing Algorithms Load-sharing algorithms allow you to select the distribution technique used by the load-sharing group to determine the output port selection.
Configuring Slots and Ports on a Switch To verify your configuration, use the following command:
show ports sharing
Configuring Switch Load Sharing To set up a switch to load share among ports, you must create a load-sharing group of ports. The first port in the load-sharing group is configured to be the “master” logical port, or the primary port. This is the reference port used in configuration commands. It can be thought of as the logical port representing the entire port group.
Switch Port Mirroring use other ports in the load-sharing group will have those ports deleted from the VLAN when load sharing becomes enabled. Single-Module Load Sharing on a Modular Switch The following example defines a load-sharing group that contains ports 9 through 12 on slot 3 and uses the first port as the master logical port 9:
enable sharing 3:9 grouping 3:9-3:12
In this example, logical port 3:9 represents physical ports 3:9 through 3:12.
Configuring Slots and Ports on a Switch NOTE Frames that contain errors are not mirrored. The monitor port transmits tagged or untagged frames, according to the way you configured the monitor port. This feature allows you to mirror multiple ports or VLANs to a monitor port, while preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast domain (VLAN) and across broadcast domains (for example, across VLANs when routing).
Extreme Discovery Protocol

Switch Port-Mirroring Examples

The following example selects slot 7, port 3 as the untagged monitor port, and sends all traffic coming into or out of a modular switch on slot 7, port 1 to the monitor port:

enable mirroring to port 7:3 untagged
configure mirroring add port 7:1

The following example sends all traffic coming into or out of the system on slot 8, port 1 and the VLAN default to the untagged monitor port, which is slot 7, port 3:

enable mirroring to port 7:3 untagged c
To enable EDP on specified ports, use the following command:

enable edp ports [ | all]

To view EDP port information on the switch, use the following command:

show edp

To configure the advertisement interval and the timeout interval, use the following command:

configure edp advertisement-interval holddown-interval
5 Virtual LANs This chapter covers the following topics: • Overview of Virtual LANs on page 81 • Types of VLANs on page 82 • VLAN Names on page 89 • Configuring VLANs on the Switch on page 90 • Displaying VLAN Settings on page 92 • Tunneling (VMANs) on page 93 Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.
Virtual LANs • VLANs provide extra security—Devices within each VLAN can communicate only with member devices in the same VLAN. If a device in VLAN Marketing must communicate with devices in VLAN Sales, the traffic must cross a routing device. • VLANs ease the change and movement of devices—With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually.
Types of VLANs

[Figure 1: Example of a port-based VLAN on an Extreme Networks switch (VLANs Finance, Marketing and Sales)]

For the members of different IP VLANs to communicate, the traffic must be routed by the switch, even if the VLANs are physically part of the same I/O module. This means that each VLAN must be configured as a router interface with a unique IP address.
Figure 3 illustrates two VLANs spanning two switches. On system 2, ports 25 through 29 are part of VLAN Accounting; ports 21 through 24 and ports 30 through 32 are part of VLAN Engineering. On system 1, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of VLAN Engineering.
Types of VLANs Uses of Tagged VLANs Tagging is most commonly used to create VLANs that span switches. The switch-to-switch connections are typically called trunks. Using tags, multiple VLANs can span multiple switches using one or more trunks. In a port-based VLAN, each VLAN requires its own pair of trunk ports, as shown in Figure 3. Using tags, multiple VLANs can span two switches with a single trunk. Another benefit of tagged VLANs is the ability to have a port be a member of multiple VLANs.
[Figure 4: Physical diagram of tagged and untagged traffic. Legend: M = Marketing, S = Sales, tagged ports marked; an 802.1Q tagged server connects to System 1, which links to System 2]

Figure 5 is a logical diagram of the same network.
Types of VLANs • The server connected to port 25 on system 1 is a member of both VLAN Marketing and VLAN Sales. • All other stations use untagged traffic. As data passes out of the switch, the switch determines if the destination port requires the frames to be tagged or untagged. All traffic coming from and going to the server is tagged. Traffic coming from and going to the trunk ports is tagged. The traffic that comes from and goes to the other stations on this network is not tagged.
[Figure 6: Protocol-based VLANs (VLANs My Company and Finance with router interfaces A and B)]
VLAN Names 2 Configure the protocol using the following command: configure protocol add [etype | llc | snap] {[etype | llc | snap] } ... Supported protocol types include: — etype—EtherType. The values for etype are four-digit hexadecimal numbers taken from a list maintained by the IEEE. This list can be found at the following URL: http://standards.ieee.org/regauth/ethertype/index.html — llc—LLC Service Advertising Protocol (SAP).
VLAN names can be no longer than 32 characters and must begin with an alphabetic character. The remainder of the name can be alphanumeric or contain underscore (_) characters. VLAN names cannot be keywords.

NOTE If you use the same name across categories (for example, STPD and EAPS names), Extreme Networks recommends that you specify the identifying keyword as well as the actual name.
Configuring VLANs on the Switch NOTE Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP subnet on different VLANs. NOTE If you plan to use this VLAN as a control VLAN for an EAPS domain, do NOT assign an IP address to the VLAN. 3 Assign a VLANid, if any ports in this VLAN will use a tag. 4 Assign one or more ports to the VLAN. As you add each port to the VLAN, decide if the port will use an 802.1Q tag.
configure ipsales protocol ip
configure ipsales add port 5:6-5:8,6:1,6:3-6:6

The following modular switch example defines a protocol filter, myprotocol, and applies it to the VLAN named myvlan. This is an example only, and has no real-world application.
You can display statistics for multiple VLANs by entering the name of each VLAN on the command line.

Displaying Protocol Information

To display protocol information, use the following command:

show protocol {}

This show command displays protocol information, which includes:
• Protocol name
• Type
• Value

Tunneling (VMANs)

You can “tunnel” any number of 802.1Q and/or Cisco ISL VLANs into a single VLAN that can be switched through an Extreme Ethernet infrastructure.
Virtual LANs NOTE All ports added to a specified VMAN must be in the same virtual router. For more information on displaying, configuring, and using virtual routers, see Chapter 6. The system adds a 4-byte VMAN header on all packets, both originally tagged and untagged packets arriving at the VMAN port. When you add ports to the VMAN, the system automatically enables the specified ports for jumbo frames.
VMAN Example

The following example shows the steps to configure VMAN 1 on the BlackDiamond 10808 switch shown in Figure 7.
6 Virtual Routers This chapter describes the following topics: • Virtual Routers Overview on page 97 • Using Virtual Routers on page 99 • Virtual Router Configuration Example on page 102 Virtual Routers Overview ExtremeWare XOS supports virtual routers. This capability allows a single physical switch to be split into multiple virtual routers. This feature separates the traffic forwarded by a virtual router from the traffic on a different virtual router.
configuration domain is introduced in ExtremeWare XOS 11.0. Under a virtual router configuration domain, any virtual router commands are applied only to that virtual router. The virtual router commands consist of all the BGP, OSPF, PIM and RIP commands, and the commands listed in Table 15.
Using Virtual Routers

(previous to release 11.0 these virtual routers were named VR-0, VR-1, and VR-2, respectively). The following describes each system virtual router:
• VR-Mgmt This virtual router is called VR-0 in ExtremeWare XOS releases prior to 11.0. VR-Mgmt enables remote management stations to access the switch through Telnet, SSH, and SNMP sessions, and it owns the management port. No other ports can be added to VR-Mgmt, and the management port cannot be removed from it.
Virtual Routers Creating Virtual Routers To create a user virtual router, issue the following command: create virtual-router A virtual router name cannot be the same as a VLAN name. You cannot name a user virtual router with the names VR-Mgmt, VR-Control, or VR-Default because these are the existing default system virtual routers.
Using Virtual Routers To remove a protocol from a virtual router, use the following command: configure vr delete protocol Displaying Ports and Protocols You display the ports, protocols, and the name of the protocol processes for a virtual router by using the following command: show virtual-router {} Configuring the Routing Protocols and VLANs Once the virtual router is created, the ports are added, and support for any needed routing protocols is added, you can configur
Virtual Routers Virtual Router Configuration Example In the following example: • The user virtual router helix is created • Ports are removed from the VLAN Default and the virtual router VR-Default • Ports are added to the virtual router helix • OSPF is added to the virtual router helix • The configuration domain is set to helix, so that subsequent virtual router commands affect the virtual router helix • The VLAN helix-accounting is created • Ports that belong to the virtual router helix are added to the
7 Forwarding Database This chapter describes the following topics: • Overview of the FDB on page 103 • MAC-Based Security on page 106 • Displaying FDB Entries on page 106 Overview of the FDB The switch maintains a database of all MAC addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.
FDB Entry Types

FDB entries may be dynamic or static, and the entries may be permanent or non-permanent. The following describes the types of entries that can exist in the FDB:
• Dynamic entries—A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information. The switch then creates or updates an FDB entry for that MAC address.
FDB Configuration Examples • Permanent entries—Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. Permanent entries must be created by the system administrator through the CLI. A permanent entry can either be a unicast or multicast MAC address. Permanent entries may be static, meaning they do not age or get updated, or they may be dynamic, meaning that they do age and can be updated via learning.
Forwarding Database MAC-Based Security MAC-based security allows you to control the way the FDB is learned and populated. By managing entries in the FDB, you can block, assign priority (queues), and control packet flows on a per-address basis. MAC-based security allows you to limit the number of dynamically-learned MAC addresses allowed per virtual port.
8 Quality of Service This chapter covers the following topics: • Overview of Policy-Based Quality of Service on page 107 • Applications and Types of QoS on page 108 • Configuring QoS on page 109 • QoS Profiles on page 110 • Traffic Groupings on page 111 • Verifying Configuration and Performance on page 120 • Guidelines for Configuring QoS on page 121 • Bi-Directional Rate Shaping on page 121 Policy-based Quality of Service (QoS) is a feature of ExtremeWare XOS and the Extreme Networks switch architecture
NOTE Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.

Applications and Types of QoS

Different applications have different QoS requirements.
Configuring QoS Web Browsing Applications QoS needs for Web browsing applications cannot be generalized into a single category. For example, ERP applications that use a browser front-end may be more important than retrieving daily news information. Traffic groupings can typically be distinguished from each other by their server source and destinations.
Quality of Service 1 Configure the QoS profile. QoS profile—A class of service that is defined through minimum and maximum bandwidth parameters and prioritization settings. The bandwidth and level of service that a particular type of traffic or traffic grouping receives is determined by assigning it to a QoS profile. The names of the QoS profiles are QP1 through QP8; these names are not configurable. 2 Create traffic groupings.
Traffic Groupings The default QoS profiles cannot be deleted. Also by default, a QoS profile maps directly to a specific hardware queue across all physical ports. The settings for the default QoS parameters are summarized in Table 17.
NOTE The source port and VLAN QoS apply only to untagged packets, and 802.1p QoS applies only to tagged packets.

ACL-Based Traffic Groupings

ACL-based traffic groupings are based on any combination of the following items:
• IP source or destination address
• IP protocol
• TCP flag
• TCP/UDP or other Layer 4 protocol
• TCP/UDP port information
• MAC source or destination address
• Ethertype

ACL-based traffic groupings are defined using access lists.
field is located directly following the 802.1Q type field and preceding the 802.1Q VLAN ID, as shown in Figure 8.

[Figure 8: Ethernet packet encapsulation, showing destination address, source address, the 802.1Q type field (8100), the 802.1p priority field, the 802.1Q VLAN ID, the IP packet and the CRC]

Observing 802.1p information. When ingress traffic that contains 802.1p prioritization information is detected by the switch, that traffic is mapped to various hardware queues on the egress port of the switch.
However, the switch is capable of inserting and/or overwriting 802.1p priority information when it transmits an 802.1Q tagged frame. If 802.1p replacement is enabled, the 802.1p priority information that is transmitted is determined by the hardware queue that is used when transmitting the packet. The 802.1p replacement configuration is based on the ingress port. To replace 802.
[Figure 9: IP packet header encapsulation, showing the DiffServ code point as the high six bits of the type-of-service field, followed by total length, identification, flags, fragment offset, time-to-live, protocol, header checksum, source address, destination address, options and data]

Both observing DiffServ code points as a traffic grouping mechanism for defining QoS policies and overwriting the DiffServ code point field are supported.

Observing DiffServ information.
Changing the default DiffServ code point mapping. You can change the QoS profile assignment for each of the 64 code points using the following command:

configure diffserv examination code-point [qosprofile ]

Once assigned, the rest of the switches in the network prioritize the packet using the characteristics specified by the QoS profile.

Replacing DiffServ code points.
By doing so, the hardware queue used to transmit a packet determines the DiffServ value replaced in the IP packet. To view currently configured DiffServ information, use the following command:

show diffserv [examination | replacement]

The following shows sample output of the show diffserv replacement command:

QOSProfile->CodePoint mapping:
QP1->00
QP2->08
QP3->16
QP4->24
QP5->32
QP6->40
QP7->48
QP8->56

DiffServ example.
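As an added example (not code from the guide), the following Python decodes the two fields the switch observes for traffic grouping, the 802.1p priority inside the 802.1Q tag (Figure 8) and the DiffServ code point in the IP type-of-service byte (Figure 9), and models DiffServ replacement using the QP-to-code-point mapping printed by show diffserv replacement. The sample frame, MAC addresses and IP addresses are constructed here; the checksum recomputation is plain IPv4 behaviour, not a switch-specific detail.

```python
"""Decode and rewrite the QoS fields described in this chapter: the 802.1p
priority carried in the 802.1Q tag and the DiffServ code point carried in the
IP type-of-service byte. Added example; not code from the guide."""
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _ipv4_header_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header with its checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_offset(frame: bytes) -> Optional[int]:
    """Offset of the IPv4 header, skipping an 802.1Q tag if present; None for non-IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    return offset


def observe(frame: bytes) -> Dict[str, Optional[int]]:
    """Fields the switch can observe for traffic grouping: 802.1p priority (pcp),
    VLAN ID and DSCP. Untagged frames give pcp/vid None; non-IPv4 gives dscp None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    pcp = vid = None
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        # Tag control information: 3-bit priority, 1-bit CFI, 12-bit VLAN ID
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
    ip = _ipv4_offset(frame)
    dscp = frame[ip + 1] >> 2 if ip is not None else None  # DSCP = top 6 bits of ToS
    return {"pcp": pcp, "vid": vid, "dscp": dscp}


def default_replacement_code_point(qos_profile: str) -> int:
    """QPn -> code point, as listed by 'show diffserv replacement' above
    (QP1->0, QP2->8, ... QP8->56)."""
    n = int(qos_profile.upper()[2:])
    if not 1 <= n <= 8:
        raise ValueError("QoS profiles are QP1 through QP8")
    return (n - 1) * 8


def replace_dscp(frame: bytes, qos_profile: str) -> bytes:
    """Model DiffServ replacement: overwrite the code point with the value mapped to
    the egress QoS profile, keep the low two ToS bits, and recompute the IP checksum."""
    ip = _ipv4_offset(frame)
    if ip is None:
        return frame  # replacement applies to IP packets only
    out = bytearray(frame)
    out[ip + 1] = (default_replacement_code_point(qos_profile) << 2) | (out[ip + 1] & 0x03)
    ihl = (out[ip] & 0x0F) * 4
    out[ip + 10:ip + 12] = struct.pack("!H", _ipv4_header_checksum(bytes(out[ip:ip + ihl])))
    return bytes(out)


def build_tagged_ipv4_frame(pcp: int, vid: int, dscp: int) -> bytes:
    """Constructed sample: a minimal 802.1Q-tagged IPv4 frame with the given fields."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    eth = (b"\x00\x04\x96\x00\x00\x01" + b"\x00\x04\x96\x00\x00\x02"
           + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4))
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 1, 0,
                                   bytes([10, 1, 2, 3]), bytes([10, 1, 2, 4])))
    ip_hdr[10:12] = struct.pack("!H", _ipv4_header_checksum(bytes(ip_hdr)))
    return eth + bytes(ip_hdr)


# Sample frame: priority 5, VLAN 100, DSCP 46 (constructed, not captured from a switch)
SAMPLE_FRAME = build_tagged_ipv4_frame(5, 100, 46)

if __name__ == "__main__":
    print("ingress:", observe(SAMPLE_FRAME))
    print("egress via QP4:", observe(replace_dscp(SAMPLE_FRAME, "QP4")))
```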
Source port

A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, use the following command:

configure ports [] [qosprofile ]

In the following modular switch example, all traffic sourced from slot 5 port 7 uses the QoS profile named QP3 when being transmitted.
Traffic Groupings Protocol: Trunking: Load sharing is not enabled.
lbDetect: Unsupported
Learning: Enabled
Flooding: Enabled
Jumbo: Disabled
BG QoS monitor: Unsupported
QoS Profile: None configured
Queue: Qp1 MinBw=0% MaxBw=100% Pri=1
       Qp2 MinBw=0% MaxBw=100% Pri=2
       Qp3 MinBw=0% MaxBw=100% Pri=3
       Qp4 MinBw=0% MaxBw=100% Pri=4
       Qp5 MinBw=0% MaxBw=100% Pri=5
       Qp6 MinBw=0% MaxBw=100% Pri=6
       Qp7 MinBw=0% MaxBw=100% Pri=7
       Qp8 MinBw=0% MaxBw=100% Pri=8
Ingress Rate Shaping : support IQP1-2
       IQP1 MinBw= 0% MaxBw=100% Pri=1
       IQP2 MinBw= 0% MaxBw=100% Pri=2
Ingress IPTO
Guidelines for Configuring QoS

Displayed information includes:
• QoS profile name
• Minimum bandwidth
• Maximum bandwidth
• Priority

Additionally, egress QoS information can be displayed from the traffic grouping perspective by using the following command, which displays the QoS profile assignments to the port:

show ports {} information {detail}
Table 23: Ingress queue mapping for I/O modules (continued)

I/O module      Ingress queues   Priority value
10 Gbps module  IQP1             1
                IQP2             2
                IQP3             3
                IQP4             4
                IQP5             5
                IQP6             6
                IQP7             7
                IQP8             8

Using bi-directional rate shaping, excess traffic is discarded at the I/O module and does not traverse the backplane. You view statistics on the discarded traffic using the show ports qosmonitor or show ports information command. The 802.1p value is mapped to the ingress queue.
Bi-Directional Rate Shaping

Please note that these maximum committed rates vary with the number of active ports on each I/O module. The rates shown in Table 24 are what you can expect when all ports are running traffic. If you are using fewer ports, you will have higher committed rates available for each port. The maximum committed rate is reached when you are running traffic on only one port.

NOTE Keep the sum of the minimum bandwidth values for the applied ingress queues less than 90%.
NOTE You must specify ingress to view ingress rate shaping performance.
9 Status Monitoring and Statistics This chapter describes the following topics: • Status Monitoring on page 125 • Slot Diagnostics on page 126 • Port Statistics on page 126 • Port Errors on page 127 • Port Monitoring Display Keys on page 128 • System Temperature on page 128 • System Health Checking on page 129 • Setting the System Recovery Level on page 131 • Event Management System/Logging on page 131 • Using sFlow on page 143 Viewing statistics on a regular basis allows you to see how well your network
Status Monitoring and Statistics Slot Diagnostics The BlackDiamond switch provides a facility for running normal or extended diagnostics on an Input/Output (I/O) module or a Management Switch Fabric Module (MSM) without affecting the operation of the rest of the system. If you run the diagnostic routine on an I/O module, that module is taken offline while the diagnostic test is performed. Traffic to and from the ports on that I/O module is temporarily unavailable.
Port Errors • Transmitted Byte Count (Tx Byte Count)—The total number of data bytes successfully transmitted by the port. • Received Packet Count (Rx Pkt Count)—The total number of good packets that have been received by the port. • Received Byte Count (RX Byte Count)—The total number of bytes that were received by the port, including bad or lost frames. This number includes bytes contained in the Frame Check Sequence (FCS), but excludes bytes in the preamble.
• Receive Fragmented Frames (RX Frag)—The total number of frames received by the port that were of incorrect length and contained a bad FCS value.
• Receive Jabber Frames (RX Jab)—The total number of frames received by the port that were greater than the supported maximum length and had a Cyclic Redundancy Check (CRC) error.
• Receive Alignment Errors (RX Align)—The total number of frames received by the port with a CRC error and not containing an integral number of octets.
System Health Checking

[sample show temperature output: one row each for Slot-7 (G60X), Slot-8, MSM-A (MSM-1XL), MSM-B (MSM-1XL), PSUCTRL-1 and PSUCTRL-2, giving card type, temperature and status; the populated rows read 34.31, 31.37, 29.75 and 29.00, all Normal]
Temp Range: -10.00 (Min), 0.00-50.00 (Normal), 60.00 (Max)

To view the current temperature and status of the power supplies, use the following command:

show power {} {detail}

The following sample output displays the temperature information:

PowerSupply 1 information:
...
Temperature: 30.1 deg C
...
Status Monitoring and Statistics • Polling is always enabled on the system and occurs every 60 seconds by default. The system health checker polls and tracks the ASIC counters that collect correctable and uncorrectable packet memory errors, check sum errors, and parity errors on a per ASIC basis. By reading and processing the registers, the system health check detects and associates faults to specific system ASICs. • Backplane diagnostic packets are disabled by default.
Setting the System Recovery Level 1 Enable backplane diagnostic packets on slot 3 using the following command: enable sys-health-check slot 3 When you enable backplane diagnostic packets on slot 3, the polling timer changes from its current default value of 60 seconds to 6 seconds; 6 seconds is the default for sending backplane diagnostic packets.
Status Monitoring and Statistics • Filter events per target, by: — Component, subcomponent, or specific condition (for example, BGP messages, IGMP.Snooping messages, or the IP.Forwarding.SlowPathDrop condition) — Match expression (for example, any messages containing the string “user5”) — Matching parameters (for example, only messages with source IP addresses in the 10.1.2.
Event Management System/Logging NOTE Refer to your UNIX documentation for more information about the syslog host facility. Dual MSM Systems A system with dual MSMs keeps the two MSMs synchronized by executing the same commands on both. However, the full data between the EMS servers is not synchronized. The reason for this design decision is to make sure that the control channel will not be overloaded when a high number of log messages are generated.
Status Monitoring and Statistics Severity Messages are issued with one of the severity levels specified by the standard Berkeley Software Distribution (BSD) syslog values (RFC 3164)—critical, error, warning, notice, and info—plus three severity levels for extended debugging—debug-summary, debug-verbose, and debug-data. Note that RFC 3164 syslog values emergency and alert are not needed because critical is the most severe event in the system.
Event Management System/Logging When you specify a severity level as you associate a filter with a target, you further restrict the messages reaching that target. The filter may allow only certain categories of messages to pass. Only the messages that pass the filter and then pass the specified severity level reach the target. Finally, you can specify the severity levels of messages that reach the target by associating a filter with a target. The filter can specify exactly which message it will pass.
Component  Subcomponent  Condition  Severity       Parameters
STP        InBPDU        Trace      Debug-Verbose  2 total
STP        InBPDU        Ign        Debug-Summary  2 total
STP        InBPDU        Mismatch   Warning        2 total

The display above lists the five conditions contained in the STP.InBPDU component, the severity of the condition, and the number of parameters in the event message. In this example, the severities of the events in the STP.InBPDU subcomponent range from error to debug-summary.
For example, if you create the filter myFilter from scratch, then issue the following command to include events:

configure log filter myFilter add events stp

All STP component events of at least the default threshold severity pass myFilter (for the STP component, the default severity threshold is error). You can further modify this filter by specifying additional conditions.
Status Monitoring and Statistics including events from the STP.InBPDU component, one excluding the event STP.CreatPortMsgFail, and the next including the remaining events from the STP component. The severity value is shown as “*”, indicating that the component’s default severity threshold controls which messages are passed. The Parameter(s) heading is empty for this filter because no match is configured for this filter. Matches are described in “Matching Expressions” next.
Event Management System/Logging Matching Parameters Rather than using a text match, EMS allows you to filter more efficiently based on the parameter values of the message. In addition to event components and conditions and severity levels, each filter item can also use parameter values to further limit which messages are passed or blocked.
Status Monitoring and Statistics Formatting Event Messages Event messages are made up of a number of items. The individual items can be formatted; however, EMS does not allow you to vary the order of the items. To format the messages for a particular target, use the following command: configure log target [console | memory-buffer | nvram | session | syslog [all | [local0 ...
Event Management System/Logging Displaying Event Logs The log stored in the memory buffer and the NVRAM can be displayed on the current session (either the console display or telnet).
Status Monitoring and Statistics further processing. Both counters reflect totals accumulated since reboot or since the counters were cleared using the clear log counters or clear counters command. The show log counters command also displays an included count (the column titled In in the output). The included count is the number of enabled targets receiving notifications of this event without regard to matching parameters.
Using sFlow

sFlow® is a technology for monitoring traffic in data networks containing switches and routers. It relies on statistical sampling of packets from high-speed networks, plus periodic gathering of the statistics. A User Datagram Protocol (UDP) datagram format is defined to send the information to an external entity for analysis. sFlow consists of a Management Information Base (MIB) and a specification of the packet format for forwarding information to a remote agent.
Status Monitoring and Statistics Configuring the Local Agent The local agent is responsible for collecting the data from the samplers and sending that data to the remote collector as a series of UDP datagrams. By default, the agent uses the management port IP address as the source IP address for these datagrams.
Using sFlow Additional sFlow Configuration Options There are three global options that you can configure to different values from the defaults. These affect how frequently the sFlow data is sent to the remote collector, how frequently packets are sampled, and the maximum number of sFlow samples sent to the CPU per second. You can also configure how frequently packets are sampled per port. Polling Interval. Each sFlow counter is periodically polled to gather the statistics to send to the collector.
Displaying sFlow Information

To display the current configuration of sFlow, use the following command:

show sflow {configuration}

To display the sFlow statistics, use the following command:

show sflow statistics
10 Security This chapter describes the following topics: • Security Overview on page 147 • Network Access Security on page 147 • IP Access Control Lists on page 147 • Switch Protection on page 157 • Management Access Security on page 167 • Authenticating Users Using RADIUS or TACACS+ on page 167 • Secure Shell 2 on page 170 Security Overview Extreme Networks products incorporate a number of features designed to enhance the security of your network.
ACLs are typically applied to traffic that crosses Layer 3 router boundaries, but it is possible to use access lists within a Layer 2 virtual LAN (VLAN). ACLs in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in ExtremeWare. For example, if you deny all the traffic to a port, no traffic, including control packets such as OSPF or RIP, will reach the switch and the adjacency will be dropped. You must explicitly allow those types of packets (if desired).
IP Access Control Lists When the policy is refreshed, the new policy file is read, processed, and stored in the server database. Any clients that use the policy will also be updated. Use the following command to refresh the policy: refresh policy In the case of ACLs, during the time that an ACL policy is refreshed, packets on the interface are blackholed. This is to protect the switch during the short time that the policy is being applied.
Security • If the packet does not match all the match conditions, the next rule entry in the ACL is evaluated. • This process continues until either the packet matches all the match conditions in one of the subsequent rule entries or there are no more entries. • If a packet passes through all the rule entries in the ACL without matching any of them, it is permitted. Often an ACL will have a rule entry at the end of the ACL with no match conditions.
Table 28: ACL match conditions (continued)

Match Conditions        Description                                                                                                                         Applicable IP Protocols
first-fragments         Non-IP fragmented packet or first fragmented packet. FO==0.                                                                         All IP
Source-port { | }       TCP or UDP source port. In place of the numeric value, you can specify one of the text synonyms listed under destination port.     TCP, UDP
Destination-port { | }  TCP or UDP destination port.
Table 28: ACL match conditions (continued)

Match Conditions  Description
ICMP-code         ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify the icmp-type along with the icmp-code.
ACL Evaluation Precedence

This section discusses the precedence for evaluation among ACL rules.

Precedence within an ACL. An ACL is a policy file that contains one or more rules. In ExtremeWare XOS, each rule can be one of the following types:
• L2 rule—a rule containing only Layer 2 (L2) matching conditions, such as Ethernet MAC address and Ethernet type.
• L3 rule—a rule containing only Layer 3 (L3) matching conditions, such as source or destination IP address and protocol.
Security Policy file syntax checker. The fragments keyword cannot be used in a rule with L4 information. The syntax checker will reject such policy files. Packet processing flow. With no keyword specified, processing proceeds as follows: • An L3-only rule that does not contain either the fragments or first-fragments keyword matches any IP packets. • An L4 rule that does not contain either the fragments or first-fragments keyword matches non-fragmented or initial-fragment packets.
The following example denies ICMP echo request packets from the 10.203.134.0/24 subnet, and increments the counter icmpcnt:

entry icmp {
    if {
        source-address 10.203.134.
Security Displaying and Clearing ACL Counters To display the ACL counters, use the following command: show access-list counter {} [any | ports | vlan ] {ingress} To clear the access list counters, use the following command: clear access-list counter {} [any | ports | vlan ] {ingress} DHCP Server Dynamic Host Configuration Protocol (DHCP) support was introduced into ExtremeWare XOS in release 11.0.
Switch Protection

You can clear selected entries, or all entries, from the DHCP address allocation table. You would use this command to troubleshoot IP address allocation on the VLAN.
Security The following sections apply to creating and using policies: • Creating Policies on page 158 • Policy File Syntax on page 158 • Policy Examples on page 163 • Using Policies on page 166 • Refreshing Policies on page 166 Creating Policies Prior to release 11.0, all policies were created by writing a text file on a separate machine and then downloading that file to the switch. Once on the switch, the file was then loaded into a policy database to be applied where configured. With release 11.
        nlri 10.203.134.0/24;
        nlri 10.204.134.0/24;
    } then {
        next-hop 192.168.174.92;
        origin egp;
    }
}

Policy entries are evaluated in order, from the beginning of the file to the end, as follows:
• If a match occurs, the action in the then statement is taken:
  — if the action contains an explicit permit or deny, the evaluation process terminates.
  — if the action does not contain an explicit permit or deny, then the action is an implicit permit, and the evaluation process terminates.
Table 30: Policy match conditions (continued)
Match Condition | Description
nlri [ | any]/ {exact}; nlri [ | any] mask {exact}; | Where and are in dotted decimal format, is an integer in the range [0 - 32], and keyword any matches any IP address with a given (or larger) mask/mask-length.
origin [igp | egp | incomplete]; | Where igp, egp and incomplete are the Border Gateway Protocol (BGP) route origin values.
Table 32: Policy regular expression examples
Attribute | Regular Expression Example | Matches
AS path is 1234 | "1234" | 1234
Zero or more occurrences of AS number 1234 | "1234*" | 1234 1234 1234
Start of AS path set | "10 12 { 34" | 10 12 34 { 99 33 10 12 { 34 37
End of AS path set | "12 } 34" | 12 } 34 56
Path that starts with 99 followed by 34 | "^99 34 " | 99 34 45
Path that ends with 99 | "99 $" | 45 66 99
Path of any length that | "4 5 6 .
Policy action statements. Table 33 lists the possible action statements. These are the actions taken when the policy match conditions are met in a policy entry.

Table 33: Policy actions
Action | Description
as-path " { …. }"; | Prepends the entire list of as-numbers to the as-path of the route.
community [no-advertise | no-export | no-export-subconfed | { ….
Policy Examples

The following sections contain examples of policies. The examples are:
• Translating an access profile to a policy on page 163
• Translating a route map to a policy on page 164

Translating an access profile to a policy. You may be more familiar with using access profiles on other Extreme Networks switches. This example shows the policy equivalent to an ExtremeWare access profile.
        }
    }
    entry entry-25 {
        if {
            nlri 22.44.66.0/23 exact;
        } then {
            deny;
        }
    }
The policy above can be optimized by combining some of the if statements into a single expression. The compact form of the policy will look like this:
    entry permit_entry {
        if match any {
            nlri 22.16.0.0/14;
            nlri 192.168.0.0/18 exact;
            nlri 10.10.0.0/18;
        } then {
            permit;
        }
    }
    entry deny_entry {
        if match any {
            nlri any/8;
            nlri 22.44.66.0/23 exact;
        } then {
            deny;
        }
    }

Translating a route map to a policy.
    set weight 2
    Entry : 50
    Action : permit
    match origin incomplete
    match community 19661200
    set dampening half-life 20 reuse-limit 1000 suppress-limit 3000 max-suppress 40
    Entry : 60
    Action : permit
    match next-hop 192.168.1.5
    set community add 949616660
Here is the equivalent policy:
    entry entry-10 {
        if {
            origin incomplete;
        } then {
            permit;
        }
    }
    entry entry-20 {
        if {
            community 6553800;
        } then {
            deny;
        }
    }
    entry entry-30 {
        if {
            med 30;
        } then {
            next-hop 10.201.23.
        if {
            origin incomplete;
            community 19661200;
        } then {
            dampening half-life 20 reuse-limit 1000 suppress-limit 3000 max-suppress 40;
            permit;
        }
    }
    entry entry-60 {
        if {
            next-hop 192.168.1.5;
        } then {
            community add 949616660;
            permit;
        }
    }
    entry deny_rest {
        if {
        } then {
            deny;
        }
    }

Using Policies

After the policy file has been transferred to the switch, the file can be checked to see if it is syntactically correct.
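Added example, written for this page and not ExtremeWare XOS code: a first-match evaluator for the nlri subset of the policy syntax, run against the compact permit_entry/deny_entry policy shown earlier. It implements the evaluation order the chapter states (entries are tried from the top; an explicit permit or deny terminates; a then block with neither is an implicit permit). The page does not state the following, so they are assumptions: a specific prefix without exact matches routes that fall inside it with the given or a longer mask length (the rule the page gives for any), conditions inside a plain if block must all match unless match any is given, an empty if block matches every route (as deny_rest does), and a route that matches no entry yields no action. The entry set_nh is constructed to exercise the implicit permit; actions other than permit and deny are parsed past and ignored.

```python
"""Added example (not ExtremeWare XOS code): first-match evaluation of the
nlri-only subset of the policy syntax.  Marked assumptions are not from the page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Nlri:
    prefix: Optional[ipaddress.IPv4Network]   # None stands for the keyword "any"
    mask_len: int
    exact: bool = False

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # "exact": the route must carry exactly this prefix and mask length.
        if self.exact:
            return (route.prefixlen == self.mask_len if self.prefix is None
                    else route == self.prefix)
        # Non-exact: "any" matches the given or a larger mask length (page);
        # ASSUMED here for a specific prefix too, plus the route must fall inside it.
        if route.prefixlen < self.mask_len:
            return False
        return True if self.prefix is None else route.subnet_of(self.prefix)


@dataclass
class Entry:
    name: str
    conditions: List[Nlri]
    action: Optional[str]        # "permit", "deny" or None (implicit permit)
    match_any: bool = False      # ASSUMED default: every condition must match

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not self.conditions:  # ASSUMED: an empty "if { }" matches every route (deny_rest)
            return True
        hits = [c.matches(route) for c in self.conditions]
        return any(hits) if self.match_any else all(hits)


def parse_nlri(spec: str, exact: bool) -> Nlri:
    addr, length = spec.split("/")
    if addr == "any":
        return Nlri(None, int(length), exact)
    return Nlri(ipaddress.ip_network(spec, strict=False), int(length), exact)


def parse_policy(text: str) -> List[Entry]:
    """Minimal parser: entry NAME { if [match any|all] { nlri A/B [exact]; ... } then { ... } }"""
    toks = text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split()
    entries, i = [], 0
    while i < len(toks):
        if toks[i] != "entry":
            raise ValueError(f"expected 'entry' at token {i}, got {toks[i]!r}")
        name, i = toks[i + 1], i + 3                 # entry NAME {
        if toks[i].lower() != "if":
            raise ValueError(f"entry {name}: expected 'if'")
        i += 1
        match_any = False
        if toks[i] == "match":                       # optional "match any" / "match all"
            match_any = toks[i + 1] == "any"
            i += 2
        i += 1                                       # opening brace of the if block
        conds: List[Nlri] = []
        while toks[i] != "}":
            if toks[i] != "nlri":
                raise ValueError(f"entry {name}: only nlri conditions are supported here")
            spec, i = toks[i + 1], i + 2
            exact = toks[i] == "exact"
            if exact:
                i += 1
            i += 1                                   # the ';'
            conds.append(parse_nlri(spec, exact))
        i += 1                                       # closing brace of the if block
        if toks[i] != "then":
            raise ValueError(f"entry {name}: expected 'then'")
        i += 2                                       # then {
        action = None
        while toks[i] != "}":                        # next-hop, origin, ... are skipped
            if toks[i] in ("permit", "deny"):
                action = toks[i]
            i += 1
        i += 2                                       # closing braces of then block and entry
        entries.append(Entry(name, conds, action, match_any))
    return entries


def evaluate(policy: List[Entry], route_str: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (entry name, effective action) of the first matching entry, else (None, None)."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in policy:
        if entry.matches(route):
            return entry.name, entry.action or "permit"   # no permit/deny: implicit permit
    return None, None                                     # ASSUMED: no entry matched, no action


# The compact policy from the page plus a constructed entry (set_nh) whose then
# block carries only a next-hop, so the implicit-permit rule applies to it.
POLICY_TEXT = """
entry set_nh { if { nlri 10.203.134.0/24; } then { next-hop 192.168.174.92; } }
entry permit_entry { if match any { nlri 22.16.0.0/14; nlri 192.168.0.0/18 exact; nlri 10.10.0.0/18; } then { permit; } }
entry deny_entry { if match any { nlri any/8; nlri 22.44.66.0/23 exact; } then { deny; } }
"""
POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for r in ("10.203.134.0/24", "22.16.5.0/24", "192.168.0.0/18", "192.168.0.0/24", "10.0.0.0/7"):
        print(r, evaluate(POLICY, r))
```

The last route, 10.0.0.0/7, shows why the mask-length part of nlri any/8 matters: a /7 is shorter than /8, so deny_entry does not catch it and the route falls off the end of the policy, which is the case the deny_rest entry in the route-map translation above exists to cover.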
When the policy is refreshed, the new policy file is read, processed, and stored in the server database. Any clients that use the policy will also be updated. Use the following command to refresh the policy:
    refresh policy

Management Access Security

Management access security features control access to the management functions available on the switch. These features help ensure that any configuration changes to the switch can be done only by authorized users.
Configuring the Shared Secret Password

In addition to specifying the RADIUS server IP information, RADIUS also provides a means to verify communication between network devices and the server. The shared secret is a password configured on both the network device and the RADIUS server, used by each to verify communication.
Authenticating Users Using RADIUS or TACACS+

Per Command Authentication Using RADIUS

You can use the RADIUS implementation to perform per command authentication. Per command authentication allows you to define several levels of user capabilities by controlling the permitted command sets based on the RADIUS user name and password. You do not need to configure any additional switch parameters to take advantage of this capability.
NOTE
You cannot use RADIUS and TACACS+ at the same time.

You can configure two TACACS+ servers, specifying the primary server address, secondary server address, and TCP port number to be used for TACACS+ sessions.

Secure Shell 2

Secure Shell 2 (SSH2) is a feature of ExtremeWare XOS that allows you to encrypt Telnet session data between a network administrator using SSH2 client software and the switch, or to send encrypted data from the switch to an SSH2 client on a remote system.
The key generation process generates the SSH2 private host key. The SSH2 public host key is derived from the private host key and is automatically transmitted to the SSH2 client at the beginning of an SSH2 session. To enable SSH2, use the following command:
    enable ssh2 {port } {vr [ | all | default]}
You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22.
Part 2 Using Switching and Routing Protocols
11 Ethernet Automatic Protection Switching

This chapter covers the following topics:
• Overview of the EAPS Protocol on page 175
• Fault Detection and Recovery on page 178
• Multiple EAPS Domains on page 180
• Configuring EAPS on a Switch on page 182
• Configuring EAPS with STP on page 190

Overview of the EAPS Protocol

The Ethernet Automatic Protection Switching (EAPS™) protocol provides fast protection switching to Layer 2 switches interconnected in an Ethernet ring topology, such as a Metropolitan Area
Ethernet Automatic Protection Switching

Figure 10: Gigabit Ethernet fiber EAPS MAN ring (diagram not reproduced; labels: four transit nodes and one master node on the ring)

One port of the master node is designated the master node's primary port (P) to the ring; another port is designated as the master node's secondary port (S) to the ring.
Figure 11: EAPS operation (diagram not reproduced; labels: S1 to S6, master node with primary port P and secondary port S, direction of health-check message, secondary port is logically blocked)

If the ring is complete, the master node logically blocks all data traffic in the transmit and receive directions on the secondary port to prevent a loop. If the master node detects a break in the ring, it unblocks its secondary port and allows data traffic to be transmitted and received through it.
Table 34: EAPS terms (continued)
Term | Description
primary port | A port on the master node that is designated the primary port to the ring. The transit node ignores the primary port distinction as long as the node is configured as a transit node.
secondary port | A port on the master node that is designated the secondary port to the ring. The transit node ignores the secondary port distinction as long as the node is configured as a transit node.
Fault Detection and Recovery

Figure 12: EAPS fault detection and protection switching (diagram not reproduced; labels: break in ring; S4 sends "link down" message to master node; S3 sends "link down" message to master node; master node opens secondary port to allow traffic to pass; S1 to S6, P, S)

Ring Port Down Event Sent by Hardware Layer

When a ring port goes down on a master node switch, it is notified by the lower hardware layer and immediately goes into a "failed" state.
When the broken link is restored, the master receives its health check packet back on its secondary port and once again declares the ring to be complete. Again, the master node logically:
• Blocks the protected VLANs on its secondary port.
• Flushes its FDB.
• Sends a "flush FDB" message to its associated transit nodes.
Multiple EAPS Domains

Figure 13: EAPS data VLAN spanning two rings interconnected by one switch (diagram not reproduced; labels: S1 to S9, Ring 1, Ring 2, two master nodes, primary (P) and secondary (S) ports)

Multiple EAPS Domains per Ring—Spatial Reuse

To take advantage of the spatial reuse technology and broaden the use of the ring's bandwidth, EAPS supports multiple EAPS domains running on the ring at the same time (Figure 14).
Figure 15: Multiple EAPS domains sharing common link (diagram not reproduced; labels: S5 (STP root), S1 to S10, LHS ring, RHS ring, two master nodes, primary (P) and secondary (S) ports, ports numbered 1 to 5)

You add the VLANs carrying the STP BPDUs to the EAPS master node as a protected VLAN. When everything is normal and the common link is up, the STP BPDUs are blocked by the EAPS master nodes. The STP domains on both the core switches have their ports in the forwarding state.
Configuring EAPS on a Switch

10 Enable EAPS for the entire switch.
11 If desired, enable Fast Convergence*.
12 Enable EAPS for the specified domain.
Although you can enable EAPS prior to configuring these steps, the EAPS domain(s) will not run until you configure these parameters. (The steps with * can be configured at any time, even after the EAPS domains are running.)

Creating and Deleting an EAPS Domain

Each EAPS domain is identified by a unique domain name.
The following command example identifies this switch as a transit node for the EAPS domain named eaps_1.
The following command examples configure the hellotime value for the EAPS domain "eaps_1" to 2 seconds, the failtimer value to 15 seconds, and the failtimer expiry-action to open the secondary port if the failtimer expires:
    configure eaps eaps_1 hellotime 2
    configure eaps eaps_1 failtime 15
    configure eaps eaps_1 failtimer expiry-action open-secondary-port

Configuring the Primary and Secondary Ports

Each node on the ring connects to the ring through two ring ports.
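Added example, constructed for this page and not Extreme Networks code: a simulation of the EAPS master-node behaviour described in this chapter. The secondary port is blocked while the ring is complete; a ring-port-down notification from the hardware layer or a transit node's "link down" message puts the master into the failed state and opens the secondary port (with the FDB flush and the "flush FDB" message); the health-check packet arriving back on the secondary port declares the ring complete again; and the fail timer fires when no health check has returned for failtime seconds, taking the configured expiry-action. Defaults follow the show eaps output later in this chapter (hello timer 1 sec, fail timer 3 sec, expiry action Send alert). Assumed, because the page does not say: send-alert reports once and leaves the port state unchanged, and the clock advances in whole seconds with one health check per hellotime. The transit node name S4 is constructed.

```python
"""Added example (not Extreme Networks code): EAPS master node simulation.
Defaults follow the show eaps output on this page; send-alert handling is ASSUMED."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EapsMaster:
    hellotime: int = 1                 # seconds between health-check messages sent on the primary port
    failtime: int = 3                  # fail timer interval
    expiry_action: str = "send-alert"  # or "open-secondary-port"
    state: str = "complete"            # "complete" or "failed"
    secondary_blocked: bool = True     # data traffic on the secondary port is blocked while complete
    last_health_check: int = 0         # time at which the health check last returned on the secondary port
    alert_sent: bool = False
    log: List[str] = field(default_factory=list)

    def _open_ring(self, now: int, reason: str) -> None:
        """A break was detected: unblock the secondary port, flush the FDB, notify transit nodes."""
        self.state, self.secondary_blocked = "failed", False
        self.log.append(f"t={now} {reason}: state=failed, secondary unblocked, "
                        "FDB flushed, flush-FDB sent to transit nodes")

    def ring_port_down(self, now: int) -> None:
        """The hardware layer reports one of the master's own ring ports down."""
        if self.state != "failed":
            self._open_ring(now, "ring port down")

    def link_down_message(self, now: int, node: str) -> None:
        """A transit node reports that one of its ring links went down."""
        if self.state != "failed":
            self._open_ring(now, f"link-down from {node}")

    def health_check_returned(self, now: int) -> None:
        """The master's health-check packet arrived back on its secondary port."""
        self.last_health_check = now
        self.alert_sent = False
        if self.state == "failed":          # the break is repaired: block the secondary port again
            self.state, self.secondary_blocked = "complete", True
            self.log.append(f"t={now} health check returned: state=complete, secondary blocked, "
                            "FDB flushed, flush-FDB sent to transit nodes")

    def tick(self, now: int) -> None:
        """Run once per hellotime: expire the fail timer when no health check has returned."""
        if self.state != "complete" or now - self.last_health_check < self.failtime:
            return
        if self.expiry_action == "open-secondary-port":
            self._open_ring(now, "failtimer expired")
        elif not self.alert_sent:           # ASSUMED: alert once, leave the secondary port blocked
            self.alert_sent = True
            self.log.append(f"t={now} failtimer expired: alert sent, secondary port still blocked")


def simulate(master: EapsMaster, break_at: int, restore_at: int, end: int,
             transit_reports_break: bool) -> Tuple[str, bool, List[str]]:
    """Run the ring for `end` seconds: intact until break_at, broken until restore_at.
    With transit_reports_break the (constructed) transit node S4 sends a link-down
    message at the moment of the break; otherwise only the fail timer can notice it."""
    for now in range(0, end + 1, master.hellotime):
        ring_up = now < break_at or now >= restore_at
        if ring_up:
            master.health_check_returned(now)
        elif now == break_at and transit_reports_break:
            master.link_down_message(now, "S4")
        master.tick(now)
    return master.state, master.secondary_blocked, master.log


if __name__ == "__main__":
    for action, reports in (("open-secondary-port", False), ("send-alert", True), ("send-alert", False)):
        state, blocked, log = simulate(EapsMaster(expiry_action=action), 5, 10, 12, reports)
        print(action, "transit reports" if reports else "timer only", state, blocked)
        print("\n".join("  " + line for line in log))
```

The three runs contrast the two detection paths: a link-down message opens the secondary port at the moment of the break, whereas the fail timer alone reacts only failtime seconds later, and with the default send-alert action it never opens the port at all. With the chapter's failtime of 15 seconds, a break shorter than that is absorbed without any state change.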
messages reach their intended destinations. For example, if the control VLAN is not assigned the highest priority and a broadcast storm occurs in the network, the control VLAN messages might be dropped at intermediate points. Assigning the control VLAN the highest priority prevents dropped control VLAN messages.
To disable a specific EAPS domain, use the following command:
    disable eaps {}

Enabling and Disabling EAPS on the Switch

To enable the EAPS function for the entire switch, use the following command:
    enable eaps
To disable the EAPS function for the entire switch, use the following command:
    disable eaps

Unconfiguring an EAPS Ring Port

Unconfiguring an EAPS port sets its internal configuration state to INVALID, which causes the port to appear in the Idle state with a port
    Hello timer interval:      1 sec
    Fail timer interval:       3 sec
    Fail Timer expiry action:  Send alert
    Last update:               From Master Id 00:01:30:f9:9c:b0, at Wed Jun
    EAPS Domain has following Controller Vlan:
      Vlan Name    VID
      c1           1000
    EAPS Domain has following Protected Vlan(s):
      Vlan Name    VID
      p_1          1
      p_2          2
      p_3          3
      p_4          4
      p_5          5
      p_6          6
      p_7          7
      p_8          8
      p_9          9
      p_10         10
      p_11         11
      p_12         12
      p_13         13
      p_14         14
      p_15         15
      p_16         16
      p_17         17
      p_18         18
      p_19         19
      p_20         20
      p_21         21
      p_22         22
      p_23         23
      p_24         24
      p_25         25
      p_26         26
      p_27         27
Table 35: show eaps display fields
Field | Description
EAPS Enabled | Current state of EAPS on this switch: Yes—EAPS is enabled on the switch; No—EAPS is not enabled.
EAPS Fast Convergence | Displays only when Fast Convergence is on.
Number of EAPS instances | Number of EAPS domains created. The maximum number of EAPS domains per switch is 128.
Name | The configured name for this EAPS domain.
Table 35: show eaps display fields (continued)
Field | Description
Port status | Indicates port status as one of the following states: Unknown—This EAPS domain is not running, so the port status has not yet been determined; Up—The port is up and is forwarding data; Down—The port is down; Blocked—The port is up, but data is blocked from being forwarded.
Tag status |
Configuring EAPS with STP

NOTE
Choose EMISTP encapsulation with a tagged STP Carrier VLAN and 802.1D encapsulation with an untagged STP Carrier VLAN.

In this documentation, the VLAN carrying the STP BPDUs is named the STP Carrier VLAN. (Refer to Chapter 12 for more information on STP.)

EAPS with STP Guidelines

Figure 16 shows multiple EAPS domains sharing a common link. This figure illustrates two EAPS domains with S5 and S10 as common links. You must use STP in this configuration to prevent looping.
Configuring EAPS with STP in EMISTP Encapsulation Mode

This section discusses how to configure STP with EMISTP encapsulation in this situation. You use the EMISTP encapsulation mode when you are running a tagged STP Carrier VLAN.
6 Configure the STPD and add all protected VLANs to the STPD using the following command:
    configure stpd add vlan ports all
7 Enable the STPD using the following command:
    enable stpd

Configuring EAPS Master Node with STP Disabled

You add the STP Carrier VLAN you created to the EAPS Domain only on the EAPS master node, as a protected VLAN. Use the following command:
    configure eaps add protect vlan

Configuring EAPS with STP in 802.
3 Configure STP Forward Delay to 4 seconds using the following command:
    configure stpd forwarddelay 4
4 Configure STP MaxAge Time to 11 seconds using the following command:
    configure stpd maxage 11
5 Configure the STPD and add each protected VLAN to the STPD using the following command:
    configure stpd add vlan ports all
6 Enable STP using the following command:
    enable stpd

Configuring EAPS Master Node with STP
12 Spanning Tree Protocol

This chapter covers the following topics:
• Overview of the Spanning Tree Protocol on page 195
• Spanning Tree Domains on page 197
• STP Configurations on page 203
• Per VLAN Spanning Tree on page 209
• Rapid Spanning Tree Protocol on page 209
• STP Rules and Restrictions on page 220
• Configuring STP on the Switch on page 220
• Displaying STP Settings on page 225

Using the Spanning Tree Protocol (STP) functionality of the switch makes your network more fault tolerant.
Spanning Tree Protocol

Table 36 describes the terms associated with the Extreme Networks implementation of STP.

Table 36: STP terms
Term | Description
Autobind | If enabled, autobind automatically adds or removes ports from the Spanning Tree Domain (STPD). If ports are added to the carrier VLAN, the member ports of the VLAN are automatically added to the STPD. If ports are removed from the carrier VLAN, those ports are also removed from the STPD.
Table 36: STP terms (continued)
Term | Description
STPD mode | The mode of operation for the STPD. The two modes of operation are: 802.1D—Compatible with legacy STP and other devices using the IEEE 802.1D standard; 802.1W—Compatible with Rapid Spanning Tree (RSTP). For more information about how to configure STPD modes, see "STPD Modes" on page 198.

Spanning Tree Domains

The switch can be partitioned into multiple virtual bridges.
The StpdID must be identical to the VLANid of the carrier VLAN in that STPD. See the section "Specifying the Carrier VLAN" on page 198, for an example.

Protected VLAN

Protected VLANs are all other VLANs that are members of the STPD. These VLANs "piggyback" on the carrier VLAN. Protected VLANs do not transmit or receive STP BPDUs, but they are affected by STP state changes and inherit the state of the carrier VLAN.
By default, the:
• STPD operates in 802.1D mode.
• Default device configuration contains a single STPD called s0.
• Default VLAN is a member of STPD s0 with autobind enabled.
To configure the mode of operation of an STPD, use the following command:
    configure stpd mode [dot1d | dot1w]
All STP parameters default to the IEEE 802.1D values, as appropriate.

Encapsulation Modes

You can configure ports within an STPD to accept specific BPDU encapsulations.
STPD Identifier

An StpdID is used to identify each STP domain. You assign the StpdID when configuring the domain, and the carrier VLAN of that STPD cannot belong to another STPD. An StpdID must be identical to the VLANid of the carrier VLAN in that STP domain.

NOTE
If an STPD contains at least one port not in 802.1D mode, you must configure the STPD with an StpdID.
The first command adds all ports or a list of ports within the specified VLAN to an STPD provided the carrier VLAN already exists on the same set of ports. The second command adds all ports or a list of ports to the specified VLAN and STPD at the same time. If the ports are added to the VLAN but not to the STPD, the ports remain in the VLAN. If the specified VLAN is not the carrier VLAN and the specified ports are not bound to the carrier VLAN, the system displays an error message.
• Protected VLAN named v2
• v2 contains ports 3:1-3:4
Since v1 contains ports 3:1-3:2, v2 is aware only of the STP changes for ports 3:1 and 3:2, respectively. Ports 3:3 and 3:4 are not part of the STPD, which is why v2 is not aware of any STP changes for those ports. In addition, enabling autobind on a protected VLAN causes ports to be automatically added or removed as the carrier VLAN changes.
STP Configurations

To support hitless failover, the primary MSM replicates STP BPDUs to the backup, which allows the MSMs to run STP in parallel. Although both MSMs receive STP BPDUs, only the primary transmits STP BPDUs to neighboring switches and participates in STP. To initiate hitless failover on a network that utilizes STP:
1 Confirm that the MSMs are synchronized and have identical software and switch configurations using the show switch {detail} command.
• Manufacturing is a protected VLAN on STPD2.
• Engineering is the carrier VLAN on STPD2.
• Marketing is a member of both STPD1 and STPD2 and is a protected VLAN.
Figure 18: Incorrect tag-based STPD configuration (diagram not reproduced; labels: Switch 1 with Marketing & Sales; Switch 2 with Sales & Engineering; Switch 3 with Marketing, Sales & Engineering)

The tag-based network in Figure 18 has the following configuration:
• Switch 1 contains VLAN Marketing and VLAN Sales.
• Switch 2 contains VLAN Engineering and VLAN Sales.
• Switch 3 contains VLAN Marketing, VLAN Engineering, and VLAN Sales.
Multiple STPDs on a Port

Traditional 802.1D STP has some inherent limitations when addressing networks that have multiple VLANs and multiple STPDs. For example, consider the sample depicted in Figure 19.

Figure 19: Limitations of traditional STPD (diagram not reproduced; labels: switches S1 and S2, VLANs A and B on each, two parallel links)

The two switches are connected by a pair of parallel links. Both switches run two VLANs, A and B.
Alternatively, the same VLAN may span multiple large geographical areas (because they belong to the same enterprise) and may traverse a great many nodes. In this case, it is desirable to have multiple STP domains operating in a single VLAN, one for each looped area. The justifications include the following:
• The complexity of the STP algorithm increases, and performance drops, with the size and complexity of the network. The 802.
Figure 21: VLANs traverse domains inside switches (diagram not reproduced; S1 and S2 shown in a Correct and a Wrong arrangement)

• The VLAN partition feature is deployed under the premise that the overall interdomain topology for that VLAN is loop-free. Consider the case in Figure 22, VLAN red (the only VLAN in the figure) spans STPDs 1, 2, and 3. Inside each domain, STP produces a loop-free topology. However, VLAN red is still looped, because the three domains form a ring among themselves.
Per VLAN Spanning Tree

Switching products that implement Per VLAN Spanning Tree (PVST) have been in existence for many years and are widely deployed. To support STP configurations that use PVST, ExtremeWare XOS has an operational mode called PVST+.

NOTE
In this document, PVST and PVST+ are used interchangeably. PVST+ is an enhanced version of PVST that is interoperable with 802.1Q STP. The following discussions are in regard to PVST+, if not specifically mentioned.
RSTP Terms

Table 37 describes the terms associated with RSTP.

Table 37: RSTP terms
Term | Description
Root port | Provides the shortest path to the root bridge. All bridges except the root bridge contain one root port. For more information about the root port, see "Port Roles" on page 210.
Designated port | Provides the shortest path connection to the root bridge for the attached LAN segment. Each LAN segment has only one designated port.
Table 38: RSTP port roles (continued)
Port Role | Description
Backup | Supports the designated port on the same attached LAN segment. Backup ports exist only when the bridge is connected as a self-loop or to a shared-media segment.

When RSTP stabilizes, all:
• Root ports and designated ports are in the forwarding state.
• Alternate ports and backup ports are in the blocking state.
To change the existing configuration of a port in an STPD, and return the port to factory defaults, use the following command:
    unconfigure stpd ports link-type
To display detailed information about the ports in an STPD, use the following command:
    show stpd ports {[detail | {detail}]}

RSTP Timers

For RSTP to rapidly recover network connectivity, RSTP requires timer expiration.
Table 41: Derived timers (continued)
Timer | Description
Recent root | The timer starts when a port leaves the root port role. When this timer is running, another port cannot become a root port unless the associated port is put into the blocking state. The default value is the same as the forward delay time.

The protocol migration timer is neither user-configurable nor derived; it has a set value of 3 seconds. The timer starts when a port transitions from STP (802.
The following sections provide more information about RSTP behavior.

Root Port Rapid Behavior

In Figure 23, the diagram on the left displays the initial network topology with a single bridge having the following:
• Two ports are connected to a shared LAN segment.
• One port is the designated port.
• One port is the backup port.
The diagram on the right displays a new bridge that:
• Is connected to the LAN segment.
• Has a superior STP bridge priority.
Designated Port Rapid Behavior

When a port becomes a new designated port, or the STP priority changes on an existing designated port, the port becomes an unsynced designated port. In order for an unsynced designated port to rapidly move into the forwarding state, the port must propose a confirmation of its role on the attached LAN segment (unless the port is an edge port). Upon receiving an "agree" message, the port immediately enters the forwarding state.
• All other ports in the network are in the forwarding state.

Figure 24: Initial network configuration (diagram not reproduced; labels: bridges A to F, root path costs A,0 through A,3; legend: designated port, root port, blocked port)

The following steps describe how the network reconverges.
1 If the link between bridge A and bridge F goes down, bridge F detects the root port is down. At this point, bridge F:
  • Immediately disables that port from the STP.
  • Performs a configuration update.
2 Bridge E believes that bridge A is the root bridge. When bridge E receives the BPDU on its root port from bridge F, bridge E:
  • Determines that it received an inferior BPDU.
  • Immediately begins the max age timer on its root port.
  • Performs a configuration update.
As shown in Figure 26, after the configuration update, bridge E:
  • Regards itself as the new root bridge.
  • Sends BPDU messages on both of its designated ports to bridges F and D, respectively.
4 Bridge D believes that bridge A is the root bridge. When bridge D receives the BPDU from bridge E on its alternate port, bridge D:
  • Immediately begins the max age timer on its alternate port.
  • Performs a configuration update.
As shown in Figure 28, after the configuration update, bridge D:
  • Moves the alternate port to a designated port.
  • Sends a "propose" message to bridge E to solicit confirmation of its designated role and to rapidly move the port into the designated state.
6 To complete the topology change (as shown in Figure 30):
  • Bridge D moves the port that received the "agree" message into the forwarding state.
  • Bridge F confirms that its receiving port (the port that received the "propose" message) is the root port, and immediately replies with an "agree" message to bridge E to unblock the proposing port.
STP Rules and Restrictions

This section summarizes the rules and restrictions for configuring STP as follows:
• The carrier VLAN must span all ports of the STPD.
• The StpdID must be the VLANid of the carrier VLAN; the carrier VLAN cannot be partitioned.
• A default VLAN cannot be partitioned. If a VLAN traverses multiple STPDs, the VLAN must be tagged.
• An STPD can carry, at most, one VLAN running in PVST+ mode, and its StpdID must be identical with that VLANid.
Configuring STP on the Switch

The following parameters can be configured on each STPD:
• Hello time
• Forward delay
• Max age
• Bridge priority
• StpdID
The following parameters can be configured on each port:
• Path cost
• Port priority
• Port mode

NOTE
The device supports the RFC 1493 Bridge MIB, RSTP-03, and Extreme Networks STP MIB. Parameters of the s0 default STPD support RFC 1493 and RSTP-03. Parameters of any other STPD support the Extreme Networks STP MIB.
STP Configuration Examples

This section provides three configuration examples:
• Basic 802.1D STP
• EMISTP
• RSTP 802.1W

Basic 802.1D Configuration Example

The following example:
• Removes ports from the VLAN Default that will be added to VLAN Engineering.
• Creates the VLAN Engineering.
• Configures the VLANid.
• Adds ports to the VLAN Engineering.
• Creates an STPD named Backbone_st.
• Configures the default encapsulation mode of dot1d for all ports added to STPD Backbone_st.
EMISTP Configuration Example

Figure 32 is an example of EMISTP.

Figure 32: EMISTP configuration example (diagram not reproduced; labels: S1, S2, S3, S4, VLAN red on several links, VLAN green, VLAN yellow, VLAN brown, VLAN blue)

NOTE
By default, all ports added to a user-defined STPD are in emistp mode, unless otherwise specified.
RSTP 802.1W Configuration Example

Figure 33 is an example of a network with multiple STPDs that can benefit from RSTP. For RSTP to work, you need to do the following:
• Create an STPD.
• Configure the mode of operation for the STPD.
• Create the VLANs and assign the VLANid and the VLAN ports.
• Assign the carrier VLAN.
• Add the protected VLANs to the STPD.
• Configure the port link types.
• Enable STP.
    configure vlan sales add ports 1:1,2:1 tagged
    configure vlan personnel add ports 1:1,2:1 tagged
    configure vlan marketing add ports 1:1,2:1 tagged
    configure stpd stpd1 add vlan sales ports all
    configure stpd stpd1 add vlan personnel ports all
    configure stpd stpd1 add vlan marketing ports all
    configure stpd stpd1 ports link-type point-to-point 1:1,2:1
    configure stpd stpd1 tag 100
    enable stpd stpd1

Displaying STP Settings

To display STP settings, use the following command:
    show stpd {
• Configured port link type
• Operational port link type
If you have a VLAN that spans multiple STPDs, use the show vlan stpd command to display the STP configuration of the ports assigned to that specific VLAN.
13 Extreme Standby Router Protocol

This chapter covers the following topics:
• Overview of ESRP on page 227
• ESRP Concepts on page 230
• Determining the ESRP Master on page 234
• Advanced ESRP Features on page 238
• Displaying ESRP Information on page 244
• ESRP Examples on page 244
• ESRP Cautions on page 248

Overview of ESRP

The Extreme Standby Router Protocol (ESRP) is a feature of ExtremeWare XOS that allows multiple switches to provide redundant routing services to users.
Extreme Standby Router Protocol

Networks that contain switches running ExtremeWare with both ESRP and Extreme Loop Recovery Protocol (ELRP) enabled and switches running ExtremeWare XOS 11.0 with ESRP enabled have been extensively tested. ExtremeWare XOS does not implement ELRP but is compatible with the ELRP mechanisms available in ExtremeWare.

Reasons to Use ESRP

You can use ESRP to achieve edge-level or aggregation-level redundancy.
Table 42: ESRP terms (continued)
Term | Description
master state/switch | The master switch is the device with the highest priority based on the election algorithm. The master is responsible for responding to clients for Layer 3 routing and Layer 2 switching for the ESRP domain. For more information about the master switch, see "Determining the ESRP Master" on page 234.
ESRP Concepts

You configure ESRP on a per domain basis on each switch. A maximum of two switches can participate in providing redundant Layer 3 or Layer 2 services to a single VLAN. If you configure and use ESRP groups, more than two switches can provide redundant Layer 2 or Layer 3 services to a single VLAN. The switches exchange keep-alive packets for each VLAN independently.
To participate in ESRP, the following must be true:
• A VLAN can belong to only one ESRP domain.
• The IP address for the VLANs participating in an ESRP domain must be identical.
• All switches in the ESRP network must use the same election algorithm, otherwise loss of connectivity, broadcast storms, or other unpredictable behavior may occur.
• If you have an untagged master VLAN, you must specify an ESRP domain ID.
standard mode if your network contains both switches running ExtremeWare and switches running ExtremeWare XOS participating in ESRP. Extended mode supports and is compatible with switches running ExtremeWare XOS while participating in ESRP. Use extended mode if your network contains only switches running ExtremeWare XOS.
ESRP Domains

ESRP domains allow you to configure multiple VLANs under the control of a single instance of the ESRP protocol. By grouping multiple VLANs under one ESRP domain, the ESRP protocol can scale to provide protection to large numbers of VLANs. All VLANs within an ESRP domain simultaneously share the same active and standby router and failover router, as long as one port of each member VLAN belongs to the domain master.
control from the primary MSM to the backup MSM and maintains the state of ESRP. The ESRP extended version supports hitless failover. For ESRP support of hitless failover, both ESRP switches and the primary and backup MSMs must be running ExtremeWare XOS 11.0 or later operating in ESRP extended mode.

NOTE
You must run ExtremeWare XOS 11.0 or later for ESRP support of hitless failover.

The ESRP domain on the primary MSM is active and participates in the ESRP protocol.
Determining the ESRP Master

  — Ping—Tracks ICMP ping connectivity to specified devices.
  — Environment (health checks)—Tracks the environment of the switch, including power supply and chassis temperature.
  If any of the configured tracking mechanisms fail, the master ESRP switch relinquishes status as master, and remains in slave mode for as long as the tracking mechanism continues to fail.
• ESRP priority—This is a user-defined field.
Electing the Master Switch

A new master can be elected in one of the following ways:
• A communicated parameter change
• Loss of communication between master and slave(s)
If a parameter that determines the master changes (for example, link loss or priority change), the election of the new master typically occurs within one second. A parameter change triggers a handshake between the routers. As long as both routers agree upon the state transition, new master election is immediate.
Determining the ESRP Master ESRP Election Algorithms You configure the switch to use one of 15 different election algorithms to select the ESRP master. ESRP uses the default election policy for extended mode. If you have an ESRP domain operating in standard mode, the domain ignores the sticky and weight algorithms. To change the election algorithm, you must first disable the ESRP domain and then configure the new election algorithm.
Table 43: ESRP election algorithms (continued)
Election algorithm: sticky > priority > ports > track > mac
Description: Specifies that this ESRP domain should consider election factors in the following order: stickiness, ESRP priority, active ports, tracking information, MAC address.
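The following Python program is an added illustration and is not part of the ExtremeWare XOS guide or software. It models how an ordered election algorithm string such as sticky > priority > ports > track > mac is applied to a set of candidate switches, and how standard mode drops the sticky and weight factors before the comparison. The preference direction assumed for each factor (the current master preferred by stickiness, higher weight, higher priority, more active ports, fewer failed tracked items, higher MAC address) and the sample switch values are assumptions made for this example; the guide names only the factors and their order.

```python
from dataclasses import dataclass


@dataclass
class EsrpCandidate:
    name: str
    mac: str
    priority: int = 0        # user-defined ESRP priority
    active_ports: int = 0
    tracks_failed: int = 0   # tracked VLANs, routes, pings or health checks currently failing
    weight: int = 0
    is_master: bool = False  # current master; only the "sticky" factor looks at this


# Per-factor score; a higher score is preferred. The directions are assumptions
# made for this example, not statements from the guide.
FACTOR_SCORE = {
    "sticky":   lambda c: 1 if c.is_master else 0,
    "weight":   lambda c: c.weight,
    "priority": lambda c: c.priority,
    "ports":    lambda c: c.active_ports,
    "track":    lambda c: -c.tracks_failed,
    "mac":      lambda c: int(c.mac.replace(":", "").replace("-", ""), 16),
}


def parse_algorithm(algorithm, mode="extended"):
    """Turn 'sticky > priority > ports > track > mac' into an ordered factor list.
    A domain in standard mode ignores the sticky and weight factors."""
    factors = [f.strip() for f in algorithm.split(">")]
    unknown = [f for f in factors if f not in FACTOR_SCORE]
    if unknown:
        raise ValueError(f"unknown election factor(s): {unknown}")
    if mode == "standard":
        factors = [f for f in factors if f not in ("sticky", "weight")]
    return factors


def elect_master(candidates, algorithm, mode="extended"):
    """Return the candidate that wins under the given election algorithm.
    Factors are compared in order; the first factor that differs decides."""
    factors = parse_algorithm(algorithm, mode)

    def score(candidate):
        return tuple(FACTOR_SCORE[f](candidate) for f in factors)

    return max(candidates, key=score)


# Constructed sample switches: same priority, A is the current master,
# B has one more active port.
SAMPLE_CANDIDATES = [
    EsrpCandidate("switch-a", "00:04:96:00:00:01", priority=100, active_ports=4, is_master=True),
    EsrpCandidate("switch-b", "00:04:96:00:00:02", priority=100, active_ports=5),
]
```

With the sample values, extended mode keeps switch-a as master because stickiness is evaluated first, while the same algorithm in standard mode elects switch-b on its higher active-port count; this is the behaviour change to expect when a domain is switched between the two modes.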
Advanced ESRP Features ESRP Tracking Tracking information is used to track various forms of connectivity from the ESRP switch to the outside world. This section describes the following ESRP tracking options: • ESRP Environment Tracking on page 239 • ESRP VLAN Tracking on page 239 • ESRP Route Table Tracking on page 240 • ESRP Ping Tracking on page 240 • Displaying Tracking Information on page 240 ESRP Environment Tracking You can configure ESRP to track hardware status.
Extreme Standby Router Protocol ESRP Route Table Tracking You can configure ESRP to track specified routes in the route table as criteria for ESRP failover. If all of the configured routes are not available within the route table, the switch automatically relinquishes master status and remains in slave mode. You can track a maximum of eight routes per route table.
ESRP Tracking Example
Figure 35 is an example of ESRP tracking.
Figure 35: ESRP tracking (figure; labels recovered: ESRP master 200.1.1.1/24, VLAN esrp1 (track-vlan), VLAN vlan1, Host 2 200.1.1.14/24 with gateway 200.1.1.1, a router at 10.10.10.121 reached through an L2 switch, Host 1 200.1.1.13/24 with gateway 200.1.1.1, ESRP slave 200.1.1.
Extreme Standby Router Protocol To configure port restart, use the following command: configure esrp ports restart To disable port restart, use the following command: configure esrp ports no-restart If a switch becomes a slave, ESRP takes down (disconnects) the physical links of member ports that have port restart enabled. The disconnection of these ports causes downstream devices to remove the ports from their FDB tables.
Advanced ESRP Features Other applications allow lower-cost redundant routing configurations because hosts can be directly attached to the switch involved with ESRP. HA also requires at least one link between the master and the slave ESRP switch for carrying traffic and to exchange ESRP hello packets. ESRP domains that share ESRP HA ports must be members of different ESRP groups. NOTE Do not use the ESRP HA feature with the following protocols: STP, EAPS, or VRRP. A broadcast storm may occur.
Extreme Standby Router Protocol Displaying ESRP Information To view ESRP information, use the following command: show esrp Output from this command includes: • The operational state of an ESRP domain and the state of its neighbor • ESRP port configurations To view more detailed information about an ESRP domain, use the following command and specify the domain name: show esrp {} Output from this command includes: • The operational state of an ESRP domain • ESRP election policy • ESRP tracking inform
Figure 38: Single ESRP domain using Layer 2 and Layer 3 redundancy (figure; labels recovered: OSPF or RIP; Domain esrp1, VLAN Sales (master); Domain esrp1, VLAN Sales (standby))
The BlackDiamond 10808 switch, acting as master for ESRP domain esrp1, performs both Layer 2 switching and Layer 3 routing services for VLAN Sales. The BlackDiamond 10808 switch in slave mode for ESRP domain esrp1 performs neither for VLAN Sales, thus preventing bridging loops in the VLAN.
Extreme Standby Router Protocol • Ports added to the VLAN have already been removed from VLAN default. • IP address for the VLANs participating in ESRP must be identical. NOTE If your network has switches running ExtremeWare and ExtremeWare XOS participating in ESRP, Extreme Networks recommends that the ExtremeWare XOS switches operate in ESRP standard mode. To change the mode of operation, use the configure esrp mode [extended | standard] command.
ESRP Examples Multiple Domains Using Layer 2 and Layer 3 Redundancy The example shown in Figure 39 illustrates an ESRP configuration that has multiple domains using Layer 2 and Layer 3 redundancy.
Extreme Standby Router Protocol Configuration commands for the first BlackDiamond switch are as follows: create vlan sales configure vlan sales tag 10 configure vlan sales add ports 1:1-1:2 configure vlan sales add ports 1:3 tagged configure vlan sales ipaddress 10.1.2.3/24 create vlan engineering configure vlan engineering tag 20 configure vlan engineering add ports 1:4 configure vlan engineering add ports 1:3 tagged configure vlan engineering ipaddress 10.4.5.
ESRP Cautions ESRP and STP A switch running ESRP should not simultaneously participate in STP for the same VLAN(s). Other switches in the VLAN being protected by ESRP may run STP; the switch running ESRP forwards, but does not filter, STP BPDUs. Therefore, you can combine ESRP and STP on a network and a VLAN, but you must do so on separate devices. You should be careful to maintain ESRP connectivity between ESRP master and slave switches when you design a network that uses ESRP and STP.
14 Virtual Router Redundancy Protocol This chapter covers the following topics: • Overview on page 251 • Determining the VRRP Master on page 252 • Additional VRRP Highlights on page 254 • VRRP Operation on page 255 • VRRP Configuration Parameters on page 257 • VRRP Examples on page 258 This chapter assumes that you are already familiar with the Virtual Router Redundancy Protocol (VRRP).
VRRP Terms
Table 44 describes terms associated with VRRP.
Table 44: VRRP terms
Virtual router: A VRRP router is a group of one or more physical devices that acts as the default gateway for hosts on the network. The VRRP virtual router is identified by a virtual router identifier (VRID) and an IP address.
VRRP router: Any router that is running VRRP. A VRRP router can participate in one or more virtual routers.
VRRP Tracking Example
Figure 40 is an example of VRRP tracking.
Figure 40: VRRP tracking (figure; labels recovered: VRRP master 200.1.1.1/24 (track-vlan), VLAN vlan1, Host 2 200.1.1.14/24 with gateway 200.1.1.1, a router at 10.10.10.121 reached through an L2 switch or hub, Host 1 200.1.1.13/24 with gateway 200.1.1.1, VRRP backup 200.1.1.
If the master router becomes unavailable, the election process provides dynamic failover and the backup router that has the highest priority assumes the role of master. A new master is elected when one of the following happens:
• VRRP is disabled on the master router.
• Loss of communication occurs between master and backup router(s).
• Another VRRP router is attached to the VLAN, and the new router has the same priority as the current master.
VRRP Operation
This section describes two VRRP network configurations:
• A simple VRRP network
• A fully redundant VRRP network
Simple VRRP Network Configuration
Figure 41 shows a simple VRRP network.
Figure 41: Simple VRRP network (figure; labels recovered: Switch A = Master, VRID = 1, virtual router IP address = 192.168.1.3, MAC address = 00-00-5E-00-01-01, Priority = 255; Switch B = Backup, VRID = 1, virtual router IP address = 192.168.1.3, MAC address = 00-00-5E-00-01-01, Priority = 100; 192.168.1.
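As an added example that is not from the guide or the ExtremeWare XOS software, the Python below derives the virtual MAC address shown in Figure 41 from the VRID (the IANA prefix 00-00-5E-00-01 followed by the VRID in hex, as RFC 3768 specifies), performs the priority-based master election between the two switches, and re-elects after the master is lost. The tie-break on the higher primary IP address is the RFC 3768 rule rather than a statement on this page, and the router addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

VRRP_MAC_PREFIX = "00-00-5E-00-01"  # IANA-assigned VRRP virtual MAC prefix (RFC 3768)


def virtual_mac(vrid):
    """Virtual router MAC for a VRID: 00-00-5E-00-01-{VRID}, VRID as two hex digits."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1 to 255")
    return f"{VRRP_MAC_PREFIX}-{vrid:02X}"


@dataclass
class VrrpRouter:
    name: str
    address: str    # primary IP address of this router on the VLAN (constructed)
    priority: int   # 255 = owner of the virtual IP address, 1 to 254 otherwise
    up: bool = True


def elect_master(routers):
    """Highest priority among reachable routers wins; equal priorities are
    broken by the higher primary IP address (RFC 3768 rule, an assumption here)."""
    live = [r for r in routers if r.up]
    if not live:
        return None
    return max(live, key=lambda r: (r.priority, int(ipaddress.ip_address(r.address))))


def failover(routers, failed_name):
    """Mark a router unavailable and return the newly elected master (or None)."""
    for r in routers:
        if r.name == failed_name:
            r.up = False
    return elect_master(routers)


# Constructed to match the priorities in Figure 41 (Switch A owns the virtual IP).
SAMPLE_ROUTERS = [
    VrrpRouter("Switch A", "192.168.1.1", priority=255),
    VrrpRouter("Switch B", "192.168.1.2", priority=100),
]
```

Because the virtual MAC depends only on the VRID, both switches in the figure present 00-00-5E-00-01-01 for VRID 1; hosts keep the same ARP entry across a failover, which is what makes the gateway change invisible to them.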
Fully Redundant VRRP Network
You can use two or more VRRP-enabled switches to provide a fully redundant VRRP configuration on your network. Figure 42 shows a fully redundant VRRP configuration.
Figure 42: Fully redundant VRRP configuration (figure; labels recovered: Switch A is master for virtual IP 192.168.1.3 (master VRID = 1) and backup for virtual IP 192.168.1.5 (backup VRID = 2), MAC address = 00-00-5E-00-01-01; Switch B is master for virtual IP 192.168.1.5 (master VRID = 2) and backup for virtual IP 192.168.1.
VRRP Configuration Parameters
Table 45 lists the parameters that you configure on a VRRP router.
Table 45: VRRP configuration parameters
vrid: The virtual router identifier, a configured value in the range 1 to 255. This parameter has no default value.
priority: The priority value used by this VRRP router in the master election process.
VRRP Examples
This section provides the configuration syntax for the two VRRP networks discussed in this chapter.
Configuring the Simple VRRP Network
Figure 43 shows the simple VRRP network described in the “Simple VRRP Network Configuration” section.
Figure 43: Simple VRRP network (figure; labels recovered: Switch A = Master, VRID = 1, virtual router IP address = 192.168.1.3, MAC address = 00-00-5E-00-01-01, Priority = 255; Switch B = Backup, VRID = 1, virtual router IP address = 192.
Configuring the Fully Redundant VRRP Network
Figure 44 shows the fully redundant VRRP network configuration described in the “Fully Redundant VRRP Network” section.
Figure 44: Fully redundant VRRP configuration (figure; labels recovered: Switch A is master for virtual IP 192.168.1.3 (master VRID = 1) and backup for virtual IP 192.168.1.5 (backup VRID = 2), MAC address = 00-00-5E-00-01-01; Switch B is master for virtual IP 192.168.1.5 (master VRID = 2) and backup for virtual IP 192.168.1.
15 IP Unicast Routing This chapter describes the following topics: • Overview of IP Unicast Routing on page 261 • Proxy ARP on page 264 • Relative Route Priorities on page 265 • Configuring IP Unicast Routing on page 266 • Verifying the IP Unicast Routing Configuration on page 266 • Routing Configuration Example on page 266 • IP Multinetting on page 268 • Configuring DHCP/BOOTP Relay on page 274 This chapter assumes that you are already familiar with IP unicast routing.
IP Unicast Routing Router Interfaces The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a virtual LAN (VLAN) that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs. Both the VLAN switching and IP routing function occur within the switch. NOTE Each IP address and mask assigned to a VLAN must represent a unique IP subnet.
Overview of IP Unicast Routing Populating the Routing Table The switch maintains an IP routing table for both network routes and host routes.
Multiple Routes
When there are multiple, conflicting choices of a route to a particular destination, the router picks the route with the longest matching network mask. If the mask lengths are equal, the router picks the route using the following criteria (in the order specified):
• Directly attached network interfaces
• ICMP redirects
• Static routes
• Directly attached network interfaces that are not active.
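The selection rule above, longest matching mask first and then the listed origin order, as an added Python example that is not code from the guide or from ExtremeWare XOS. The routing table is constructed for the example, and only the four origins visible on this page are ranked; the guide's list continues beyond them, so treat the ORIGIN_PREFERENCE tuple as a partial assumption.

```python
import ipaddress

# Tie-break order between matches of equal mask length, as the guide lists them.
# Only the origins visible on this page are included (assumption: the guide's
# full list continues with further origins that are omitted here).
ORIGIN_PREFERENCE = (
    "direct",           # directly attached network interface
    "icmp-redirect",
    "static",
    "direct-inactive",  # directly attached interface that is not active
)

# Constructed sample routing table: (prefix, origin, next hop or interface).
SAMPLE_TABLE = [
    ("0.0.0.0/0",   "static",          "192.168.1.1"),
    ("10.0.0.0/8",  "static",          "192.168.1.254"),
    ("10.1.0.0/16", "icmp-redirect",   "192.168.1.200"),
    ("10.1.0.0/16", "direct",          "vlan1"),
    ("10.1.2.0/24", "direct-inactive", "vlan2"),
]


def route_key(entry):
    """Sort key: longer mask first, then the more preferred origin."""
    prefix, origin, _ = entry
    return (ipaddress.ip_network(prefix).prefixlen,
            -ORIGIN_PREFERENCE.index(origin))


def select_route(table, destination):
    """Return the (prefix, origin, next_hop) entry the router would use for
    the destination, or None when nothing in the table covers it."""
    dst = ipaddress.ip_address(destination)
    matches = [entry for entry in table if dst in ipaddress.ip_network(entry[0])]
    if not matches:
        return None
    return max(matches, key=route_key)
```

Two consequences of the rule are visible in the sample table: a more specific prefix wins even when its origin is the least preferred one, and at equal mask length an ICMP-redirect route outranks a static route, which is why acceptance of redirects is a setting worth reviewing on any router whose static routes are meant to be authoritative.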
Relative Route Priorities For example, an IP host is configured with a class B address of 100.101.102.103 and a mask of 255.255.0.0. The switch is configured with the IP address 100.101.102.1 and a mask of 255.255.255.0. The switch is also configured with a proxy ARP entry of IP address 100.101.0.0 and mask 255.255.0.0, without the always parameter. When the IP host tries to communicate with the host at address 100.101.45.
IP Unicast Routing Configuring IP Unicast Routing This section describes the commands associated with configuring IP unicast routing on the switch. To configure routing: 1 Create and configure two or more VLANs. 2 Assign each VLAN that will be using routing an IP address using the following command: configure vlan ipaddress {} Ensure that each VLAN has a unique IP address.
• MyCompany
— Port-based VLAN.
— All ports on slots 1 through 4 have been assigned.
Figure 46: Unicast routing configuration example (figure; labels recovered: router interface A 192.207.35.1 on VLAN Finance, network 192.207.35.0; router interface B 192.207.36.1 on VLAN Personnel, network 192.207.36.0; VLAN MyCompany spanning the attached stations; legend: IP traffic and NetBIOS traffic)
The stations connected to the system generate a combination of IP traffic and NetBIOS traffic.
IP Unicast Routing configure rip add vlan Finance configure rip add vlan Personnel enable ipforwarding enable rip IP Multinetting IP multinetting refers to having multiple IP networks on the same bridging domain (or VLAN). The hosts connected to the same physical segment can belong to any one of the networks, so multiple subnets can overlap onto the same physical segment. Any routing between the hosts in different networks is done through the interface of the router.
Figure 47: Multinetted network topology (figure; labels recovered: transit network; VLAN multi with a primary subnet, secondary subnet-1 and secondary subnet-2; a host; a BD10K switch)
Figure 47 shows a multinetted VLAN named multi. VLAN multi has three IP subnets, so three IP addresses have been configured for the VLAN. One of the subnets is the primary subnet and can be connected to any transit network (for example, the Internet).
IP Unicast Routing Route Manager The Route Manager will install a route corresponding to each of the secondary interfaces. The route origin will be direct, will be treated as a regular IP route, and can be used for IP data traffic forwarding. These routes can also be redistributed into the various routing protocol domains if you configure route redistribution. IRDP There are some functional changes required in Internet Router Discovery Protocol (IRDP) as result of IP multinetting support.
IP Multinetting RIP. This section describes the behavior of the Routing Information Protocol (RIP) in an IP multinetting environment: • RIP does not send any routing information update on the secondary interfaces. However, RIP will advertise networks corresponding to secondary interfaces in its routing information packet to the primary interface. • Any inbound RIP control packets from secondary interfaces are dropped.
IP Unicast Routing • PIM also accepts membership information from hosts on secondary subnets. EAPS, ESRP, and STP Control protocols like Ethernet Automatic Protection Switching (EAPS), Extreme Standby Router Protocol (ESRP), and the Spanning Tree Protocol (STP) treat the VLAN as an interface. If the protocol control packets are exchanged as Layer 3 packets, then the source address in the packet is validated against the IP networks configured on that interface.
IP Multinetting These configurations are not allowed: • VRRP VR on v1 with VRID of 99 with virtual IP addresses of 1.1.1.1 and 2.2.2.2 (the addresses are not on the same subnet) • VRRP VR on v1 with VRID of 99 with virtual IP addresses of 1.1.1.1 and 1.1.1.99 (one address is owned and one address is not owned by the switch) Configuring IP Multinetting You configure IP multinetting by adding a secondary IP address to a vlan.
IP Unicast Routing Configuring DHCP/BOOTP Relay After IP unicast routing has been configured, you can configure the switch to forward Dynamic Host Configuration Protocol (DHCP) or BOOTP requests coming from clients on subnets being serviced by the switch and going to hosts on different subnets. This feature can be used in various applications, including DHCP services between Windows NT servers and clients running Windows 95. To configure the relay function: 1 Configure VLANs and IP unicast routing.
16 Interior Gateway Protocols This chapter describes the following topics: • Overview on page 276 • Overview of RIP on page 277 • Overview of OSPF on page 278 • Route Redistribution on page 283 • RIP Configuration Example on page 285 • Configuring OSPF on page 286 • OSPF Configuration Example on page 288 • Displaying OSPF Settings on page 290 This chapter assumes that you are already familiar with IP unicast routing.
Overview
The switch supports the use of two interior gateway protocols (IGPs): the Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) protocol. RIP is a distance-vector protocol, based on the Bellman-Ford (or distance-vector) algorithm. The distance-vector algorithm has been in use for many years and is widely deployed and understood. OSPF is a link-state protocol, based on the Dijkstra link-state algorithm.
Overview of RIP Overview of RIP RIP is an IGP first used in computer routing in the Advanced Research Projects Agency Network (ARPAnet) as early as 1969. It is primarily intended for use in homogeneous networks of moderate size. To determine the best path to a distant network, a router using RIP always selects the path that has the least number of hops. Each router that data must traverse is considered to be one hop.
Interior Gateway Protocols RIP Version 1 Versus RIP Version 2 A new version of RIP, called RIP version 2, expands the functionality of RIP version 1 to include the following: • Variable-length subnet masks (VLSMs). • Support for next-hop addresses, which allows for optimization of routes in certain environments. • Multicasting. RIP version 2 packets can be multicast instead of being broadcast, reducing the load on hosts that do not support routing protocols.
Overview of OSPF Database Overflow The OSPF database overflow feature allows you to limit the size of the LSDB and to maintain a consistent LSDB across all the routers in the domain, which ensures that all routers have a consistent view of the network. Consistency is achieved by: • Limiting the number of external LSAs in the database of each router. • Ensuring that all routers have identical LSAs.
Interior Gateway Protocols • Autonomous system border router (ASBR)—An ASBR acts as a gateway between OSPF and other routing protocols, or other autonomous systems. Backbone Area (Area 0.0.0.0) Any OSPF network that contains more than one area is required to have an area configured as area 0.0.0.0, also called the backbone. All areas in an AS must be connected to the backbone. When designing networks, you should start with area 0.0.0.0 and then expand into other areas. NOTE Area 0.0.0.
Overview of OSPF The translate option determines whether type 7 LSAs are translated into type 5 LSAs. When configuring an OSPF area as an NSSA, the translate should only be used on NSSA border routers, where translation is to be enforced. If translate is not used on any NSSA border router in a NSSA, one of the ABRs for that NSSA is elected to perform translation (as indicated in the NSSA specification). The option should not be used on NSSA internal routers.
Interior Gateway Protocols Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 49, if the connection between ABR1 and the backbone fails, the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the backbone using the virtual link.
Route Redistribution NOTE All routers in the VLAN must have the same OSPF link type. If there is a mismatch, OSPF attempts to operate, but it may not be reliable. Route Redistribution RIP and OSPF can be enabled simultaneously on the switch. Route redistribution allows the switch to exchange routes, including static routes, between the routing protocols. Figure 50 is an example of route redistribution between an OSPF AS and a RIP AS. Figure 50: Route redistribution OSPF AS Backbone Area 0.0.0.
Interior Gateway Protocols Redistributing Routes into OSPF Enable or disable the exporting of BGP, RIP, static, and direct (interface) routes to OSPF using the following commands: enable ospf export [bgp | direct | e-bgp | i-bgp | rip | static] [cost type [ase-type-1 | ase-type-2] {tag } | ] disable ospf export [bgp | direct | e-bgp | i-bgp | rip | static] These commands enable or disable the exporting of RIP, static, and direct routes by way of LSA to other OSPF routers as AS-e
RIP Configuration Example RIP Configuration Example Figure 51 illustrates a BlackDiamond switch that has three VLANs defined as follows: • Finance — Protocol-sensitive VLAN using the IP protocol. — All ports on slots 1 and 3 have been assigned. — IP address 192.207.35.1. • Personnel — Protocol-sensitive VLAN using the IP protocol. — All ports on slots 2 and 4 have been assigned. — IP address 192.207.36.1. • MyCompany — Port-based VLAN. — All ports on slots 1 through 4 have been assigned.
In this configuration, all IP traffic from stations connected to slots 1 and 3 has access to the router by way of the VLAN Finance. Ports on slots 2 and 4 reach the router by way of the VLAN Personnel. All other traffic (NetBIOS) is part of the VLAN MyCompany.
Configuring OSPF OSPF Wait Interval Parameters You can configure the following parameters: • Retransmit interval—The length of time that the router waits before retransmitting an LSA that is not acknowledged. If you set an interval that is too short, unnecessary retransmissions result. The default value is 5 seconds. • Transit delay—The length of time it takes to transmit an LSA packet over the interface. The transit delay must be greater than 0.
OSPF Configuration Example
Figure 52 is an example of an autonomous system using OSPF routers. The details of this network follow.
Figure 52: OSPF configuration example (figure; labels recovered: Area 0 at Headquarters containing IR 1 10.0.1.2, IR 2 10.0.1.1, ABR 1 10.0.2.1 and ABR 2 10.0.3.1, with 10.0.2.2 and 10.0.3.2 on the links to them; Los Angeles reached through ABR 1 with 161.48.2.1 and 161.48.2.2; a virtual link; a further site with 160.26.25.1, 160.26.26.1 and 160.26.26.2; the HQ VLAN names and the remaining labels are garbled in extraction)
OSPF Configuration Example Area 6 is a stub area connected to the backbone by way of ABR1. It is located in Los Angeles and has the following characteristics: • Network number 161.48.x.x • One identified VLAN (LA_161_48_2) • Three internal routers • Uses default routes for inter-area routing Two router configurations for the example in Figure 52 are provided in the following section.
Interior Gateway Protocols Displaying OSPF Settings You can use a number of commands to display settings for OSPF. To show global OSPF information, use the show ospf command with no options. To display information about one or all OSPF areas, use the following command: show ospf area {} The detail option displays information about all OSPF areas in a detail format.
17 Exterior Gateway Routing Protocols This chapter covers the following topics: • Overview on page 292 • BGP Attributes on page 292 • BGP Communities on page 292 • BGP Features on page 293 This chapter describes how to configure the Border Gateway Protocol (BGP), an exterior routing protocol available on the switch.
Exterior Gateway Routing Protocols Overview BGP is an exterior routing protocol that was developed for use in TCP/IP networks. The primary function of BGP is to allow different autonomous systems (ASs) to exchange network reachability information. An AS is a set of routers that are under a single technical administration. This set of routers uses a different routing protocol, for example Open Shortest Path First (OSPF), for intra-AS routing.
BGP Features BGP Features This section describes the following BGP features supported by ExtremeWare XOS: • Route Reflectors on page 293 • Route Confederations on page 295 • Route Aggregation on page 298 • Using the Loopback Interface on page 298 • BGP Peer Groups on page 298 • BGP Route Flap Dampening on page 299 • BGP Route Selection on page 301 • Route Redistribution on page 301 • BGP Static Network on page 302 Route Reflectors Another way to overcome the difficulties of creating a fully meshed AS is t
Exterior Gateway Routing Protocols received from the client 3.3.3.3 by the router 2.2.2.2 are reflected to 4.4.4.4 and vice-versa. Routes received from 1.1.1.1 are reflected to all clients. To configure router 1.1.1.1, use the following commands: create vlan to_rr configure vlan to_rr add port 1:1 configure vlan to_rr ipaddress 10.0.0.1/24 enable ipforwarding vlan to_rr configure bgp router 1.1.1.1 configure bgp as-number 100 create bgp neighbor 10.0.0.
BGP Features To configure router 4.4.4.4, use the following commands: create vlan to_rr configure vlan to_rr add port 1:1 configure vlan to_rr ipaddress 30.0.0.1/24 enable ipforwarding vlan to_rr configure bgp router 4.4.4.4 configure bgp as-number 100 create bgp neighbor 30.0.0.2 remote-as 100 enable bgp neighbor all enable bgp Route Confederations BGP requires networks to use a fully meshed router configuration. This requirement does not scale well, especially when BGP is used as an IGP.
Exterior Gateway Routing Protocols To configure router A, use the following commands: create vlan ab configure vlan ab add port 1 configure vlan ab ipaddress 192.1.1.6/30 enable ipforwarding vlan ab configure ospf add vlan ab area 0.0.0.0 create vlan ac configure vlan ac add port 2 configure vlan ac ipaddress 192.1.1.17/30 enable ipforwarding vlan ac configure ospf add vlan ac area 0.0.0.0 enable ospf configure bgp as-number 65001 configure bgp routerid 192.1.1.
BGP Features To configure router C, use the following commands: create vlan ca configure vlan ca add port 1 configure vlan ca ipaddress 192.1.1.18/30 enable ipforwarding vlan ca configure ospf add vlan ca area 0.0.0.0 create vlan cb configure vlan cb add port 2 configure vlan cb ipaddress 192.1.1.21/30 enable ipforwarding vlan cb configure ospf add vlan cb area 0.0.0.0 enable ospf configure bgp as-number 65001 configure bgp routerid 192.1.1.
Exterior Gateway Routing Protocols configure bgp as-number 65002 configure bgp routerid 192.1.1.13 configure bgp confederation-id 200 enable bgp create bgp neighbor 192.1.1.14 remote-AS-number 65002 enable bgp neighbor 192.1.1.14 Route Aggregation Route aggregation is the process of combining the characteristics of several routes so that they are advertised as a single route. Aggregation reduces the amount of information that a BGP speaker must store and exchange with other BGP speakers.
BGP Features Changes made to the parameters of a peer group are applied to all neighbors in the peer group.
flaps so often that the penalty exceeds a configurable suppress limit, the router stops advertising the route to network 172.25.0.0, regardless of how many times it flaps. Thus, the route is dampened. The penalty placed on network 172.25.0.0 is decayed until the reuse limit is reached, when the route is once again advertised. At half of the reuse limit, the dampening information for the route to network 172.25.0.0 is removed.
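To make the suppress, reuse and half-of-reuse behaviour described above concrete, here is an added Python simulation of a per-route flap penalty; it is not code from the guide or from ExtremeWare XOS. The suppress limit and reuse limit are the guide's concepts, while the exponential decay with a 900 second half-life and the 1000 point penalty per flap are assumptions made for this example (they follow the common RFC 2439 style model, not necessarily the switch's own values).

```python
class FlapDampener:
    """Tracks the dampening penalty of one route. Times are in seconds and
    the methods must be called in non-decreasing time order."""

    def __init__(self, suppress_limit=2000, reuse_limit=750,
                 half_life=900, flap_penalty=1000):
        # Half-life and per-flap penalty are assumptions for this example.
        self.suppress_limit = suppress_limit
        self.reuse_limit = reuse_limit
        self.half_life = half_life
        self.flap_penalty = flap_penalty
        self.penalty = 0.0
        self.suppressed = False
        self._last = 0.0

    def _decay(self, now):
        """Exponentially decay the penalty from the last update to 'now'."""
        elapsed = now - self._last
        self._last = now
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        # At half of the reuse limit the dampening information is removed.
        if self.penalty < self.reuse_limit / 2:
            self.penalty = 0.0

    def flap(self, now):
        """Record a flap at time 'now'; return True if the route is now suppressed."""
        self._decay(now)
        self.penalty += self.flap_penalty
        if self.penalty > self.suppress_limit:
            self.suppressed = True
        return self.suppressed

    def advertised(self, now):
        """Return True if the route may be advertised at time 'now'."""
        self._decay(now)
        if self.suppressed and self.penalty <= self.reuse_limit:
            self.suppressed = False
        return not self.suppressed


def simulate(flap_times, check_times, **limits):
    """Run a constructed flap sequence and report (time, advertised) for each check."""
    d = FlapDampener(**limits)
    for t in flap_times:
        d.flap(t)
    return [(t, d.advertised(t)) for t in check_times]
```

With the defaults, three flaps within two minutes push the penalty past the suppress limit; the route is withheld until the decaying penalty falls back to the reuse limit roughly half an hour later, and the state is cleared entirely once the penalty falls below half that limit. Operators tune these limits so that a single unstable prefix cannot generate a stream of withdrawals and re-advertisements across the peering.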
To view the configured values of the route flap dampening parameters for a BGP peer group, use the following command: show bgp peer-group {detail | {detail}}
BGP Route Selection
BGP selects routes based on the following precedence (from highest to lowest):
• higher weight
• higher local preference
• shortest length (shortest AS path)
• lowest origin code
• lowest Multi Exit Discriminator (MED)
• route from external peer
• lowest cost to next hop
• lowest routerID
Stripping
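The precedence list above as a working comparator, added here as an example rather than taken from the guide or from ExtremeWare XOS: each BGP path is reduced to a tuple with one element per criterion in the listed order, so the smallest tuple is the best path, and a helper reports which criterion actually decided the election. The path attributes and peer router IDs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ORIGIN_CODE = {"igp": 0, "egp": 1, "incomplete": 2}

# One name per criterion, in the guide's precedence order.
CRITERIA = (
    "higher weight",
    "higher local preference",
    "shortest AS path",
    "lowest origin code",
    "lowest MED",
    "route from external peer",
    "lowest cost to next hop",
    "lowest router ID",
)


@dataclass
class BgpPath:
    router_id: str            # router ID of the peer the path was learned from
    as_path: List[int]
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    external: bool = False    # learned from an eBGP peer
    igp_cost: int = 0         # IGP cost to reach the next hop


def selection_key(path):
    """Lower tuple = better path; elements follow CRITERIA order."""
    return (
        -path.weight,
        -path.local_pref,
        len(path.as_path),
        ORIGIN_CODE[path.origin],
        path.med,
        0 if path.external else 1,
        path.igp_cost,
        int(ipaddress.ip_address(path.router_id)),
    )


def select_best(paths):
    """Return the best path under the precedence list."""
    return min(paths, key=selection_key)


def deciding_criterion(paths):
    """Name the first criterion that separates the best path from the runner-up."""
    ranked = sorted(paths, key=selection_key)
    if len(ranked) < 2:
        return None
    best, second = selection_key(ranked[0]), selection_key(ranked[1])
    for name, a, b in zip(CRITERIA, best, second):
        if a != b:
            return name
    return None


# Constructed sample: three paths to the same prefix from three peers.
SAMPLE_PATHS = [
    BgpPath("10.0.0.1", [65010, 65020], local_pref=200, external=True),
    BgpPath("10.0.0.2", [65030], local_pref=100, external=True),
    BgpPath("10.0.0.3", [65040], local_pref=200, external=False),
]
```

In the sample, the peer with the shortest AS path loses to the two paths carrying the higher local preference, and between those the shorter AS path wins; a dampened path (previous section) would be excluded from the candidate list before this comparison is made.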
Configuring Route Redistribution
Exporting routes between two routing protocols is a separate configuration function for each direction. For example, you must configure the switch to export routes from OSPF to BGP, and, if desired, you must separately configure the switch to export routes from BGP to OSPF. You must first configure both protocols and then verify the independent operation of each. Then you can configure the routes to export from OSPF to BGP and the routes to export from BGP to OSPF.
18 IP Multicast Routing This chapter covers the following topics: • Overview on page 303 • Configuring IP Multicasting Routing on page 306 • Configuration Examples on page 306 For more information on IP multicasting, refer to the following publications: • RFC 1112—Host Extension for IP Multicasting • RFC 2236—Internet Group Management Protocol, Version 2 • PIM-DM Version 2—draft_ietf_pim_v2_dm_03 • RFC 2362—Protocol-Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification The following URL poin
IP Multicast Routing PIM Overview The switch supports both dense mode and sparse mode operation. You can configure dense mode or sparse mode on a per-interface basis. After they are enabled, some interfaces can run dense mode, while others run sparse mode. PIM Dense Mode Protocol-Independent Multicast - Dense Mode (PIM-DM) is a multicast routing protocol. PIM-DM routers perform reverse path multicasting (RPM).
Overview IGMP Overview IGMP is a protocol used by an IP host to register its IP multicast group membership with a router. Periodically, the router queries the multicast group to see if the group is still in use. If the group is still active, a single IP host responds to the query, and group registration is maintained. IGMP is enabled by default on the switch. However, the switch can be configured to disable the generation of periodic IGMP query packets.
IP Multicast Routing To display the IGMP snooping static groups, use the following command: show igmp snooping vlan static [group | router] IGMP Snooping Filters IGMP snooping filters allow you to configure a policy file on a port to allow or deny IGMP report and leave packets coming into the port. (For details on creating policy files, see “Management Access Security” on page 167.
Figure 55: IP multicast routing using PIM-DM configuration example (figure; labels recovered: Area 0 at Headquarters containing IR 1 10.0.1.2, IR 2 10.0.1.1, ABR 1 10.0.2.1 and ABR 2 10.0.3.1, with 10.0.2.2 and 10.0.3.2 on the links to them; Los Angeles reached through ABR 1 with 161.48.2.1 and 161.48.2.2; a virtual link; a further site with 160.26.25.1, 160.26.26.1 and 160.26.26.2; the HQ VLAN names and the remaining labels are garbled in extraction)
PIM-SM Configuration Example
In Figure 56, the system labeled ABR1 is configured for IP multicast routing using PIM-SM.
Figure 56: IP multicast routing using PIM-SM configuration example (figure; labels recovered: Area 0 at Headquarters containing IR 1 10.0.1.2, IR 2 10.0.1.1, ABR 2 10.0.3.1 and ABR 1 10.0.2.1 acting as the rendezvous point, VLAN HQ_10_10_4, with 10.0.2.2 and 10.0.3.2 on the links to the ABRs; Los Angeles reached through ABR 1 with 161.48.2.1 and 161.48.2.2; a virtual link; a further site with 160.26.25.1, 160.26.26.1 and 160.26.26.
Part 3 Appendixes
A Software Upgrade and Boot Options This appendix describes the following topics: • Downloading a New Image on page 311 • Saving Configuration Changes on page 314 • Using TFTP to Upload the Configuration on page 316 • Using TFTP to Download the Configuration on page 317 • Synchronizing MSMs on page 318 • Accessing the Bootloader on page 318 Downloading a New Image The image file contains the executable code that runs on the switch and is preinstalled at the factory.
Software Upgrade and Boot Options If you download and install the software image on the active partition, you must reboot the switch. The following message appears when downloading and installing on the active partition: Image will be installed to the active partition, a reboot required. Do you want to continue? (y or n) Enter y to continue the installation and reboot the switch. Enter n to cancel.
Downloading a New Image Output from this command includes the selected and booted images and if they are in the primary or secondary partition. If two Management Switch Fabric Modules (MSMs) are installed in the BlackDiamond 10808 switch, the downloaded image is saved to the same location on each one.
Software Upgrade and Boot Options Use this command to schedule a time to reboot the switch or to reboot the switch immediately. To schedule a time to reboot the switch, use the following command: reboot time
Saving Configuration Changes NOTE Configuration files have a .cfg file extension. When you enter the name of the file in the CLI, the system automatically adds the .cfg file extension. If you have made a mistake or you must revert to the configuration as it was before you started making changes, you can tell the switch to use the backup configuration on the next reboot. Each file name must be unique and can be up to 32 characters long but cannot include any spaces, commas, or special characters.
Returning to Factory Defaults
To return the switch configuration to factory defaults, use the following command:
unconfigure switch
This command resets the entire configuration, with the exception of user accounts and passwords that have been configured and the date and time.
You can also see a complete list of configuration files by entering the following syntax followed by the Tab key:
• save configuration
• use configuration
Renaming Configuration Files
To rename an existing configuration file in your system, use the following command:
mv
Where the following is true:
• old-name—Specifies the current name of the configuration file
• new-name—Specifies the new name of the configuration file
If you rename a config
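The naming rules for configuration files given above (automatic .cfg extension, unique names, at most 32 characters, no spaces, commas or special characters) are easy to get wrong in a provisioning script. The following Python block is an added example, not code from the guide or from Extreme Networks: it models those rules and the save, rename and Tab-completion behaviour described in this section against an in-memory file list. It assumes that the 32-character limit applies to the base name without .cfg, that "special characters" means anything outside letters, digits, underscore and hyphen, and that a duplicate name is refused outright (the real CLI's overwrite prompt is not modelled); the file names in the usage example are constructed.

```python
"""Configuration file naming rules, modelled in Python (added illustration)."""
import re
from typing import List, Set

MAX_NAME_LEN = 32          # limit stated by the guide; assumed to exclude the extension
EXT = ".cfg"               # extension the CLI appends automatically
# Assumption: the characters a name may contain (the guide only lists what is forbidden).
_ALLOWED_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def base_name(name: str) -> str:
    """Strip a trailing .cfg, case-insensitively, if the user typed one."""
    return name[:-len(EXT)] if name.lower().endswith(EXT) else name


def normalize_config_name(name: str) -> str:
    """Return the stored file name, adding .cfg the way the CLI does."""
    return base_name(name) + EXT


def validate_config_name(name: str) -> List[str]:
    """Return the rule violations for a name; an empty list means it is acceptable."""
    base = base_name(name)
    problems: List[str] = []
    if not base:
        problems.append("name is empty")
        return problems
    if len(base) > MAX_NAME_LEN:
        problems.append(f"name exceeds {MAX_NAME_LEN} characters")
    if " " in base:
        problems.append("name contains a space")
    if "," in base:
        problems.append("name contains a comma")
    rest = base.replace(" ", "").replace(",", "")
    if rest and not _ALLOWED_RE.match(rest):
        problems.append("name contains a special character")
    return problems


class ConfigStore:
    """In-memory stand-in for the switch's list of saved configuration files."""

    def __init__(self, existing=()):
        self.files: Set[str] = {normalize_config_name(n) for n in existing}

    def save(self, name: str) -> str:
        """Model 'save configuration <name>': reject invalid or duplicate names."""
        problems = validate_config_name(name)
        if problems:
            raise ValueError("; ".join(problems))
        full = normalize_config_name(name)
        if full in self.files:
            # Assumption: uniqueness enforced by refusing the duplicate outright.
            raise ValueError(f"{full} already exists")
        self.files.add(full)
        return full

    def rename(self, old_name: str, new_name: str) -> str:
        """Model 'mv <old-name> <new-name>' under the same naming rules."""
        old = normalize_config_name(old_name)
        if old not in self.files:
            raise FileNotFoundError(old)
        problems = validate_config_name(new_name)
        if problems:
            raise ValueError("; ".join(problems))
        new = normalize_config_name(new_name)
        if new in self.files:
            raise ValueError(f"{new} already exists")
        self.files.remove(old)
        self.files.add(new)
        return new

    def complete(self, prefix: str = "") -> List[str]:
        """Model Tab completion after 'save configuration' or 'use configuration'."""
        return sorted(f for f in self.files if f.startswith(prefix))


if __name__ == "__main__":
    # Constructed usage: one pre-existing file, then a save and a rename.
    store = ConfigStore(["primary"])
    print(store.save("backup"))
    print(store.rename("backup", "backup-old"))
    print(store.complete("back"))
    print(validate_config_name("my config,v2"))
```

Running validate_config_name before pushing a name to the switch turns a rejected CLI command into a clear error message, and the store's refusal of duplicates mirrors the guide's uniqueness rule without touching the switch.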
If the configuration currently running in the switch does not match the configuration that the switch used when it originally booted, an asterisk (*) appears before the command line prompt when using the CLI.
The following describes some ways that you can use the Bootloader.
• Viewing images—To display a list of installed images, use the show image command.
• Selecting an image—To change the image that the switch boots from in flash memory, use the boot {image number} command. If you specify an image number, that image is booted. If you do not specify an image number, the default image is booted.
B Troubleshooting
This appendix describes some troubleshooting tips on the following topics:
• LEDs on page 321
• Using the Command Line Interface on page 322
• Debug Mode on page 327
• TOP Command on page 327
• System Health Check on page 328
• System Odometer on page 329
• Temperature Operating Range on page 329
• Running MSM Diagnostics from the Bootloader on page 329
If you encounter problems when using the switch, this appendix may be helpful.
enabled will not be lit. The default configuration for a Gigabit port is autonegotiation enabled. Verify by entering the following command:
show ports configuration
On power-on, some I/O modules do not boot:
Check if you are using 110V power input. The BlackDiamond switch powers up only four Input/Output (I/O) modules if it is connected to a 110V outlet.
Error LED on the MSM turns amber:
Check the syslog messages for “critical” software errors.
Using the Command Line Interface
For console port access, you may need to press [Return] several times before the welcome prompt appears.
The SNMP Network Manager cannot access the device:
Check that:
• The Simple Network Management Protocol (SNMP) access is enabled for the system.
• The device IP address, subnet mask, and default router are correctly configured, and that the device has been reset.
Permanent entries remain in the FDB:
If you have made a permanent entry in the FDB that requires you to specify the VLAN to which the entry belongs, and then deleted the VLAN, the FDB entry remains. Although this does not harm the system, if you want to remove the entry, you must manually delete it from the FDB.
No link light on Gigabit fiber port:
Check that:
• The transmit fiber goes to the receive fiber side of the other device and vice versa. All Gigabit fiber cables are of the crossover type.
• The Gigabit ports are set to Auto Off (using the command configure ports auto off) if you are connecting the Extreme Networks switch to devices that do not support autonegotiation. By default, the Extreme Networks switch has autonegotiation set to On for Gigabit ports.
STP
You have connected an endstation directly to the switch and the endstation fails to boot correctly:
The switch has the Spanning Tree Protocol (STP) enabled, and the endstation is booting before the STP initialization process is complete. Disable STP for that VLAN, or turn off STP on the switch ports of the endstation and of the devices to which it is attempting to connect; then reboot the endstation.
You cannot enable an ESRP domain:
Before you enable a specific ESRP domain, it must have a domain ID. A domain ID is either a user-configured number or the 802.1Q tag (VLANid) of the tagged master VLAN. The domain ID must be identical on all switches participating in ESRP for that particular domain. If you do not have a domain ID, you cannot enable ESRP on that domain.
System Health Check
There are two modes of health checking available on the switch: polling and backplane diagnostic packets. The two methods are described briefly below:
• Polling is always enabled on the system and occurs every 60 seconds by default. The system health checker polls and tracks the ASIC counters that collect correctable and uncorrectable packet memory errors, checksum errors, and parity errors on a per-ASIC basis.
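The polling mode described above is a counter-delta monitor: what matters is not the cumulative value of each per-ASIC counter but how much it grew since the previous poll. The following Python block is an added example, not code from the guide or from Extreme Networks, showing the bookkeeping such a poller needs, with a baseline sample, per-counter growth, tolerance of counter resets, and a threshold that distinguishes a few correctable errors from any uncorrectable, checksum or parity error. The counter names, the dictionary sample format, the thresholds and the three polling samples are all assumptions constructed for the example; the interface of the real health checker is not documented on this page.

```python
"""Counter-delta health polling, modelled in Python (added illustration)."""
from typing import Dict, List, Tuple

POLL_INTERVAL_SECONDS = 60          # default polling interval stated by the guide
COUNTERS = ("correctable", "uncorrectable", "checksum", "parity")
# Assumption: a few correctable errors per interval are tolerated; any
# uncorrectable, checksum or parity error is reported at once.
CORRECTABLE_PER_POLL_LIMIT = 5

Sample = Dict[str, Dict[str, int]]   # {asic: {counter: cumulative value}}
Alert = Tuple[str, str, int]         # (asic, counter, growth since last poll)


class HealthChecker:
    """Tracks cumulative error counters per ASIC and flags abnormal growth."""

    def __init__(self) -> None:
        self.last: Sample = {}

    def poll(self, sample: Sample) -> List[Alert]:
        """Compare one poll with the previous one and return the alerts it raises."""
        alerts: List[Alert] = []
        for asic, counters in sample.items():
            prev = self.last.get(asic)
            if prev is not None:                  # the first sample only sets the baseline
                for name in COUNTERS:
                    growth = counters.get(name, 0) - prev.get(name, 0)
                    if growth < 0:
                        continue                  # counter reset or wrap: resynchronise silently
                    limit = CORRECTABLE_PER_POLL_LIMIT if name == "correctable" else 0
                    if growth > limit:
                        alerts.append((asic, name, growth))
            self.last[asic] = dict(counters)
        return alerts


def run_samples(samples: List[Sample]) -> List[Tuple[int, str, str, int]]:
    """Feed successive polls to one checker; return (elapsed s, asic, counter, growth)."""
    checker = HealthChecker()
    report: List[Tuple[int, str, str, int]] = []
    for index, sample in enumerate(samples):
        for alert in checker.poll(sample):
            report.append((index * POLL_INTERVAL_SECONDS,) + alert)
    return report


# Constructed polling samples: cumulative counters for two ASICs over three polls.
SAMPLES: List[Sample] = [
    {"asic0": {"correctable": 10, "uncorrectable": 0, "checksum": 0, "parity": 0},
     "asic1": {"correctable": 0, "uncorrectable": 0, "checksum": 0, "parity": 0}},
    {"asic0": {"correctable": 12, "uncorrectable": 0, "checksum": 0, "parity": 0},
     "asic1": {"correctable": 0, "uncorrectable": 0, "checksum": 1, "parity": 0}},
    {"asic0": {"correctable": 30, "uncorrectable": 1, "checksum": 0, "parity": 0},
     "asic1": {"correctable": 0, "uncorrectable": 0, "checksum": 1, "parity": 0}},
]

if __name__ == "__main__":
    for elapsed, asic, counter, growth in run_samples(SAMPLES):
        print(f"t+{elapsed}s {asic}: {counter} grew by {growth}")
```

With the constructed samples, the checksum error on asic1 is reported at the second poll, and the third poll reports both the burst of correctable errors and the single uncorrectable error on asic0; a counter that goes backwards is treated as a reset rather than an alert, which is the usual way to avoid false alarms after a module is hot-swapped.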
System Odometer
Each field-replaceable component contains a system odometer counter in EEPROM. Use the show odometers command to see how long an individual component has been in service since it was manufactured.
3 Reboot the MSM and press the spacebar on the terminal keyboard during the boot-up process.
NOTE
You must press the spacebar immediately after a power cycle of the MSM in order to get into the Bootloader application. As soon as you see the BOOTLOADER> prompt, release the key.
From here, you can run the diagnostics on the MSM. To run diagnostics on the MSM:
1 Identify the currently running software images by using the show images command.
C Supported Protocols, MIBs, and Standards
The following is a list of software standards and protocols supported by ExtremeWare XOS.
General Routing and Switching
RFC 1812 Requirements for IP Version 4 Routers
RFC 793 Transmission Control Protocol
RFC 1519 An Architecture for IP Address Allocation with CIDR
RFC 826 Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.
RIP
RFC 1058 Routing Information Protocol
RFC 2453 RIP Version 2
OSPF
RFC 2328 OSPF Version 2
RFC 1765 OSPF Database Overflow
RFC 1587 The OSPF NSSA Option
RFC 2370 The OSPF Opaque LSA Option
BGP4
RFC 1771 A Border Gateway Protocol 4 (BGP-4)
RFC 1745 BGP4/IDRP for IP---OSPF Interaction
RFC 1965 Autonomous System Confederations for BGP
RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option
RFC 2796 BGP Route Reflection - An Alternative to Full
Management - SNMP & MIBs
RFC 1157 Simple Network Management Protocol (SNMP)
RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 1215 Convention for defining traps for use with the SNMP
RFC 2573 Simple Network Management Protocol (SNMP) Applications
RFC 1901 Introduction to Community-based SNMPv2
RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 1902 Structure of Management Information for Version
Glossary
A
ABR: Area border router. In OSPF, an ABR has interfaces in multiple areas, and it is responsible for exchanging summary advertisements with other ABRs.
ACL: Access Control List. ACLs are a mechanism for filtering packets at the hardware level. Packets can be classified by characteristics such as the source or destination MAC, IP addresses, IP type, or QoS queue. Once classified, the packets can be forwarded, counted, queued, or dropped.
A (continued)
ASBR: Autonomous system border router. In OSPF, an ASBR acts as a gateway between OSPF and other routing protocols or other ASs.
autobind: In STP, autobind, when enabled, automatically adds or removes ports from the STPD. If ports are added to the carrier VLAN, the member ports of the VLAN are automatically added to the STPD. If ports are removed from the carrier VLAN, those ports are also removed from the STPD.
autonegotiation: As set forth in IEEE 802.
B (continued)
blackholing: In the Extreme Networks implementation, you can configure the switch so that traffic is silently dropped. Although this traffic appears as received, it does not appear as transmitted (because it is dropped).
BOOTP: Bootstrap Protocol. BOOTP is an Internet protocol used by a diskless workstation to discover its own IP address, the IP address of a BOOTP server on the network, and a file that can be loaded into memory to boot the machine.
C (continued)
CLI: Command line interface. You use the CLI to monitor and manage the switch.
cluster: In BGP, a cluster is formed within an AS by a route reflector and its client routers.
control VLAN: In EAPS, the control VLAN is a VLAN that sends and receives EAPS messages. You must configure one control VLAN for each EAPS domain.
CRC: Cyclic redundancy check. This simple checksum is designed to detect transmission errors.
D (continued)
DHCP: Dynamic Host Configuration Protocol. DHCP allows network administrators to centrally manage and automate the assignment of IP addresses on the corporate network. DHCP sends a new IP address when a computer is plugged into a different place in the network. The protocol supports static or dynamic IP addresses and can dynamically reconfigure networks in which there are more computers than there are available IP addresses.
DiffServ: Differentiated Services.
E (continued)
EDP: Extreme Discovery Protocol. EDP is a protocol used to gather information about neighbor Extreme Networks switches. Extreme Networks switches use EDP to exchange topology information.
EEPROM: Electrically erasable programmable read-only memory. EEPROM is a memory that can be electronically programmed and erased but does not require a power source to retain data.
EGP: Exterior Gateway Protocol.
E (continued)
ESRP groups: An ESRP group runs multiple instances of ESRP within the same VLAN (or broadcast domain). To provide redundancy at each tier, use a pair of ESRP switches on the group.
ESRP instance: You enable ESRP on a per-domain basis; each domain on which ESRP is enabled is an ESRP instance.
ESRP VLAN: A VLAN that is part of an ESRP domain, with ESRP enabled, is an ESRP VLAN.
Ethernet: This is the IEEE 802.
G (continued)
Gigabit Ethernet: This is the networking standard for transmitting data at 1000 Mbps or 1 Gbps. Devices can transmit at multiples of gigabit Ethernet as well.
H
HA: Host Attach. In ExtremeWare XOS software, HA is the part of ESRP that allows you to connect active hosts directly to an ESRP switch; it allows configured ports to continue Layer 2 forwarding regardless of their ESRP status.
I (continued)
IP: Internet Protocol. The communications protocol underlying the Internet, IP allows large, geographically diverse networks of computers to communicate with each other quickly and economically over a variety of physical links; it is part of the TCP/IP suite of protocols. IP is the Layer 3, or network layer, protocol that contains addressing and control information that allows packets to be routed.
L (continued)
Layer 2: Layer 2 is the second, or data link, layer of the OSI model, or the MAC layer. This layer is responsible for transmitting frames across the physical link by reading the hardware, or MAC, source and destination addresses.
Layer 3: Layer 3 is the third layer of the OSI model. Also known as the network layer, Layer 3 is responsible for routing packets to different LANs by reading the network address.
LSA: Link state advertisement.
M (continued)
member VLAN: In ESRP, you configure zero or more member VLANs for each ESRP domain. A member VLAN can belong to only one ESRP domain. The state of the ESRP device determines whether the member VLAN is in forwarding or blocking state.
MIB: Management Information Base. MIBs make up a database of information (for example, traffic statistics and port settings) that the switch makes available to network management systems.
N
neutral state/switch: In ESRP, the neutral state is the initial state entered by the switch. In a neutral state, the switch waits for ESRP to initialize and run. A neutral switch does not participate in ESRP elections.
NLRI: Network layer reachability information. In BGP, the system sends routing update messages containing NLRI to describe a route and how to get there.
O (continued)
OSI reference model: The 7-layer standard model for network architecture is the basis for defining network protocol standards and the way that data passes through the network. Each layer specifies particular network functions; the highest layer is closest to the user, and the lowest layer is closest to the media carrying the information.
P (continued)
PMBR: PIM multicast border router. A PMBR integrates PIM-DM and PIM-SM traffic.
policy files: You use policy files in ExtremeWare XOS to specify ACLs and policies. A policy file is a text file (with a .pol extension) that specifies a number of conditions to test and actions to take. For ACLs, this information is applied to incoming traffic at the hardware level.
Q
QoS: Quality of Service. Policy-enabled QoS is a network service that provides the ability to prioritize different types of traffic and to manage bandwidth over a network. QoS uses various methods to prioritize traffic, including IEEE 802.1p values and IP DiffServ values.
R
RADIUS: Remote Authentication Dial In User Service.
R (continued)
route aggregation: In BGP, you can combine the characteristics of several routes so they are advertised as a single route, which reduces the size of the routing tables.
route flapping: A route is flapping when it is repeatedly available, then unavailable, then available, then unavailable. In the ExtremeWare XOS BGP implementation, you can minimize route flapping using the route flap dampening feature.
S (continued)
STP: Spanning Tree Protocol. STP is a protocol, defined in IEEE 802.1D, used to eliminate redundant data paths and to increase network efficiency. STP allows a network to have a topology that contains physical loops; it operates in bridges and switches. STP opens certain paths to create a tree topology, thereby preventing packets from looping endlessly on the network.
T (continued)
TCN: Topology change notification. The TCN is a timer used in RSTP that signals a change in the topology of the network.
TCP: Transmission Control Protocol. Together with Internet Protocol (IP), TCP is one of the core protocols underlying the Internet. The two protocols are usually referred to as a group, by the term TCP/IP.
V (continued)
virtual router MAC address: In VRRP, RFC 2338 assigns a static MAC address for the first five octets of the VRRP virtual router. These octets are set to 00-00-5E-00-01. When you configure the VRRP VRID, the last octet of the MAC address is dynamically assigned the VRID number.
VLAN: Virtual LAN. The term VLAN is used to refer to a collection of devices that communicate as if they are on the same physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN.
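Because the virtual router MAC address is fixed by RFC 2338 apart from its last octet, a VRRP virtual router can be recognised from any ARP or FDB listing, which is useful when auditing which gateway addresses are actually backed by a redundancy group. The following Python block is an added example, not code from the guide or from Extreme Networks: it builds the virtual MAC from a VRID, recovers the VRID from a MAC seen on the wire, and scans a constructed ARP-cache listing to group gateway IP addresses by VRID. The 1-255 VRID range is taken from RFC 2338 (the page does not state it), and the listing format and its entries are constructed for the example.

```python
"""VRRP virtual router MAC addresses (added illustration, not guide code)."""
import re
from typing import Dict, List, Optional, Tuple

# First five octets of every VRRP virtual router MAC (RFC 2338): 00-00-5E-00-01.
VRRP_MAC_PREFIX = (0x00, 0x00, 0x5E, 0x00, 0x01)


def vrrp_virtual_mac(vrid: int, sep: str = "-") -> str:
    """Return the virtual router MAC for a VRID, e.g. 00-00-5E-00-01-0A for VRID 10."""
    if not 1 <= vrid <= 255:                       # VRID range per RFC 2338 (assumption here)
        raise ValueError(f"VRID must be 1-255, got {vrid}")
    return sep.join(f"{octet:02X}" for octet in VRRP_MAC_PREFIX + (vrid,))


def parse_mac(mac: str) -> Tuple[int, ...]:
    """Accept 00-00-5e-00-01-0a, 00:00:5e:00:01:0a or 0000.5e00.010a; return six octets."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return tuple(int(digits[i:i + 2], 16) for i in range(0, 12, 2))


def vrrp_vrid(mac: str) -> Optional[int]:
    """Return the VRID if the MAC is a VRRP virtual router address, otherwise None."""
    octets = parse_mac(mac)
    if octets[:5] == VRRP_MAC_PREFIX and octets[5] != 0:   # last octet 00 is not a valid VRID
        return octets[5]
    return None


# Constructed ARP-cache listing; the column layout is an assumption, not switch output.
SAMPLE_ARP = """\
IP address      MAC address         VLAN
10.0.1.254      00:00:5e:00:01:0a   mgmt
10.0.1.1        00:11:22:33:44:55   mgmt
10.0.2.254      00:00:5e:00:01:0a   users
10.0.3.254      00:00:5e:00:01:ff   users
"""


def find_virtual_routers(arp_listing: str) -> Dict[int, List[Tuple[str, str]]]:
    """Group the (IP, VLAN) pairs that resolve to a VRRP virtual MAC by VRID."""
    found: Dict[int, List[Tuple[str, str]]] = {}
    for line in arp_listing.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        ip, mac, vlan = fields[0], fields[1], fields[2]
        vrid = vrrp_vrid(mac)
        if vrid is not None:
            found.setdefault(vrid, []).append((ip, vlan))
    return found


if __name__ == "__main__":
    print(vrrp_virtual_mac(10))
    for vrid, members in sorted(find_virtual_routers(SAMPLE_ARP).items()):
        print(f"VRID {vrid}: {members}")
```

Note that the same VRID can legitimately appear on more than one VLAN, since a VRID is only unique within one LAN; the example keeps the VLAN beside each address so that two virtual routers sharing VRID 10 on different VLANs are not mistaken for one.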
V (continued)
VRRP: Virtual Router Redundancy Protocol. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the master router, and forwards packets sent to these IP addresses. The election process provides dynamic failover in the forwarding responsibility should the master router become unavailable.