Ridgeline Concepts and Solutions Guide
Software Version 3.0

Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com

Published: February 2011
Part Number: 100396-00 Rev.
Preface

This preface provides an overview of this guide, describes guide conventions, and lists other useful publications.

Introduction

This guide provides the required information to use the Ridgeline software.
Conventions

Table 1 and Table 2 list conventions that are used throughout this guide.

Table 1: Notice Icons
Icon / Notice Type / Alerts you to...
Note: Important features or instructions.
Caution: Risk of unintended consequences or loss of data.
Warning: Risk of permanent loss of data.

Table 2: Text Conventions
Convention / Description
Screen displays: This typeface represents information as it appears on the screen.
Related Publications

The Ridgeline documentation set includes the following:
● Ridgeline Reference Guide
● Ridgeline Concepts and Solutions Guide (this guide)
● Ridgeline Installation and Upgrade Guide
● Ridgeline Release Notes
● Ridgeline License Agreement

Both the Ridgeline Reference Guide and the Ridgeline Concepts and Solutions Guide can be found online in Adobe Acrobat PDF format in the docs subdirectory of the Ridgeline installation directory. You must have Adobe Acrobat Reader version 5.
Chapter 1: Ridgeline Overview

This chapter describes:
● The features of the Ridgeline™ software
● The Ridgeline software architecture and components
● Overview of Ridgeline switch management

Introduction

Today's corporate networks commonly encompass hundreds or thousands of systems, including individual end user systems, servers, network devices such as printers, and internetworking systems.
environments. Ridgeline’s open architecture accommodates a multi-vendor, service-rich environment that enables voice-class availability and the enforcement of robust security policies.
● Operational Simplicity. Simplicity begins with a detailed real-time view of the entire network. Ridgeline’s maps provide users with an overview of every element of the network and how they all connect at Layer 2 and Layer 3.
● Support for third-party devices. Any device running a MIB-2 compatible SNMP agent can be discovered by Ridgeline and monitored at a basic level. These devices can appear on a topology map, with basic status and alarm handling based on MIB-2 functionality.
● Manage large numbers of devices. Ridgeline server can manage up to 2000 devices with a single installation of the Ridgeline software. For even larger networks, you can split the management task among several Ridgeline servers in a distributed server mode that lets you monitor the status of those servers from a single client.
● VPLS discovery and visualization.
Network Views

Ridgeline’s Network Views provide at-a-glance information about the devices, device groups, and port groups in your network. You can display summary information about the devices or ports, links between devices, VLANs, and EAPS domains, and you can select individual devices in tables or maps to view detailed information about them.
Fault detection is based on SNMP traps, RMON traps, Syslog messages, and some limited polling. The Alarm Manager supports SNMP MIB-2 and the Extreme Networks private MIB. You can also configure alarms based on certain event thresholds, or on the content of Syslog messages. When an alarm occurs you can specify actions such as sending e-mail, forwarding a trap, running a program, running a script, sending a page, or sounding an audible alert.
Ridgeline Reports

Ridgeline Reports are HTML pages that can be accessed separately from the main Ridgeline user interface, without logging on to Ridgeline. Ridgeline reports do not require Java, so reports can be loaded quickly, even over a dial-up connection, and can be viewed on systems that cannot run the Ridgeline client. Reports can be printed using your browser’s Print function.
EAPS Monitoring and Configuration Verification

Ethernet Automatic Protection Switching (EAPS) provides “carrier-class” network resiliency and availability for enterprise networks. Ridgeline monitors EAPS rings from Network Views. You can identify and display the status of EAPS rings, including Master and Transit nodes, link status, and a variety of status information. Detailed status information is provided in multiple tables for domains, devices and links.
Figure 1 illustrates the architecture of the Ridgeline software.

Figure 1: Ridgeline Software Architecture

Extreme Networks Switch Management

Ridgeline primarily uses the Simple Network Management Protocol (SNMP) to monitor and manage the devices in the network. The Ridgeline server periodically does a status poll of the devices it is managing to determine if the devices are still accessible. It also does a full detailed poll of each device at longer intervals.
The Remote Monitoring (RMON) MIB

Ridgeline can use statistics gathered from the Remote Monitoring (RMON) MIB to provide utilization statistics on a port-by-port basis, if RMON is supported and enabled on the Extreme devices Ridgeline is managing. Utilization and error statistics can be displayed within the Real-Time Statistics application, which provides a number of chart, graph, and tabular display formats.
Optionally, you can use SSH2 instead of Telnet to communicate with Extreme Networks devices. This requires that you run a version of ExtremeWare or ExtremeXOS that supports SSH. You can disable Telnet polling if necessary through the Server Properties for Devices in Ridgeline Administration. However, you will lose the ability to collect edge port information via FDB polling, as well as netlogin information.
Chapter 2: Getting Started with Ridgeline

This chapter covers how to use some of the basic features of the Ridgeline system:
● Starting Ridgeline
● How to get help
● Working with Ridgeline windows
● Ridgeline user roles
● Adding devices to Ridgeline
● Using Network Views
● Displaying device inventory information
● Viewing device properties
● Opening a Telnet session to a device from Ridgeline
● Managing device configurations and firmware
● Using the Ridgeline Alarm Manager
● Using B
Starting the Ridgeline Server

The Ridgeline Server consists of two components:
● The Ridgeline Database Server
● The Ridgeline Server

Both components must be running in order to run the Ridgeline client. In a Windows environment, the Ridgeline server components are installed as services. By default, the two Ridgeline Server components will start automatically when you boot the server. At installation, you can optionally specify that the components be started manually.
To launch the Ridgeline Client, you need to have the following information:
● The name or IP address of the Ridgeline Server to which the Client should connect
● The HTTP port that the Client uses to communicate with the server (the default is 8080). This is the HTTP port you entered when you installed the Ridgeline Server.

To launch the Ridgeline Client, do the following:
1 Launch your web browser.
5 Ridgeline checks if your system is running the correct version of the Java plug-in. If you are not running the correct version, you are directed to a page where you can download the correct version. If you are running the correct version of the Java plug-in, the Ridgeline Client software is downloaded from the Ridgeline Server and installed on the local system.
6 After the software is downloaded, you are prompted whether you want to run the application.
Getting Help

This guide provides an overview of the Ridgeline software features with the goal of showing how you can use Ridgeline to simplify your network management tasks and help you solve problems with your network or its devices. It does not provide a detailed explanation of how to use the features of the software. For detailed help on specific features, Ridgeline provides context-sensitive online Help, accessible through the Help menu located in the Ridgeline menu bar.
Figure 5: Components of the Ridgeline User Interface (Network Views Window) (callouts: Menu Bar, Icon Bar, Tabbed Windows, Map View, Device Details Frame, Folders, Navigation Frame, Navigation Table)

The main components of the Ridgeline user interface are the following:
Menu Bar: Options and commands available in Ridgeline. The items shown in the menu bar vary based on the folder that is selected in the Navigation Frame.
Modifying Table Views

Much of the information displayed in Ridgeline is in tabular format. You can sort the rows in a table, modify the table column size, move columns around in a table, and remove columns from a table.

Sorting Table Rows

You can sort the rows of a columnar display according to the contents of any individual column. To sort the rows, click on the column heading you want to use as the sort criteria. Click once to sort in ascending order; click a second time to reverse the sort order.
Moving Tabbed Windows in Ridgeline

Tabbed windows in Ridgeline are dockable, which means that you can move them to new locations in the main Ridgeline window. To move a window to a new location, do the following:
1 Place the cursor over the tab of the window you want to move.
2 Click and hold the left mouse button to “grab” the window.
3 Drag the window to a new location.
4 Release the left mouse button.
Using Discovery

When you first install Ridgeline, the device inventory is empty. The easiest way to populate the inventory database is to use the Discovery feature (select New > Discover device from the File menu) to automatically detect the devices on your network. With Discovery you can:
● Search for devices by specific IP addresses or ranges of IP address, including using wildcard search parameters to specify the IP address sets you want to query.
Figure 8: Results of a discovery

To add devices to the database, select the set of devices you want to add and click the Add button.
Figure 9: Adding Devices to Ridgeline Individually

Ridgeline pre-fills the fields in the window with the default communication information—you can change it as appropriate.

Setting Up Default Device Contact Information

For simplicity in managing multiple devices in large networks, administrators typically use the same logins, passwords, community strings and so on, for multiple devices.
Using Network Views

After you add devices to Ridgeline, they appear in Ridgeline Network Views. Network Views provide at-a-glance displays of the devices, device groups, ports, and port groups in your network. You can view summary information about the devices or ports, links between devices, VLANs, and EAPS domains, and you can select individual devices in tables or maps to view detailed information about them. Figure 10 shows an example of a Ridgeline Network Views display.
The table has the following tabs:
Devices: Displays information about the devices in the device group. Clicking on a device in the table displays additional information about the selected device in the details window, and also highlights the device’s icon in the Map View.
Links: Displays information about all of the links between the devices in the device group, including automatically detected and user-defined links. Clicking on a link highlights the link in the Map View.
The status of items in Network Views is displayed graphically, with icons indicating the operational condition of devices or ports, and lines indicating the state and traffic level of links between devices. A bell icon shows the highest alarm level for devices or groups.
Figure 13: Network Topology Map View

A network topology map is a graphical representation of a device group. In Network Views, you have the option of selecting the Map View of the device group, which causes Ridgeline to generate a network topology map, populated with the devices in the group. Ridgeline also adds any links that exist between the device nodes, and organizes them into submaps as appropriate.
To display the Device Inventory for a device, click on the device’s row in the Devices table, then select Inventory from the Device menu. This display shows additional information that Ridgeline has gathered from the switch agent.

Figure 14: Device Inventory Window

You can click on the slots and ports in the Panel View to display additional information about the selected item.

Viewing Device Properties

You can view the properties of a device in Ridgeline.
Figure 15: Device Properties window

The Device Properties window displays a set of tabs at the top of the window, depending on the type and configuration of the device. The following tabs may appear:
● Device
● Network Clients
● Syslog Messages

Each tab displays the name of the device and a status “light” which shows the status of the device as detected by the Ridgeline software. For details about the information displayed on these tabs, see the Ridgeline Reference Guide or the online Help.
Figure 16: Ridgeline Telnet Window

The Ridgeline Telnet window is a two-tone window—the bottom of the window is white, the top is gray. The last 25 lines of Telnet commands and responses always appear in the white portion of the window. As output grows, the older lines scroll up into the gray portion of the screen. This makes it easy to tell whether you are viewing the most recent Telnet output.
The file name is in the format --
Figure 17: Configure TFTP Server

Use the cursor to scan the entire path to the TFTP directory. If the server uses the default system TFTP server, the path is /opt/ExtremeNetworks/RidgelineServiceAdvisor2.0EPICenter7.1_web/user.war/tftp. Log into the server to retrieve the .tgz files using the protocol that the server requires, Telnet or SSH.
Using the Ridgeline Alarm Manager

The Ridgeline Alarm Manager provides fault detection and alarm handling for the network devices monitored by Ridgeline. This includes Extreme devices as well as some third-party devices—those that Ridgeline can include in its database.
for Use With Ridgeline” on page 309 for information on registering Ridgeline as a trap receiver on non-Extreme devices.

The Alarm Log Browser

You use the Alarm Log Browser to view a summary of the alarms that have occurred among the devices you are managing. An alarm can be generated due to an SNMP or RMON trap, a syslog message, or based on the results of a poll.
reports by logging directly into the Reports feature from a browser, without running the Ridgeline client: just select the Log on to Reports only link from the Ridgeline Welcome page. Figure 19 shows a few of the reports you can view through the Reports feature.

Figure 19: Examples of Ridgeline reports

Most reports can be sorted in a number of ways, and many reports can be filtered to display only the data of interest, based on the types of information shown in the report.
In addition to the Network Summary Report, Ridgeline provides the following reports and tools:

Table 3: Ridgeline Reports
Report Category / Report Name / Description
Main
• Extreme eSupport Export: Exports Ridgeline data for use by Extreme technical support. Accessible from the Main reports page.
Network Summary Report
• Network Summary Report: Summary status of the network, as well as version and patch information about the Ridgeline server.
Table 3: Ridgeline Reports (continued)
Report Category / Report Name / Description
Client Reports
• Network Login: List of network login activity by device
• Current Clients (Wireless Client History Report): List of all current wireless clients detected, regardless of client state.
• Client History: Historical presentation of activity by wireless client
• Spoofed Clients (Device Details, Wireless Port Details): List of clients with the same MAC address detected on different wireless interfaces.
Chapter 3: Organizing Devices and Ports Into Groups

This chapter describes how you can use the Ridgeline grouping feature to place devices and ports into hierarchical groups.

About Ridgeline Groups

Ridgeline has a powerful grouping feature that allows you to assemble groups of devices and ports, and view information about them or manage them at a group level.
Figure 20: Displaying a Device Group (callouts: Network Views Folder, “All” Device Group, Top-level Group, Subgroup, Group Alarm Status, Port Group, Map View of Group, Table View of Group)

The Network Views folder in the Ridgeline Navigation frame lists the device groups and port groups defined in Ridgeline. By default, a single device group, All, contains all of the devices known to Ridgeline.
Group Membership Guidelines

Groups can contain only one kind of object: ports cannot be members of device groups, and devices cannot be members of port groups. A given device or port can reside in multiple groups in the Network Views folder, but not within the same top-level group hierarchy. For example, you can create a top-level device group called “North America,” with a subgroup “Bay Area” that has a subgroup “Santa Clara Campus”.
Figure 21: New Group Window

2 Enter the name and optional description for the new group.
3 Click the appropriate radio button to specify whether this is a device or port group.
4 Select the location in the Network Views hierarchy where the new group should be placed. Highlight Network Views to make this a top-level group. If other top-level groups exist, highlight one of them to make the new group a subgroup of the highlighted group.
Figure 22: Copy to Device Group Window

4 Select the group in which you want to place the device. Note that a device can be placed in a top-level group hierarchy only once. See “Group Membership Guidelines” on page 53 for more information.
5 Click OK to place the device in the selected group.

Adding Ports to a Port Group

The ports that make up a port group can be either from a single device or from multiple devices.
Figure 23: Device Details Window

3 The Device Details window lists all of the ports on the selected device. Select the ports you want to add to the port group. Use Shift-Click to select a group of ports or Ctrl-Click to select individual ports.
4 After selecting the ports, right-click and select Copy to group from the pop-up menu. The Copy to group window is displayed, as shown in Figure 24. This window lists the port groups that have been created in Ridgeline.
Adding Ports from Multiple Devices to a Port Group

If the port group will contain ports from multiple devices, do the following:
1 From the File menu, select Group > Add Ports to Port Group. The Add to Port Group window is displayed, as shown in Figure 25.

Figure 25: Add to Port Group Window

2 The Add to Port Group window lists the devices in the Ridgeline inventory.
Figure 26: Port Selection Window

5 The port selection window lists all of the ports on all of the devices you selected in the Add to port group window. Select the ports you want to add to the port group. You can use the Filter and Quick Filter boxes to limit the number of ports displayed in the table. Use Shift-Click to select a group of ports or Ctrl-Click to select individual ports.
6 After selecting the ports, click the Add Selected Port(s) to Group button.
To copy or move a group to another group, do the following:
1 In the Network Views folder, select the group you want to copy or move.
2 Right-click and select either Copy to group or Move to group from the pop-up menu. A window is displayed listing the groups that have been created in Ridgeline. By default, just the top-level groups are displayed. To display the subgroups within a top-level group, click the plus sign next to the group name.
Figure 27: Properties Window for a Device Group

3 Add or change information in the Name or Description fields, and click OK to save the changes.

Displaying Group Details

To display details about a group, click on the group’s row in the Table View. Information about the selected group appears in the details frame. If you double-click on the row, the device details are displayed in a separate window, as shown in Figure 28.
Figure 28: Group Details Window

Groups and subgroups within the hierarchy are indicated by a vertical bar (|) character between device group names. For example, “North America | Bay Area” indicates a top-level group “North America” with a subgroup “Bay Area”. In addition, the display lists information about the contents of the group, either ports or devices. You can use the Filter and Quick Filter boxes to limit the contents of the table.
Figure 29: Save As Window

3 Select whether to save only the viewable data (that is, just the filtered data currently shown in the table), or all data for all devices/ports in the group.
4 Click Browse and specify the location and name for the exported file.
5 Click Save to export the group information to the specified location.
Chapter 4: Using Map Views

This chapter describes Ridgeline’s Map View feature and how you can use it to create graphical representations of device groups in your network. It contains the following sections:
● “About Network Topology Maps” on page 63
● “Creating Maps” on page 69

About Network Topology Maps

In Ridgeline, a map view is a graphical representation of a specific device group or the All group.
Figure 30: Map View of a Device Group (callouts: Network Views Folder, Device Group, Map View, Zoom Bar, Device Details, Group Alarm Status, Device Node, Link, Submap Node, Navigation Table, Navigation Box)

The main components of a Ridgeline Map View are the following:
Device Group: A set of devices that have been placed in a Ridgeline group hierarchy. In Ridgeline, you can create groups of ports and devices, although topology maps are supported for device groups only.
Alarm Status: The highest level alarm currently unacknowledged among the devices in the current map or any of its submaps. Devices and submaps within this map that have alarm propagation disabled do not contribute to this status. If the alarm icon has an “X” through it, this means alarm propagation has been disabled for this map, and will not contribute to the alarm status of the next higher-level map.
Device Node: Within the map view, an icon that represents a managed device in the device group.
Subgroup Nodes. A subgroup node represents a child map of the current map. It resembles a folder icon. The subgroup node icon shows the following information:
● The name of the node (submap), which can be edited.
● The subgroup alarm status, indicated by the presence of an alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for any device within the subgroup.
NOTE: For devices with EDP and/or LLDP disabled or not supported, you can manually add user-defined links to the map to represent connectivity between devices. They are not updated when the map topology changes. The behavior of the system-discovered links described in the following paragraphs does not apply to user-defined links.

When a discovered link connects two devices on the same map, the link will be annotated with the port number, or slot and port number for each of the endpoints.
NOTE: Ridgeline does not support load sharing on devices running ExtremeXOS.

Navigating Maps

To move around in the map, you can do the following:
● Use the Zoom bar to zoom in or out of an area of the map
● Use the Navigation box to move to a section of a map
● Click in the Map view and drag so that the section appears in the display

Zooming In and Out on a Map

To zoom in the current map, do one of the following:
● Select Zoom in from the Map menu.
Figure 31: Navigation Box in a Map View (callouts: Arrow Icon, Navigation Box; drag the smaller box to move around the map)

Use the smaller box within the Navigation Box to move around a large map. Click the arrow icon to display or hide the Navigation Box in the Map View.
Creating a Map for a Device Group

Since a map is a graphical representation of a device group, the first step in creating a topology map is to create a device group. See Chapter 3, “Organizing Devices and Ports Into Groups” for information about creating device groups. To create a topology map for a device group, do the following:
1 In the Network Views folder, select a device group. (Topology maps are not available for port groups or the All group.)
alarm icon (small bell). The alarm status shows the highest level alarm currently unacknowledged for the device. The color of the bell indicates the severity of the alarm. You can also specify how information is displayed for the devices on the map. Each kind of device information (alarm status, device name, IP address, device annotation) can be shown with the device icon at all zoom levels, not at all, or at relevant zoom levels.
To create a user-defined link, do the following:
1 Display the map for the device group by clicking on the Map tab at the bottom of the Ridgeline window.
2 From the File or the Map menu, select New > Link, or select two devices and right-click in the map view and select New > Link from the pop-up menu. The New Link window is displayed, as shown in Figure 33.
To remove the inactive links for all the devices in all device groups:
● From the Map menu, select Clear inactive links from > All devices.

Adding Graphic Elements to the Map

In addition to devices, links, and background images, you can add other graphic elements to the map to represent objects not managed by Ridgeline. These elements include:
● Decorative Nodes. Decorative nodes represent any type of node that is not discovered or managed by Ridgeline, such as a server or workstation.
Adding a Device Annotation

A device annotation is a single line of text that can be placed with a device icon to enhance its description. The device annotation, if configured, appears only with the device icon on the map; it does not appear in any other view. To add a device annotation, do the following:
1 Select the device in the map view.
2 From the Map menu, select Device annotation, or right-click the device in the map view and select Device annotation from the pop-up menu.
Deleting Maps

To delete the maps for a device group, do the following:
1 In the Ridgeline Administration folder, click Optimization. Ridgeline displays a table of the top-level device groups that have topology maps defined, as shown in Figure 37.

Figure 37: Selecting Maps to Delete from the Optimization Folder

The table displays the name of each top-level group, the description (if one is configured), and the number of maps in the group and subgroups.
Using Map Views Ridgeline Concepts and Solutions Guide 76
Chapter 5: Provisioning Network Resources

Ridgeline’s network resource provisioning feature simplifies network configuration tasks by allowing you to specify devices, ports, and parameters using options in lists in dialog boxes. Ridgeline automatically validates the options you’ve selected against its configuration rules prior to deploying the configuration to managed devices, so that rule violations are caught before the configuration goes into production.
1 Under Network Views, select the folder containing the devices you want to configure. 2 In the Navigation Table, or the Map View (if displayed), click on the devices to select them. For a VLAN, you can select one or more switches, links, or ports.
3 From the Services menu, select New > VLAN, or right-click in the Navigation Table and select VLAN from the pop-up menu. The VLAN Provisioning window is displayed, as shown in Figure 39. Figure 39: VLAN Provisioning Window In the VLAN provisioning window, the selected devices automatically appear in the Available devices table. If the switch software running on a device does not support the feature you are configuring, it is greyed-out in the Available devices table.
Figure 40: Progress and Results Window for VLAN Provisioning Tasks (callouts: validating command syntax and checking software compatibility; verifying connectivity to the selected devices; deploying the commands on the devices; updating the device information in the database; the validation rules or commands entered on the device for the selected task)

8 Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are r
3 Right-click in the Navigation Table and select the setting you want to modify from the pop-up menu. For a VLAN, you can edit the list of ports or links in the VLAN, as well as the name and network name of the VLAN. You can also delete the VLAN from the devices where it is configured. Figure 41: Selecting a VLAN to Modify 4 If you select Properties from the pop-up menu, the Properties window for the VLAN is displayed, which provides a list of settings you can modify.
Figure 42: VLAN Properties Window 5 Click the setting you want to modify to bring up the provisioning window for that setting. For example, Figure 43 shows the provisioning window for a VLAN port list. Figure 43: Provisioning Window for a VLAN Port List 6 Make any necessary changes to the VLAN configuration. 7 When you have finished modifying the VLAN, click the Save changes button to validate and deploy the changes to the VLAN.
Troubleshooting for Provisioning Tasks Ridgeline’s provisioning interface makes it easy to identify errors in network configuration and correct them. You can click on any of the tasks in the Progress and Results window and display additional information about the validation rules or CLI commands executed for the selected task. If a validation task is unsuccessful, Ridgeline flags the task in the Progress and Results window.
NOTE Only one provisioning request can be processed on the Ridgeline server at a time. If you attempt to make multiple provisioning requests at the same time, such as simultaneously from two different Ridgeline clients, an error message is displayed. Viewing Logged Information about Provisioning Tasks Ridgeline logs information about the provisioning tasks it has performed on managed devices. You can view this information in the Ridgeline Audit Log.
You can double-click a row in the table to display the progress and results details in a separate window. Figure 46: Audit Log Details Window for a Provisioning Task See the Ridgeline Reference Guide for more information about the features of the Audit Log.
Chapter 6: Managing Ethernet Services

An Ethernet service is a method for provisioning Ethernet connectivity over a wide-area or Metro Ethernet network. Ethernet services can provide customers with point-to-point or multipoint-to-multipoint Ethernet connectivity across a service provider’s network. Service providers set up Ethernet services for their customers at User Network Interface (UNI) ports connecting customer equipment to their network.
Figure 47: E-Line Service (point-to-point): customer equipment at each end attaches to a UNI port, and the transport method across the service provider network can be VLAN, VMAN, or BVLAN

When Ridgeline provisions an E-Line service, it also adds the VLAN, VMAN, or PBB BVLAN to an EAPS domain on the devices where the VLAN/VMAN/BVLAN is configured. E-LAN Service An E-LAN service is a multipoint-to-multipoint EVC, as illustrated in Figure 48.
Bandwidth Profiles By default, an E-Line or E-LAN service provides best-effort service for customer traffic on the UNI ports. In some cases, such as when the UNI ports in an Ethernet service have different line rates, you can specify bandwidth profiles and apply them to the UNI ports. A bandwidth profile can specify values for Committed Information Rate (CIR), Committed Burst Size (CBS), Excess Information Rate (EIR), Excess Burst Size (EBS), and single/dual-rate profile settings.
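The four bandwidth profile parameters above describe a two-rate, two-bucket meter. The following Python sketch is an added example, not Ridgeline or ExtremeXOS code, showing how such a profile classifies frames: a committed bucket of size CBS refilled at CIR and an excess bucket of size EBS refilled at EIR; a frame that fits the committed bucket is green, one that fits only the excess bucket is yellow, and anything else is red. It models the colour-blind form of the meter (no coupling flag, no pre-coloured input), and the rates, burst sizes and frame sequence in `demo_burst` are constructed values chosen to make the transitions visible. A profile with EIR and EBS of zero behaves as the single-rate profile mentioned above.

```python
"""Two-rate token-bucket bandwidth profile (CIR/CBS/EIR/EBS).

Added example, not Ridgeline or ExtremeXOS code. Rates are in bit/s,
burst sizes and frame lengths in bytes, time in seconds.
"""


class BandwidthProfile:
    """Colour-blind dual-rate meter: green if the frame fits the committed
    bucket, yellow if it fits only the excess bucket, otherwise red."""

    def __init__(self, cir, cbs, eir=0, ebs=0):
        if cir < 0 or eir < 0 or cbs < 0 or ebs < 0:
            raise ValueError("rates and burst sizes must be non-negative")
        self.cir, self.cbs = cir, cbs
        self.eir, self.ebs = eir, ebs
        self._tc = float(cbs)    # committed bucket starts full
        self._te = float(ebs)    # excess bucket starts full
        self._last = 0.0         # time of the previous refill

    @property
    def single_rate(self):
        # EIR/EBS of zero leave no excess capacity: every frame over CBS is red
        return self.eir == 0 and self.ebs == 0

    def _refill(self, now):
        elapsed = max(0.0, now - self._last)   # ignore a clock that steps back
        self._last = max(self._last, now)
        self._tc = min(self.cbs, self._tc + self.cir / 8.0 * elapsed)
        self._te = min(self.ebs, self._te + self.eir / 8.0 * elapsed)

    def meter(self, length, now):
        """Classify one frame of `length` bytes arriving at time `now`."""
        self._refill(now)
        if length <= self._tc:
            self._tc -= length
            return "green"
        if length <= self._te:
            self._te -= length
            return "yellow"
        return "red"


def run_frames(profile, frames):
    """Meter a list of (arrival_time, length) pairs; return the colour of each
    frame and a count per colour."""
    colours = [profile.meter(length, t) for t, length in frames]
    counts = {c: colours.count(c) for c in ("green", "yellow", "red")}
    return colours, counts


# Constructed demonstration: 8 kbit/s (1000 byte/s) committed and excess
# rates with 1500-byte buckets, hit by a burst of three 1000-byte frames
# at t=0 and a fourth frame one second later.
DEMO_FRAMES = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]


def demo_burst(eir=8000, ebs=1500):
    profile = BandwidthProfile(cir=8000, cbs=1500, eir=eir, ebs=ebs)
    return run_frames(profile, DEMO_FRAMES)


if __name__ == "__main__":
    print(demo_burst())          # dual-rate profile: green, yellow, red, green
    print(demo_burst(0, 0))      # single-rate profile: no yellow at all
```

In the dual-rate run the first frame drains the committed bucket, the second is carried as excess (yellow), the third exceeds both buckets (red), and after one second of refill the fourth is green again; with EIR and EBS at zero the second and third frames are simply dropped as red, which is the practical difference between the single- and dual-rate settings.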
Figure 49: E-Line Service Provisioning Window 2 Enter a name for the new E-Line or E-LAN service. 3 Optionally, enter a description for the service. 4 Select the customer who will be using this service. See “Creating a Customer Profile” on page 95 for information about adding a customer to this list. 5 Select the transport type to be used with this service: 802.1Q (VLAN), 802.1ad (PB/VMAN), or 802.1ah (PBB). 6 Select the UNI ports for this service.
Figure 50: Traffic Mapping Options for an Ethernet service (VLAN or VMAN Transport Type)
Figure 51: Traffic Mapping Options for an Ethernet service (PBB BVLAN Transport Type) 8 In the Traffic Mapping box, select the VLAN, VMAN, or BVLAN that will be used as the transport method for the service. Ridgeline automatically populates the list box with the available VLANs, VMANs, or BVLANs. ● For VLANs, specify whether traffic is tagged or untagged for both UNI ports, or for a selected UNI port.
Figure 52: Validation Window for an Ethernet Service 13 If the validation is successful, click Create Ethernet Service to deploy the service to the target devices. Otherwise, click Back to go back to the previous screen and modify the settings.
Figure 53: Provisioning Window for an Ethernet Service 14 After Ridgeline successfully validates the selected options, it verifies network connectivity to the target switches. If a connection can be established to all of the target switches, Ridgeline deploys the configuration commands, then saves the configuration file on each switch. Finally, Ridgeline updates its own database with information about the configuration changes on the switches.
3 If you select Properties from the pop-up menu, the Properties window for the Ethernet service is displayed, which provides a list of settings you can modify. Figure 54: Ethernet Service Properties Window 4 Click the setting you want to modify to bring up the provisioning box for that setting. For example, Figure 55 shows the provisioning box for the Ethernet service name and description.
Figure 56: Customer Profile Configuration Window 2 Click New to create a new customer profile, or select an existing profile and click Edit. Figure 57: Customer Settings Window 3 In the Customer Settings window, enter a name for the customer, and optionally specify a description, address, contact, and fax number. When you are done, click Add (for a new customer profile) or Modify (for an existing customer profile).
Figure 58: Bandwidth Profile Configuration Window 2 Click New to create a new bandwidth profile, or select an existing profile and click Edit.
4 When you are done, click Add (for a new bandwidth profile) or Modify (for an existing bandwidth profile). 5 After you create a bandwidth profile, you can apply it to the UNI ports in Ethernet services. See “Modifying an Ethernet Service” on page 94. Viewing Ethernet Services Information You can display information about E-Line and E-LAN services from the All map or All table, or from the Services view under Network Views.
Figure 61: E-LAN Service Selected in a Map View Information about the selected Ethernet service appears in the Details panel. You can double-click on the row in the Services table to display the information in a separate window. See “Displaying Ethernet Service Details” on page 100 for information on what this panel contains. Using the Services View The Services view displays information about the E-Line and E-LAN services known to Ridgeline.
Figure 62: Services View (callouts: Services Table, Map Panel, Details Panel)

Displaying Ethernet Service Details To display details about an E-Line or E-LAN service, click on a row in the Services table. Information about the selected Ethernet service appears in the details window. If you double-click on the row, the Ethernet service details are displayed in a separate window, as shown in Figure 63.
Figure 63: E-Line Service Details Window
Chapter 7: Importing Services

This chapter describes using Ridgeline service reconciliation to import the following services: ● Import E-Line Services ● Import E-LAN Services Importing E-Line and E-LAN Services NOTE It is best not to perform provisioning-related operations on Ridgeline while you are importing services. To import an E-Line or E-LAN service, do the following: 1 On the menu bar, go to Services>Import>E-Line.
Figure 64: E-Line Wizard Information Input Screen 2 Enter a name for the new E-Line or E-LAN service. See Figure 64. 3 Enter a description for the service. This is optional. 4 Select the customer who is using the service. Refer to “Creating a Customer Profile” on page 118 for information about adding a customer to this list.
Figure 65: E-Line/E-LAN Wizard Dialog Box - Enter Name of New Service 5 Choose the Transport type you want to use in this service from the drop-down list: ● 802.1Q (VLAN) ● 802.1ad (PB/VMAN) ● 802.1ah (PBB) 6 Click Next. If you select VLAN as the transport type, the dialog opens and asks: What is the VLAN used in the service? See Figure 66. A list of the VLANs available in Ridgeline is shown in the 802.1Q (VLAN) drop-down list in the Traffic mapping section of the dialog box. 7 Choose the appropriate VLAN.
Figure 66: UNI Port Selection Dialog (Transport Type - VLAN) 9 Click Validate if you chose VLAN as the transport type; then go to step 14. 10 If you select PBB as the transport type, the dialog opens asking: What are the BVLANs, ISIDs, and SVLANs/CVLANs used in the service? See Figure 67. Ridgeline shows a list of Available BVLANs in the 802.1ah (PBB) drop-down list in the Traffic mapping section of the dialog box.
Figure 67: UNI Port Selection Dialog Box (Transport Type - PB/VMAN) Figure 68: UNI Port Selection Dialog Box (Transport Type - PBB) 13 When you finish adding UNI ports, click Validate to start the validation process. You have two validation options: ● By default (that is, with the check box not selected), Ridgeline validates the settings you select for the Ethernet service, then gives you the option to import the service to the database.
14 If the validation is successful, click Import E-Line or E-LAN Service to import the service to the database. Otherwise, click Back to go back to the previous screens and modify the settings. See Figure 69. 15 After Ridgeline successfully validates the selected options, it imports the service into its database. To view the newly created services, refer to “Viewing Ethernet Services Information” on page 98.
Figure 70: Successful Results Dialog After Clicking Import E-Line or E-LAN Service 17 Click Close. The Services list shows the new entry and the map shows the newly imported service. See Figure 71.
Figure 71: Services List and Map with Newly Imported Service 18 To validate and import a service in one step, select the check box labeled “If validation has no errors, continue automatically to creating the new E-Line service.” When validation succeeds, the import proceeds without the separate confirmation step and the dialog box opens showing the results. 19 With a successful validation, click Close. Ridgeline shows the Services list with the newly imported service and the map showing the service.
Figure 72: Importing E-Line Service Dialog with Validation Errors
Chapter 8: Managing PBB Networks

Virtual metropolitan area networks (VMANs) allow metropolitan area network (MAN) service providers to carry VLAN traffic from multiple customers across a common Ethernet network, known as a provider bridge network. The provider bridge network uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. A Provider Backbone Bridge (PBB) network enables VMAN transport across a provider backbone network. PBB is defined by the IEEE 802.
receive and transmit VMAN traffic. VMAN traffic that is addressed to locations at other PBB network access points enters a PBB network access port, is switched through the PBB network, and exits at a PBB network access port. If you do not configure any frame manipulation options, the frames that exit the PBB network are identical to the frames that entered the PBB network.
Creating a BVLAN To create a BVLAN, do the following: 1 From the Services menu, select New > BVLAN. The BVLAN Provisioning window is displayed, as shown in Figure 74. Figure 74: BVLAN Provisioning Window In the BVLAN provisioning window, the selected devices automatically appear in the Available devices table. You can provision BVLANs only on BlackDiamond 20K series switches running ExtremeXOS 12.4 or higher. Devices that do not support BVLANs are greyed-out in the BVLAN Provisioning window.
Figure 75: Progress and Results Window for VMAN Provisioning Tasks (callouts: validating command syntax and checking software compatibility; verifying connectivity to the selected devices; deploying the commands on the devices; the validation rules or commands entered on the device for the selected task)

6 Ridgeline validates the options you selected against a set of predefined configuration rules, and ensures that the target switches are running a version of software that supports the features
3 Right-click, and select Properties from the pop-up menu. The Properties window for the BVLAN is displayed, which provides a list of settings you can modify. For a BVLAN, you can edit the list of ports or links in the BVLAN, as well as the name and network name of the BVLAN (although not the tag value). You can also delete the BVLAN from the devices where it is configured. Figure 76: BVLAN Properties Window 4 Click the setting you want to modify to bring up the provisioning window for that setting.
Figure 77: Provisioning Window for a BVLAN Port List 5 Make any necessary changes to the BVLAN configuration. 6 When you have finished modifying the BVLAN, click the Save changes button to validate and deploy the changes to the BVLAN. Viewing PBB Information To view information about PBB networks known to Ridgeline, click a device group or the All map or All table group under the Network Views folder, then click the PBB tab.
Figure 78: PBB Table in Network Views If you also have enabled the map view of a device group, you can select a row in the table and display an overlay view highlighting all of the devices and links in the map where the selected BVLAN, CVLAN, or SVLAN is configured, as shown in Figure 78.
Figure 79: Displaying PBB Components in a Map View NOTE To view PBB information from an Extreme Networks switch, enable HTTP on the switch. Enabling the switch’s web interface widens its management attack surface, so restrict reachability of that interface to the management network (for example, by confining it to the management VLAN and filtering it with an ACL). Displaying PBB Details To display details about a BVLAN, CVLAN, SVLAN, or ISID, click on a row in the PBB table. Information about the selected item appears in the details window. If you double-click on the row, the details are displayed in a separate window.
BVLAN, CVLAN, and SVLAN Details For BVLANs, CVLANs, and SVLANs, the following window is displayed: Figure 80: PBB VLAN Details Window
ISID Details For ISIDs, the following window is displayed: Figure 81: ISID Details Window
Chapter 9: Managing and Monitoring VPLS Domains

A Virtual Private LAN Service (VPLS) domain is a Layer 2 multipoint VPN that allows multiple sites to be connected in a single bridged domain over a provider-managed IP/MPLS network. VPLS enables service providers to offer Ethernet private line services that use a simple Layer 2 interface at the customer edge, and benefit from the resilience and scalability of an MPLS/IP core.
Hierarchical VPLS (H-VPLS) When MPLS is used at the edge of the network, a fully meshed VPLS domain becomes less practical, due to the number of PWs that must be configured between a large number of peers. A hierarchical VPLS (H-VPLS) network can improve network scalability by reducing the number of PWs that need to be configured between peers. In an H-VPLS domain, VPLS domains can be constructed hierarchically in a partial-mesh or hub-and-spoke configuration.
This results in a significant reduction in the number of pseudo wires that need to be established and maintained. For example, a network of 10 core PEs with 50 MTU devices per core PE requires almost 260,000 pseudo wires using a fully meshed VPLS design. A hierarchical VPLS design requires only 590 pseudo wires. VPLS Support in Ridgeline Using Ridgeline, you can configure and monitor both fully meshed and hierarchical VPLS domains.
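The pseudowire counts quoted above can be reproduced with the following Python functions, an added example that is not part of the guide. It assumes what the guide's own figures imply: pseudowires are counted per direction (one per ordered pair of peers, so a full mesh of n nodes needs n(n-1)), and each MTU in the H-VPLS design has a single spoke pseudowire to its core PE. The `spokes_per_mtu` parameter is an assumption added here to show what dual-homing each MTU to a second core PE would cost.

```python
"""Pseudowire counts for flat VPLS versus hierarchical VPLS (H-VPLS).

Added example, not from the guide. Pseudowires (PWs) are counted per
direction, one per ordered pair of peers, which is the convention under
which the guide's figures (about 260,000 versus 590) come out.
"""


def full_mesh_pws(nodes):
    """Directional PWs needed for `nodes` peers that all mesh with each other."""
    if nodes < 0:
        raise ValueError("node count must be non-negative")
    return nodes * (nodes - 1)          # 0 for zero or one node


def hvpls_pws(core_pes, mtus_per_pe, spokes_per_mtu=1):
    """Directional PWs for an H-VPLS design: the core PEs form a full mesh,
    and each MTU has `spokes_per_mtu` spoke PWs up to core PEs (1 = the
    guide's single-homed case; 2 models dual-homing to a backup PE, an
    assumption added here)."""
    if core_pes < 0 or mtus_per_pe < 0 or spokes_per_mtu < 0:
        raise ValueError("counts must be non-negative")
    core = full_mesh_pws(core_pes)
    spokes = core_pes * mtus_per_pe * spokes_per_mtu
    return core + spokes


def compare_designs(core_pes, mtus_per_pe, spokes_per_mtu=1):
    """Return (flat_vpls_pws, hvpls_pws, reduction_factor) for a network in
    which every core PE and every MTU would otherwise be a VPLS peer."""
    total_nodes = core_pes + core_pes * mtus_per_pe
    flat = full_mesh_pws(total_nodes)
    hier = hvpls_pws(core_pes, mtus_per_pe, spokes_per_mtu)
    factor = flat / hier if hier else float("inf")
    return flat, hier, factor


if __name__ == "__main__":
    # The guide's example: 10 core PEs, 50 MTUs per core PE
    flat, hier, factor = compare_designs(10, 50)
    print(f"flat VPLS: {flat} PWs, H-VPLS: {hier} PWs, {factor:.0f}x fewer")
```

With the guide's numbers the flat design needs 510 x 509 = 259,590 directional pseudowires and the hierarchical design 10 x 9 + 500 = 590; dual-homing every MTU roughly doubles the spoke count to 1,090, still a small fraction of the full mesh.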
Figure 84: VPLS Table in Network Views From the All map view, or if you also have enabled the map view of the device group, you can select a VPLS domain and display an overlay view highlighting all of the devices and links in the map where the selected VPLS domain is configured, as shown in Figure 84.
When you select a VPLS domain from the table, all of the peer devices for the selected VPLS domain are highlighted in the map view, and the Details panel shows information about the pseudo wires in the VPLS domain. When you then select a pseudo wire from the table, Ridgeline highlights the LSP in use: the links and the end nodes of the LSP are highlighted in the map view.
Figure 87: Pseudowire Details Window Configuring VPLS Using Ridgeline, you can configure fully meshed and hierarchical (hub-and-spoke) networks. VPLS configuration tasks are performed using Ridgeline’s scripting feature.
Figure 88: Configuration Screen for the Create VPLS Script For information on how to use Ridgeline scripts, see “Creating and Running Ridgeline Scripts” on page 229.
Chapter 10: Managing VLANs

This chapter describes how you can use Ridgeline to configure, monitor, and manage VLANs in your network.
Configuring VLANs With Ridgeline, you can perform common VLAN configuration tasks, including creating, modifying, and deleting VLANs, as well as configuring VLAN protocol settings. There are two methods you can use for configuring VLANs in Ridgeline: ● Using Ridgeline’s network resource provisioning feature ● Using Ridgeline’s scripting feature. Additionally, you can optionally assign VLANs a network name, which is a means for categorizing VLANs into logical groups.
Figure 89: Selecting Devices to Provision 3 From the Services menu, select New > VLAN, or right-click in the Navigation Table and select VLAN from the pop-up menu. The VLAN Provisioning window is displayed, as shown in Figure 90.
Figure 90: VLAN Provisioning Window for Selected Devices In the VLAN provisioning window, the selected devices automatically appear in the Available devices table. If the switch software running on a device does not support the feature you are configuring, it is greyed-out in the Available devices table. You can expand the list of items in the Available devices table by selecting a group from the Show devices in box.
4 Click one of the devices to view the Available ports table for the device. 5 For each port or link you want to add to the VLAN, select the port and click the Add tagged or Add untagged button. When the VLAN is created, the port is removed from the default VLAN and added to the new VLAN. 6 Edit the values in the Tag and Name fields for the new VLAN. 7 When you have finished configuring the VLAN, click the Create VLAN button to start the validation and deployment process.
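As an added example of the validate-then-deploy sequence described in this procedure and in the VLAN provisioning steps of Chapter 5 (validating the request, removing untagged ports from the default VLAN, deploying the commands, saving the configuration), the Python below checks a VLAN request against a constructed snapshot of device state and generates the ExtremeXOS CLI commands a deployment would send. It is not Ridgeline's rule set or code: the name and port-format constraints, the `Default` VLAN membership map and the sample data are assumptions made here. The command forms used (`create vlan`, `configure vlan ... add ports ... tagged|untagged`, `configure vlan ... delete ports`, `save configuration`) are standard ExtremeXOS syntax.

```python
"""Validate a VLAN provisioning request and emit ExtremeXOS commands.

Added example, not Ridgeline code. `existing` is a constructed stand-in for
the device state Ridgeline keeps in its database: VLAN name -> tag and the
set of ports that are untagged members of that VLAN.
"""

import re

# Assumed constraints: EXOS-style VLAN names (letter first, at most 32
# characters) and ports written as "22" (standalone) or "1:22" (slot:port).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,31}")
PORT_RE = re.compile(r"(?:\d+:)?\d+")


class ValidationError(ValueError):
    """Raised when a request fails a pre-deployment check."""


def validate_vlan_request(name, tag, tagged, untagged, existing):
    """Return a list of validation errors (empty when the request is clean)."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append(f"invalid VLAN name {name!r}")
    if not 1 <= tag <= 4094:                 # 802.1Q VIDs 0 and 4095 are reserved
        errors.append(f"tag {tag} is outside 1-4094")
    if name in existing:
        errors.append(f"VLAN {name!r} already exists")
    for other, info in existing.items():
        if info["tag"] == tag:
            errors.append(f"tag {tag} is already used by VLAN {other!r}")
    for port in tagged + untagged:
        if not PORT_RE.fullmatch(port):
            errors.append(f"malformed port {port!r}")
    both = set(tagged) & set(untagged)
    if both:
        errors.append(f"ports listed as both tagged and untagged: {sorted(both)}")
    # A port can be an untagged member of only one VLAN. Leaving the Default
    # VLAN is expected (the guide notes the port is removed from it); any
    # other untagged membership is a conflict the switch would reject.
    for other, info in existing.items():
        clash = set(untagged) & info["untagged"]
        if clash and other != "Default":
            errors.append(f"ports {sorted(clash)} are already untagged in {other!r}")
    return errors


def exos_commands(name, tag, tagged, untagged, existing):
    """Generate the CLI sequence for a validated request; raise otherwise."""
    errors = validate_vlan_request(name, tag, tagged, untagged, existing)
    if errors:
        raise ValidationError("; ".join(errors))
    commands = []
    default_untagged = existing.get("Default", {}).get("untagged", set())
    leaving = sorted(p for p in untagged if p in default_untagged)
    if leaving:
        commands.append(f"configure vlan Default delete ports {','.join(leaving)}")
    commands.append(f"create vlan {name} tag {tag}")
    if tagged:
        commands.append(f"configure vlan {name} add ports {','.join(tagged)} tagged")
    if untagged:
        commands.append(f"configure vlan {name} add ports {','.join(untagged)} untagged")
    commands.append("save configuration")   # persist, as the guide says Ridgeline does
    return commands


# Constructed device state: the factory Default VLAN and one existing VLAN.
SAMPLE_STATE = {
    "Default": {"tag": 1, "untagged": {"1:1", "1:2", "1:3"}},
    "v10": {"tag": 10, "untagged": {"1:4"}},
}


if __name__ == "__main__":
    for line in exos_commands("v20", 20, ["1:1"], ["1:2"], SAMPLE_STATE):
        print(line)
    print(validate_vlan_request("v10", 4095, [], ["1:4"], SAMPLE_STATE))
```

Running the block prints the five commands for a clean request (port 1:2 is first deleted from Default because it will become untagged in v20, while 1:1 stays in Default and is only added tagged), then the three errors for a request that reuses an existing name, an out-of-range tag and a port already untagged elsewhere. The point of the split between `validate_vlan_request` and `exos_commands` is the one the guide makes: nothing is sent to a switch until every rule has passed.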
Modifying a VLAN For existing VLANs, you can edit settings and deploy the changes to the devices where the VLAN is configured. To modify a VLAN, do the following: 1 Under Network Views, select the folder containing the devices you want to configure. 2 In the Navigation Table, click the VLAN tab, and select the VLAN you want to modify. 3 Right-click in the Navigation Table and select the setting you want to modify from the pop-up menu.
Figure 94: VLAN Properties Window 5 Click the setting you want to modify to bring up the provisioning window for that setting. For example, Figure 95 shows the provisioning window for a VLAN port list. Figure 95: Provisioning Window for a VLAN Port List 6 Make any necessary changes to the VLAN configuration. 7 When you have finished modifying the VLAN, click the Save changes button to validate and deploy the changes to the VLAN.
Running VLAN Configuration Scripts Ridgeline includes a number of bundled scripts that allow you to specify VLAN configuration settings and deploy them on managed Extreme devices.
Viewing VLAN Information To view information about VLANs in Ridgeline, click a device group or the All group under the Network Views folder, then click the VLANs tab. A table listing the VLANs in the group is displayed. If you also have enabled the map view of the device group, you can select a VLAN and display an overlay view highlighting all of the devices and links in the map where the selected VLAN is configured, as shown in Figure 97.
Displaying VLAN Details To display details about a VLAN, click on the VLAN’s row in the VLAN table. Information about the VLAN appears in the details window. If you double-click on the row, the VLAN details are displayed in a separate window, as shown in Figure 98. Figure 98: VLAN Details Window Viewing VLAN Services Information Ridgeline shows additional details based on the type of services configured on a VLAN.
See the Ridgeline Reference Guide or the online help for information about the VLAN service details displayed by Ridgeline. Displaying VLAN Details for an Individual Device To display details about the VLANs configured on a specific device, click on the device’s row in the Devices table in Network Views. Information about the selected device appears in the details window. The VLAN tab in the details window contains information about the VLANs configured on the device.
Figure 99: Modify Network Name Window 3 Click New to open the New network name window. 4 Enter the network name and click Create. Assigning VLANs to a Network Name To assign VLANs to a network name: 1 Under the Network Views folder, select the device group that contains the VLANs you want to categorize, or select the All group. 2 Do one of the following: ● Click the VLANs tab in the table view to display the VLANs in the device group.
Figure 100: Filtering the VLAN Table Using the Network Name Quick Filter (callout: Network Name Quick Filter)
Chapter 11: Managing Virtual Machines

This chapter describes Ridgeline’s Extreme Network Virtualization (XNV). Overview Typical data centers support multiple Virtual Machines (VMs) on a single server. These VMs usually require network connectivity to provide their services to network users and to other VMs.
Local virtual port profiles (LVPPs), which override network policies, must be configured on each switch. LVPPs are a good choice for simple network topologies, but NVPPs offer easier network management for more complex network topologies. VM Authentication Process The XNV feature supports three methods of authentication: ● Ridgeline authentication. ● Network authentication using a downloaded authentication database stored in the VMMAP file.
Through file synchronization, the VM configuration and policy files are periodically downloaded to the XNV-enabled switches, which allows these switches to continue to support VM connections when the Ridgeline server or the repository server is unavailable. You can also initiate a file synchronization from the XNV-enabled switch. Network Management and Inventory The XNV feature is designed to support network management programs such as Ridgeline.
Figure 101: Topology of XNV Configuration Network (elements shown: Ridgeline server, Ridgeline repository server, data center core switch, top-of-rack switch Switch1 with port 1:22, VLAN V1, and the addresses 11.1.1.50/24 and 11.1.1.1/24)
● VM counters are cleared when a VM moves between ports on the same switch (because the ACLs are deleted and recreated). Identifying VMMs and VMs The Virtual Machine Manager lists all virtual machine managers added to and used by Ridgeline. These include: ● VMware - vCenter Server Virtualization Management ● Citrix - XenServer Virtual Machine Manager Table To open the Machine Manager Table, do the following: 1 On the Folder list, go to Ridgeline Administration>Virtualization management.
Figure 102: VM Manager Table Adding and Importing VMs When you want to add a VM to your network, Ridgeline identifies a VMM and any associated VMs and imports them. After you add a VM, Ridgeline automatically tracks its movement and configuration information.
1 With the Virtualization management tab open, go to File>New>VM manager. The Import VMs Wizard launches. See Figure 103. Figure 103: Import VMs Wizard 2 Click Next. Ridgeline discovers VMs or resource pools and shows the information in the next dialog box. See Figure 104. Figure 104: Discovered VMs 3 Click Import VMs. 4 If Ridgeline cannot discover any VMMs, the dialog box indicates it was unable to find any VMs.
● Password To edit these VM manager settings, do the following: 1 On the Virtualization management tab, click the VM managers tab. 2 Right-click the VM manager you want to edit. 3 On the menu that opens, select Properties. The Edit VM Manager settings dialog box opens. See Figure 105. Figure 105: Edit VM Manager 4 Enter the new User name and/or Password for the VM manager. 5 Click Update.
To use the wizard, do the following: 1 On the menu bar, open Edit and choose Edit List of VM Devices. The Edit List of Devices dialog box opens. See Figure 106. Figure 106: Select Device or Device Group 2 Select Devices or Device groups. If you select Devices, a window opens and asks “Monitor VMs on which devices?” See Figure 107. It shows the switch names and their IP addresses. If you select Device groups a window opens showing ports, device names and IP addresses. See Figure 108.
Figure 107: Select Devices to Monitor Figure 108: Select Device Group to Monitor 3 Click Next. The Select the ports window shown in Figure 109 opens.
4 Select the ports you want monitored from the Available Ports column in the dialog box. A port is grayed out if it is an uplink port or if it has Netlogin enabled. Figure 109: Select Ports 5 Click Next. The Configuring devices for virtual machines monitoring dialog box shown in Figure 110 opens to show the progress of the operation.
Figure 110: Progress Window 6 To view VM tracking on a device go to the Virtualization tab>Device Ports tab. See Figure 111. Figure 111: Tracking On a Device Editing List of Devices and Ports A wizard lets you edit the list of devices and ports on the VM Monitoring Table. To use the wizard, do the following: 1 On the menu bar, open Edit and choose Edit List of VM Devices. The Edit List of Devices dialog box opens. See Figure 112.
Figure 112: Edit List of Devices 2 Choose Device or Device groups. 3 Click Next. The dialog that opens asks “Monitor VMs on which devices?” See Figure 113. If a device is grayed out, it means that the device does not support VM monitoring or the device has Identity Management enabled. If all the devices in a group fall into one of these categories, the group is disabled. Figure 113: Choose Devices 4 Click the switches or ports you want to change. 5 To disable a device, clear the check box.
Figure 114: Select the Ports 8 To choose a device, click the device row in the left window. The center window shows the number assigned to the device by Ridgeline. The window on the right shows the port number. Port descriptions and numbers are grayed out for uplink ports and for ports that have Netlogin enabled. 9 The progress of the configuration is shown in the Configuring Devices for virtual machine monitoring window. See Figure 115.
Policy Match Condition Combinations Table 4 lists the ingress and policy match condition combinations for Extreme Network Virtualization. The following items provide additional information about the match conditions: ● EXOS dynamically inserts the Source MAC in the ingress policy. It does not allow you to add a source MAC in the ingress policy. ● EXOS dynamically inserts the Destination MAC in the egress policy. It does not allow you to add a Destination MAC in an egress policy.
1 Select XNV: Virtual-port profiles on the Folder List then go to File>New>Virtual-port profile. The New Virtual-Port Profile dialog box opens. See Figure 117. Figure 116: Create a New VPP Menu 2 Enter the name of the new VPP. 3 Choose ingress or egress policy, both ingress and egress, or none. 4 Choose a policy from the Policies list.
5 Click Create profile. The new VPP shows on the Virtual-port profile list. See Figure 118. Figure 118: Virtual-Port Profile list Attaching Policies, VPPs, and VMs The following diagram shows the flow for attaching policies, VPPs, and VMs.
Attaching a VPP to a VM To attach a VPP to a VM, do the following: 1 On the menu bar, go to File>Edit>Attach, or right-click the VPP in the list that you want to attach to a VM. The menu opens. See Figure 120. Figure 120: Menus to Attach a VPP to a VM 2 Choose Attach>Virtual-port profiles to VMs from the menu bar, or Attach to VMs when you right-click on the Virtual-port profile list. The Attach Virtual-Port Profile to VMs dialog box opens.
Figure 121: Attach Virtual-Port Profile to VMs Dialog Box 3 Choose a VM from the Available Virtual machines list, then add it to the Selected virtual machines list. 4 Click Attach. If the VPP is already attached to another VM, the results show in the dialog box. See Figure 122. Click Close to close the dialog box and return to the Virtual-port profile list.
Figure 122: Attach Virtual-Port Profile to VMs Results 5 The Virtual-port profile list now shows the VPP as attached. See Figure 123.
Attaching a Policy to a VPP
To attach a policy to a VPP, do the following:
1 On the menu bar, go to File>Attach>Policies to virtual port profiles. You can also access the menu by right clicking on the profile. The virtual port profile dialog box opens. It shows the policy name. See Figure 125.
Figure 125: Attach a Policy to a VPP
2 Choose a policy from the list and click Attach. If the policy is already attached to a VPP, click Save changes. The dialog box opens and shows the results of the operation. See Figure 126.
Detaching VPPs
To begin the detach VPP operation, do the following:
1 On the menu bar, go to File>Edit>Detach, or right click on the VPP in the list that you want to detach. The menu opens.
Figure 127: Detach a VPP
Detaching a VPP from a VM
To detach a VPP from a VM, do the following:
1 Select a VPP on the list.
2 On the menu bar, go to File>Edit>Detach, or right click on the VPP in the list from which you want to detach a VM. The menu opens. See Figure 127.
Figure 128: Detach Virtual-Port Profiles from VMs
4 Select the VM you want to detach from the Available virtual-port profile list.
5 Click Add to move it to the Selected virtual machines list.
6 Click Detach. The dialog box opens and shows the successful results of the operation.
7 Click Close to return to the list of VPPs.
Detaching a VPP from a Policy
To detach a VPP from a policy, do the following:
1 Select a VPP on the list.
Figure 129: Detach a VPP from a Policy
4 Deselect the policies you want to detach from the VPP.
5 Click Save changes. The dialog box opens and shows the successful results of the operation.
6 Click Close to return to the list of VPPs.
Viewing Information on the VMs Tab
After successfully discovering VMs and enabling VM Tracking on the switches, Ridgeline shows the mapping between the VMs and the devices they access. All associated policies are listed.
Power Status: Current power status of the VM.
In Map view, when you select a VM, Ridgeline highlights the device and shows the number of VMs currently accessing the switch. See Figure 131.
Figure 131: All Map View Server Switch
Device Group/Subgroup Views
On the VM tab > Device Group/Sub Group Table and Map View, only the VMs that access the device and are part of the selected group are shown. See Figure 132. Figure 133 shows the selected device group, circled, and its access to subgroups, shown as dotted lines.
VM Details View
The VMs tab Table view shows the VM Details on the right side of the Ridgeline window. See Figure 133.
Figure 133: VM Properties View and NIC Tab
NIC Tab
The NIC tab (Figure 133) lists all the network interface cards (NICs) associated with a VM and includes the following details:
● VM MAC address
● Device name
● NIC port number
● Port
● Port name
History Tab - VM Movement History
The History tab (Figure 134) shows the VM movement history of all discovered VMs across devices and hosts.
Figure 134: History Tab
Device Details with VM Monitoring
The Devices tab in Table view shows that VM Monitoring is enabled. See Figure 135. The Device Details window on the right shows the VM tab and contains the same information as the VM details view. See “VM Details View” on page 172.
Figure 135: VM Monitoring Device Details
VM Monitoring Audit Log
Information in the Audit Log for VM monitoring is listed under the VM Monitoring tab > Audit Log node. See Figure 136. Ridgeline creates an Audit Log entry for the following reasons:
1 A virtual port profile has been modified (for example, an update of an ingress or egress policy).
The Actions window lets you filter the log information by hour or date and search for log items or details.
Chapter 12: Managing Your EAPS Configuration
This chapter describes how to use Ridgeline to configure and monitor an Ethernet Automatic Protection Switching (EAPS) configuration in your network.
Creating an EAPS Domain
To create an EAPS domain, do the following:
1 Under Network Views, from the Protocol menu, select New > EAPS domain. The New EAPS Domain window is displayed, as shown in Figure 137.
Figure 137: New EAPS Domain Window
2 Enter a name for the new EAPS domain.
3 Select the links that will make up the new EAPS domain.
4 In the Master Node box, select the device that will be the master node for the new EAPS domain.
Modifying an EAPS Domain
For existing EAPS domains, you can edit settings and deploy the changes to the devices where the EAPS domain is configured. To modify an EAPS domain, do the following:
1 Under Network Views, select the folder containing the EAPS domain you want to configure.
2 In the Navigation Table, click the EAPS tab, and select the EAPS domain you want to modify.
3 Right-click in the Navigation Table and select the setting you want to modify from the pop-up menu.
Creating a Shared Link
An EAPS shared link is a physical link that carries overlapping VLANs that are protected by more than one EAPS domain. To create an EAPS shared link, do the following:
1 Under Network Views, from the Protocol menu, select New > Shared link. The New Shared Link window is displayed, as shown in Figure 137.
Figure 140: New Shared Link Window
2 Select the link that will make up the shared link. You can specify only one link to be used as a shared link.
3 From the File menu, select Delete. Ridgeline prompts you to confirm your action.
4 Click Yes to delete the EAPS domain. Note that the Control VLAN is deleted along with the EAPS domain.
Viewing EAPS Information
To view information about your EAPS domains, select a device group or the All table or All Map in the Network Views folder, then click the EAPS tab. A table listing the EAPS domains in the group is displayed.
The EAPS Map View
The EAPS map view shows the devices in a device group with respect to their EAPS implementation, including the EAPS-related links between devices and a summary status for each device and for each EAPS ring. Figure 141 above shows an example of the EAPS map view for a device group.
For a Transit node:
● A Green T means both ring ports are up and forwarding
● A Yellow T means a ring port is up but blocked
● A Red T means that one or both ring ports are down.
Node Alarm Status (shown for all devices): If alarms have occurred on the node and have not yet been acknowledged, the highest severity alarm is indicated with the small bell symbol. The color indicates the severity of the alarm:
● A green bell is a “Normal” alarm.
● A grey line indicates that the link status is unknown.
● A blue line indicates the link is user-created rather than automatically discovered by Ridgeline.
When the map is zoomed in sufficiently, the port endpoints are automatically displayed for each link.
Displaying EAPS Domain Details
To display details about an EAPS domain, click on the domain’s row in the EAPS table. Information about the EAPS domain appears in the details window.
Verifying EAPS Information
Ridgeline lets you verify the EAPS configurations in your network, and provides a report that shows where configuration errors are found. To run the verification procedure on your EAPS domains, select Verify EAPS domains from the Protocol menu. Depending on the size of your network and your EAPS configurations, this can take as long as 15 minutes. The results of the verification are shown in the EAPS Verification Results window.
Table 5: EAPS Verification Error Types (continued)
• Incomplete VLAN Protection
• Shared Port Not Created
• Inconsistent Control VLAN Naming
• Shared Port Not Configured
Running EAPS Reports
You can run the following reports to produce information about the EAPS domains known to Ridgeline:
● EAPS Summary Report, which provides a brief overview of the status of the EAPS domains
● EAPS log report, which shows the EAPS traps and EAPS-related syslog entries that have
EAPS Log Reports
The EAPS log report shows the EAPS traps and EAPS-related syslog entries that have occurred for the selected device. This report can be very helpful in troubleshooting your EAPS device configurations. Once you run the report, you can filter it further based on the following:
● The IP address (must be exact, wildcards are not supported).
Chapter 13: Managing Network Security
This chapter describes how you can use the features of Ridgeline to help you ensure the security of your network.
the switch to allow only authenticated, authorized access, and securing the management traffic between the switch and the administrator’s host to ensure confidentiality. Ridgeline provides authentication and authorization for login to Ridgeline itself, so you can control who can access Ridgeline and what functions they are allowed to perform.
If you have created your own custom roles, you can set a Vendor-Specific Attribute (VSA) to send the appropriate role information along with the authentication status of the user. There are a number of steps required to set up your RADIUS server to provide authentication and authorization for Ridgeline users. The following provides an overview of the process. A detailed example can be found in Appendix D, “Configuring RADIUS for Ridgeline Authentication”.
Attribute format: String
Attribute value: AlarmsOnly
Once this has been set up, for all users logging into Ridgeline who match the conditions defined in the remote access policy, a VSA with the value “AlarmsOnly” will be passed to Ridgeline. Ridgeline will then apply the user role “AlarmsOnly” to those users to provide feature access as defined by that role.
Figure 148 shows an example of adding an SNMPv3 device that uses CBC DES privacy and SHA authentication protocols.
Figure 148: Adding an SNMPv3 Device to Ridgeline
If you change the contact password or SNMP community string, Ridgeline will ask if you want to change these settings on the device as well as in the Ridgeline database. If you choose not to change the settings on the device, you will need to configure them manually on each device before Ridgeline will be able to access them.
b After the form is submitted, Extreme Networks will review the request and respond within 2 business days.
c If your request is approved, an email will be sent with the information needed to obtain the “sshenabler” key file.
d Place the “ssh-enabler” key file in your existing Ridgeline installation directory. This will unlock the Ridgeline SSH-2 features.
recommended) on the same system as the Ridgeline client, and installing and running an SSH server (OpenSSH is recommended) on the same system where the Ridgeline server resides. Tunneled communication is accomplished through port forwarding.
Using the MAC Address Finder
You may need to track down a specific host on your enterprise network. This host may be involved in malicious activity, be a compromised source for virus infections, be using excessive bandwidth, or have network problems. Ridgeline provides the IP/MAC Address Finder tool to locate any MAC address on your network. Ridgeline provides two ways to find a MAC address in your enterprise network.
● Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may become too busy to service other functions and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets requiring costly processing.
Table 6: Security-based Syslog Messages
Error Message: USER: Login failed for user through telnet
Explanation: A login attempt failed for an administrative user attempting to connect to a device using telnet.
Error Message: SYST: card.c 1000: Card 3 (type=2) is removed.
Explanation: A card has been removed from the device. This is a possible breach of physical security if this is an unauthorized removal.
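The two Table 6 messages are the kind of thing an operator wants matched automatically rather than read by eye. The following is an added example, not code from the guide or from Ridgeline: it classifies constructed syslog lines against the two message patterns, and then raises a separate per-host event when failed telnet logins reach a threshold. The "<date> <time> <host> <message>" line layout, the severity labels, and the threshold are assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed line layout: "<date> <time> <host> <message>". Only the message
# part is compared against the Table 6 patterns; the prefix is an assumption.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Patterns built from the two Table 6 messages. The slot and type numbers in
# the card message are allowed to vary; the surrounding text is literal.
PATTERNS = {
    "telnet_login_failed": (
        re.compile(r"USER: Login failed for user(?: (?P<user>\S+))? through telnet"),
        "warning",
    ),
    "card_removed": (
        re.compile(r"SYST: card\.c \d+: Card (?P<slot>\d+) \(type=(?P<ctype>\d+)\) is removed\."),
        "critical",  # possible physical-security breach if the removal was unauthorized
    ),
}


@dataclass
class SecurityEvent:
    host: str
    kind: str
    severity: str
    detail: str


def classify_line(line):
    """Return a SecurityEvent for a line matching Table 6, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, (pattern, severity) in PATTERNS.items():
        hit = pattern.search(m.group("msg"))
        if hit:
            detail = ", ".join(f"{k}={v}" for k, v in hit.groupdict().items() if v)
            return SecurityEvent(m.group("host"), kind, severity, detail)
    return None


def scan(lines, failed_login_threshold=3):
    """Classify every line and add a per-host event when failed telnet logins
    reach the threshold; that aggregate is what an operator would alarm on."""
    events = [e for e in (classify_line(line) for line in lines) if e is not None]
    failures = Counter(e.host for e in events if e.kind == "telnet_login_failed")
    for host, count in sorted(failures.items()):
        if count >= failed_login_threshold:
            events.append(SecurityEvent(host, "repeated_login_failures", "high", f"count={count}"))
    return events


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "2011-02-01 10:00:01 sw-core-1 USER: Login failed for user admin through telnet",
    "2011-02-01 10:00:05 sw-core-1 USER: Login failed for user admin through telnet",
    "2011-02-01 10:00:09 sw-core-1 USER: Login failed for user through telnet",
    "2011-02-01 10:01:00 sw-edge-7 SYST: card.c 1000: Card 3 (type=2) is removed.",
    "2011-02-01 10:02:00 sw-edge-7 SYST: port.c 1043: Port 1:5 link up",
]

if __name__ == "__main__":
    for event in scan(SAMPLE_LOG):
        print(f"{event.severity:8} {event.host:10} {event.kind} {event.detail}")
```

The aggregate event is the useful output: a single failed telnet login is routine, but three in a row on one switch is worth an alarm, and the card-removal message is rated critical because the guide itself flags it as a possible physical-security breach.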
Chapter 10, “Managing VLANs” on page 131 for more information about how Ridgeline can help you manage the VLANs on your network.
Chapter 14: Policies
Overview
The policy manager is responsible for maintaining a set of policy statements in a policy database and communicating these policy statements to the applications that request them. Policies are used by the routing protocol applications to control the advertisement, reception, and use of routing information by the switch. Using policies, a set of routes can be selectively permitted (or denied) based on their attributes, for advertisements in the routing domain.
Figure 151: Policy Details
Viewing Policies for Devices
To view a policy for a device, do the following:
1 On the Folder List, go to Network Views>All table, then click the VM tab.
2 Select a device.
3 Scroll to the right. You see the Host IP address, Host name, and Ingress and Egress policies.
Creating a New Policy
To create a new policy, do the following:
1 On the Folder List, go to Network Administration>Policies. The Policies tab opens.
2 On the menu bar, go to File>New>Policy. See Figure 153. The New Policy dialog opens.
Figure 153: Create New Policy on Menu
3 Enter the name of the device on which you want to create a policy, the policy type, and the policy direction, Ingress or Egress. Click New. See Figure 154.
Figure 154: New Policy Dialog
4 Click New. The New Policy Rule dialog opens and asks: What is the name, description, and match condition for your new rule? See Figure 155. It describes the criteria for the entries: you can specify multiple, single, or zero match conditions. If no match condition is specified, all packets match the new entry.
Figure 155: New Policy Rule Dialog - Match Conditions
5 Enter the Rule Name, Rule description, and Rule category.
6 Click on the available conditions to view a description of each condition at the bottom of the dialog box.
7 Select a condition from the list of Available match conditions, then move each condition to the Selected match conditions list on the right.
NOTE: All the conditions must be matched.
Figure 156: New Policy Rule Dialog - Inputs for Match Conditions
9 Enter and then select the match condition information needed for the conditions you chose on the previous dialog.
10 Click Next. The dialog opens and asks: What is the action and action modifiers for your rule? See Figure 157.
Figure 157: New Policy Rule - Action and Action Modifiers
11 If you do not select Also include these action modifiers, click Create Rule. The New Policy dialog opens showing the newly created policy. See Figure 159.
12 If you want to include action modifiers, select Also include these action modifiers, then click Create Rule. The next dialog asks: What are the inputs for action modifiers for your rule? See Figure 158.
Figure 158: New Policy Rule - Inputs for Action Modifiers
17 Click Create Rule. The New Policy dialog opens showing the newly created rule on the Rules list. See Figure 157.
18 Click Create Policy.
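The two matching rules stated in the procedure above (all selected conditions must match, and a rule with zero conditions matches every packet) are easy to get wrong when ordering rules. The following is an added example, not code from the guide or from Ridgeline, that models a policy as an ordered list of rules with match conditions, an action, and optional action modifiers, evaluates constructed packets against it, and reports rules that a preceding catch-all makes unreachable. The condition names (ethertype, vlan-id, source-mac), the action names, and first-match ordering are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: dict          # match-condition name -> required value; {} matches every packet
    action: str               # action names ("permit", "deny") are assumed, not taken from the guide
    modifiers: tuple = ()     # optional action modifiers, also assumed names
    description: str = ""
    category: str = ""


@dataclass
class Policy:
    name: str
    direction: str            # "ingress" or "egress"
    rules: list = field(default_factory=list)


def rule_matches(rule, packet):
    """All selected conditions must hold (logical AND). A rule with zero
    conditions matches every packet, as the New Policy Rule dialog states."""
    return all(packet.get(cond) == value for cond, value in rule.conditions.items())


def evaluate(policy, packet):
    """First-match evaluation (assumed): rules are tried in list order and the
    first matching rule decides. Returns (rule name, action, modifiers) or None."""
    for rule in policy.rules:
        if rule_matches(rule, packet):
            return rule.name, rule.action, rule.modifiers
    return None


def shadowed_rules(policy):
    """Names of rules that can never fire because an earlier rule with zero
    match conditions (a catch-all) precedes them."""
    names, catch_all_seen = [], False
    for rule in policy.rules:
        if catch_all_seen:
            names.append(rule.name)
        elif not rule.conditions:
            catch_all_seen = True
    return names


# Constructed example policy. Condition names are illustrative field names,
# not the dialog's exact condition labels.
VM_INGRESS = Policy("vm-ingress", "ingress", [
    Rule("allow-prod-ipv4", {"ethertype": "ipv4", "vlan-id": 10}, "permit"),
    Rule("block-quarantined-mac", {"source-mac": "00:11:22:33:44:55"}, "deny"),
    Rule("default-deny", {}, "deny", ("log",), description="catch-all"),
])

# A misordered copy with the catch-all first: everything after it is dead.
MISORDERED = Policy("vm-ingress-bad", "ingress",
                    [VM_INGRESS.rules[2], VM_INGRESS.rules[0], VM_INGRESS.rules[1]])

if __name__ == "__main__":
    for pkt in ({"ethertype": "ipv4", "vlan-id": 10, "source-mac": "00:11:22:33:44:55"},
                {"ethertype": "ipv4", "vlan-id": 20},
                {"ethertype": "arp", "source-mac": "00:11:22:33:44:55"}):
        print(pkt, "->", evaluate(VM_INGRESS, pkt))
    print("shadowed in misordered policy:", shadowed_rules(MISORDERED))
```

The shadowed_rules check is the practical point: because a rule with no conditions matches everything, placing it anywhere but last silently disables the rules after it, and a policy that looks like it blocks a quarantined MAC may never evaluate that rule.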
Figure 159: New Policy Dialog
Copying a Policy to Create a New Policy
To copy an existing policy to create a new policy, do the following:
1 Click Network Administration>Policies in the Folder List. The Policies tab opens.
2 Select a policy on the list.
3 Go to File on the menu bar and choose Save as. The Save Policy As dialog opens. See Figure 160.
Figure 160: Save Policy As Dialog Box
4 Choose the policy you want to copy from the Policies list.
5 Choose from the following:
● Save in Ridgeline - Saves the policy to the server where Ridgeline is installed.
● Export to - Changes the policy file format so that you can take the policy from one Ridgeline installation to another Ridgeline installation.
a Select the file type: .
Figure 161: Edit Policy Dialog
4 Click Edit. A Policy Rule dialog opens and asks: What is the name, description, and match condition for your new rule? See Figure 154 on page 204.
5 Make changes as you would when you create a new policy. Start at step 5 on page 204.
6 When you finish making changes and the Edit Policy dialog opens, click Save changes.
Deleting a Policy
To delete a policy, do the following:
1 Select the policy you want to delete from the list of policies.
Figure 162: Policy Attached Dialog Box
Detaching a Policy
For information about detaching a policy, refer to “Detaching VPPs” on page 210.
Attaching a Policy
1 On the Policies tab, select the policy you want to attach.
2 On the menu bar, go to Edit>Attach>Policies to virtual port profiles. Or, right click on the policy you selected and choose Attach policy to virtual port profile from the menu. The Attach Policy to Virtual Port Profiles dialog box opens.
Categorizing Policies
You can categorize policies to make it easier for you to find policies. This is a user tool; switches do not use it, nor does it affect a policy’s function. To categorize policies, do the following:
1 Click Network Administration>Policies in the Folder List. The Policies tab opens.
2 On the Policies list, right click on the policy you want to categorize. See Figure 164. The Categorize Policy dialog opens. See Figure 165.
5 Click Create.
Categorizing Policy Rules
To categorize policy rules, do the following:
1 On the Folder list, go to Network Administration>Policies. The Policies tab opens.
2 Double click on the policy you selected, or select a policy on the list of policies and right click to open a menu.
3 Choose Open. The Policy dialog opens. The header shows the name of the policy to which the rule belongs.
4 Click Edit.
Chapter 15: Tuning and Debugging Ridgeline
This chapter describes how to tune Ridgeline performance and features to more effectively manage your network. It also describes some advanced features that are available to a Ridgeline administrator (a user with an Administrator role) to help analyze Ridgeline or Extreme device operation.
● To disable Ridgeline management for a device, select the device in a Network Views window, and select Managing > Disable from the Device menu. Note that this does not physically change the device; it just sets Ridgeline to ignore the device as if it were offline.
● To re-enable Ridgeline management for the device when it is again reachable, select it, and select Managing > Enable from the Device menu.
Through the MAC Polling Server Properties, you set the amount of load, which determines the amount of elapsed time between sets of FDB polling requests. A complete MAC address polling cycle consists of multiple groups of requests, until all devices with MAC address polling enabled have been polled. A setting of Light (recommended) means the elapsed time between groups of MAC address polling requests will be calculated to place a lighter load on the Ridgeline server.
and scoped on all devices. Therefore, tuning the alarm system can have a significant impact on the overall performance of the Ridgeline server.
To disable an alarm you must modify its alarm definition:
1 Open Alarm Manager, and click the Alarm Definition tab.
2 Click the Modify button to open the Modify Alarm Definition window with the selected alarm definition displayed.
3 Uncheck the Enabled checkbox to disable the alarm, then click OK.
Note that disabling alarms that are not likely to occur will not have much performance impact.
Figure 167: Defining the scope of an alarm
You can scope an alarm to Device Groups and Port Groups as well as individual devices and ports. To change the alarm scope for an existing alarm:
1 Open Alarm Manager, and click the Alarm Definition tab.
2 Select the alarm you want to scope, and click Modify.
3 Select the Scope tab.
4 Uncheck the Scope on all devices and ports checkbox. This enables the Source Type and Select Group fields.
Using Device Groups and Port Groups for Alarm Scopes
Special-purpose Device Groups and Port Groups are very useful for alarm scoping. Since Ridgeline allows you to put the same devices or ports into multiple top-level groups, you can create special-purpose groups that simplify the configuration of alarm scopes. For example, you might create a port group for the critical links on your core devices, and another for edge port links or for wireless interfaces.
The OIDs and devices to be polled, the poll interval, the number of polling cycles, and the amount of polled data to be stored are all defined in the Administrator-created collections.xml file.
● The MIB Query tool allows an Administrator to create a one-time MIB query request to retrieve the value of specific variables from a set of specified devices. This is a one-shot query, and does not poll repeatedly or store the data it retrieves.
The collection properties must be defined in the collection statement at the beginning of each collection definition:
Table 7: Control properties for a MIB collection specification
name: A name for the collection, between 1 and 255 characters.
pollingIntervalInSecs: The interval at which Ridgeline should poll for the variables defined in this collection, between 1 and 2147483 seconds.
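Because collections.xml is written by hand and reloaded into a running server, a pre-flight check against the Table 7 bounds saves a failed reload. The following is an added example, not code from the guide or from Ridgeline: it parses a constructed collections.xml, checks the name length and pollingIntervalInSecs range from Table 7, and also checks that device addresses and OIDs are well formed. Only the two attribute names come from Table 7; the element layout (collections, collection, device, oid) is an assumption, since the guide does not show the file's schema here.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Bounds from Table 7.
NAME_MAX_LEN = 255
INTERVAL_MIN, INTERVAL_MAX = 1, 2147483
OID_RE = re.compile(r"^\.?\d+(?:\.\d+)+$")


def validate_collection(elem):
    """Return a list of problems for one <collection> element (empty means valid)."""
    problems = []
    name = elem.get("name", "")
    if not 1 <= len(name) <= NAME_MAX_LEN:
        problems.append(f"name length {len(name)} not within 1-{NAME_MAX_LEN}")
    raw = elem.get("pollingIntervalInSecs")
    try:
        interval = int(raw)
    except (TypeError, ValueError):
        problems.append(f"pollingIntervalInSecs {raw!r} is not an integer")
    else:
        if not INTERVAL_MIN <= interval <= INTERVAL_MAX:
            problems.append(f"pollingIntervalInSecs {interval} not within {INTERVAL_MIN}-{INTERVAL_MAX}")
    for dev in elem.findall("device"):
        ip = dev.get("ip", "")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"device ip {ip!r} is not a valid IP address")
    for oid in elem.findall("oid"):
        text = (oid.text or "").strip()
        if not OID_RE.match(text):
            problems.append(f"oid {text!r} is not dotted-numeric")
    return problems


def validate_collections(xml_text):
    """Map each collection (by name) to its list of problems."""
    # ET.fromstring is acceptable here because the file is written by the
    # Ridgeline administrator; for XML from untrusted sources prefer defusedxml.
    root = ET.fromstring(xml_text)
    return {c.get("name") or "<unnamed>": validate_collection(c)
            for c in root.findall("collection")}


# Constructed sample file (assumed element layout; see lead-in).
SAMPLE_XML = """<collections>
  <collection name="sysuptime-5min" pollingIntervalInSecs="300">
    <device ip="10.0.0.1"/>
    <oid>1.3.6.1.2.1.1.3.0</oid>
  </collection>
  <collection name="bad-interval" pollingIntervalInSecs="0">
    <device ip="10.0.0.999"/>
    <oid>1.3.6.1.2.1.1.3.0</oid>
  </collection>
  <collection name="" pollingIntervalInSecs="five">
    <oid>not-an-oid</oid>
  </collection>
</collections>
"""

if __name__ == "__main__":
    for name, problems in validate_collections(SAMPLE_XML).items():
        print(name, "OK" if not problems else problems)
```

Run it against the real file before clicking reload; a collection that fails the interval bound is the most common slip, since the value is in seconds and an accidental 0 or a value typed in milliseconds falls outside the Table 7 range.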
From this page, any user can view the details of the collection, view information about the devices on which data is being collected, view the xml file that defines the collections, and export the current results of the collection. A Ridgeline Administrator can start or stop polling for any or all of the collections, and can reload the collections.xml file.
Loading, Starting and Stopping a Collection
If a file named collections.
The top area of the MIB Collection Detail Report shows the properties of the collection, as defined in the collections.
Viewing the XML Collection Definition
To view the collection definitions, click the Show XML button in the MIB Collection Poller Summary. This displays the XML that defines the currently loaded collections. Figure 171 shows an example of the XML for a collection definition.
Figure 172: A MIB Query example
To perform a MIB query, you enter the required data into the appropriate fields:
● Enter into the first field the IP addresses of the devices from which you want to get data.
● Enter any scalar MIB OIDs you want to retrieve into the second field.
● Enter any table-based MIB OIDs into the third field.
Entries must be one item per line. Click Submit to execute the query. The results are returned in XML format in the reports window.
If changing ports with the Port Configuration Utility does not solve your port conflict problems, you can change some of the other ports used by the Ridgeline server. To change these ports, you must edit the runserver.sp file found in the jboss/bin directory under the Ridgeline installation directory:
● In Windows, this would be \Program Files\Extreme Networks\Ridgeline 3.0\jboss\bin\runserver.sp.
● In Solaris, it would be /opt/ExtremeNetworks/Ridgeline3.
Chapter 16: Creating and Running Ridgeline Scripts
This chapter describes how you can use Ridgeline to create and edit Ridgeline scripts, then run them on managed devices.
See http://www.tcl.tk for a list of Tcl commands supported in Ridgeline scripts. Some Tcl commands are not supported in Ridgeline scripts. See “Tcl Support in Ridgeline Scripts” in the Ridgeline Reference Guide for a list of blocked Tcl commands. Syntax and constructs from these sources work seamlessly within Ridgeline scripts. For example, the response from a switch to an ExtremeXOS CLI command issued from a script can be processed using Tcl functions.
Figure 174: Ridgeline Scripts View
The Scripts table lists all of the scripts configured in Ridgeline. To the right of the Scripts table is a view of the selected script. You can double click a script to open it in the Script Editor window, which is shown in Figure 175.
Figure 175: Ridgeline Script Editor Window
The Ridgeline Script Editor is where you can add content to a script, set values for parameters, specify runtime settings, and indicate which Ridgeline users can run the script.
Creating a New Ridgeline Script
To create a new Ridgeline script, select New > Script from the Ridgeline File menu. A Script Editor window appears, displaying a script with default content.
Figure 176: Ridgeline Script Editor Window
By default, a new script created in Ridgeline contains a metadata section where you can enter a script description and define script sections and metadata that appears on the Overview tab.
Tags” and “Ridgeline-Specific System Variables” in the Ridgeline Reference Guide for more information. For example:
Figure 177: Specifying a script description
A detailed script description can be placed between the metadata tags #@DetailDescriptionStart and #@DetailDescriptionEnd. This appears on the Description tab. You can place variable definition statements in the metadata section, so that variables can be defined by entering values in the Overview tab.
Figure 178: Defining variables in the metadata section of a script
When you do this, the variables appear on the Overview tab as script parameters, as shown in Figure 179.
Figure 179: Overview tab with a variable definition field
You can enter ExtremeXOS 12.1 CLI scripting commands and Tcl commands and constructs after the metadata section of the script. See “Ridgeline Script Reference” in the Ridgeline Reference Guide for information about what can appear in a Ridgeline script.
To save the script, select Save As... from the File menu. Ridgeline prompts you for the name of the script and for an optional script comment. You can save the script on the Ridgeline server, or you can click Export to and specify a directory on your local system. The script is saved in XML format.
Figure 180: Save Script As dialog
Specifying Run-Time Settings for a Script
To specify the run-time settings for a script, click the Run-time Settings tab.
● Whether to create an entry in the Ridgeline Audit Log when this script is run.
The first two settings apply to all users; the third is available to Ridgeline users with read/write access.
Specifying Permissions and Launch Points for a Script
You can specify which Ridgeline user roles have permission to run the script, and whether an option to run the script should appear in the Network Views menu or in a shortcut menu.
Running a Script
To run a script, do one of the following:
● Select a device, port, or group in a Network Views folder, and select Run script from the Device menu, or right-click the item and select Run script. If the script has been configured to be shown in the shortcut menu for the selected item, then the script is listed in the Run Script window, as shown in Figure 183.
Figure 184: Selecting the Order for Executing a Script
After the sequence for script execution has been selected, you can make device-specific changes to the parameters in the script.
To modify the script parameters for a device, select the device in the table, then click on the parameter you want to modify, and change it in the text box. The modified parameter applies only when the script is run on the selected device. After you have made device-specific parameter changes, the following window appears, which allows you to specify the script task options for the script.
Click Next to display a window where you can view the runtime information for the script and run it on the specified devices.
Figure 187: Script Verification Window
Click Run Script to execute the script on the selected devices. A window appears indicating the progress and results of the script execution.
Figure 188: Progress and Results of Script Execution
You can display the script execution results (and any errors) for each device where the script was executed. The results can be saved to a file. You can also elect to run the script again, or save the script as a script task. The Ridgeline Audit Log feature provides a way to view information about scripts that have been run on managed devices.
Figure 189: Import Script Window
3 In the From field, specify the location on your local system where the script file resides.
4 In the Script name field, enter the name of the script file to import.
5 Click Import to import the script into Ridgeline.
NOTE: Exported Ridgeline 6.0 Telnet macros cannot be imported as XML scripts.
Categorizing Scripts
You can optionally assign scripts to categories, such as “VLAN Scripts”, “Port Scripts”, and so on.
Figure 190: Categorize Script Window
4 To create a new category, click New, and specify a category name.
5 To assign the script to a category, click the button next to the category and click Save.
After a script has been assigned to a category, you can filter the scripts table using the category name.
Figure 192: Script Tasks Table
From the Script Tasks table, you can configure parameters for a script task as well as specify a schedule for running it. To configure a script task, double-click it in the table, or highlight it and select Open from the File menu. The Script Task Configuration window is displayed.
Figure 193: Script Task Configuration Window
● On the Script tab, you can specify global or device-specific parameters for the script.
Using the Audit Log to Troubleshoot Ridgeline Scripts
The Ridgeline Audit Log is a means for viewing information about the UPM profiles and Ridgeline scripts that have been deployed in your network. You can use the Audit Log as a troubleshooting aid to reveal errors when a Ridgeline script is run unsuccessfully. Using the Audit Log, you can correct the errors and redeploy the script.
Within each tab are filters that allow you to limit the information in the display based on the time period deployed, log table contents, or details table contents. The log table contains information about each deployed profile or script. The details table contains information about the deployment results of a selected profile or script on each device where it was run.
Figure 196: Response Detail Window for a Script
The response detail window displays messages generated when the script was run. As a troubleshooting aid, you can review the contents of the window for error messages. To open a script, select it in the Audit Log Details window and then select Open script from the File menu. The script is opened in an editor window. You can then make changes to the script, and rerun it.
Chapter 17: Using Identity Management
This chapter describes how to use Ridgeline to monitor the logon and network usage of LLDP devices and users connected to managed switches in your network. This information is obtained using the ExtremeXOS Identity Management feature.
Identity Management Software License
Your software license determines the level of Identity Management available on Ridgeline.
Figure 197: User Matched to a Defined Role
[Diagram: an Active Directory login for user “rrodgers” (a second user, “sharpster”, is also shown) is matched against the criteria Company = “EXTR”, State = “CA”, Department = “NMS” and assigned Role = “US Engineer”.]
Role-Based Access Control
You enable role-based access control on the switches and ports where user login data is identified. Then you define user roles that include conditions to match the user who has logged into the network.
Figure 198: Roles and Policies
● Employee role: Company = “Extreme”, priority 3. Policy: Can access intranet.
● Engineer role: Company = “Extreme”, Department = “Eng”, priority 2. Policy: Can access development subnet. Engineers inherit “Can access intranet” and will also be able to access the development subnet.
● Sales role. Policy: Can access customer information. The Sales role does not automatically inherit the Company match condition from Employee.
Figure 199: Hierarchical Role Management Example
● Employees (Company == XYZCORP): Policy 1: Allow common file shares; Policy 2: Allow access to time-sheet application
● Sales (Company == XYZCORP AND Department == Sales): Policy 3: Allow CRM applications; Policy 4: Deny Engineering resources
● Managers (Company == XYZCORP AND Department == Sales AND Title contains Manager): Policy 5: Allow access to Finance applications; Policy 6: Allow access to HR tools
● Engineers: Policy 7: Allow ac
Figure 200: Role Hierarchy (parent role with child roles; supports five levels)
Role Inheritance
Child roles inherit the policies of the parent role in the hierarchy. When an identity is assigned to a role, the policies and rules defined by that role and all higher roles in the hierarchy are applied.
LDAP Attributes and Server Selection
Active Directory provides Lightweight Directory Access Protocol (LDAP) service to Ridgeline. The following LDAP role match criteria can be assigned to the switch:
● Employee ID
● Title
● Email Address
● Department
● Company
● Locality
● State
● Country
If the Active Directory server being queried fails to respond, the next configured Active Directory server is contacted.
Figure 202: Enable Monitoring—Choose Devices
3 Choose Devices or a Device group.
4 Choose a device or devices on the list. Click Select all to include all the available switches or Clear all to deselect all the devices.
5 Click Next. If you choose Devices, the dialog box opens and asks: Enable monitoring on which devices? See Figure 203. Skip steps 6 and 7.
Figure 203: Enable Monitoring—Device Selection
6 If you have chosen Device groups to monitor, the next dialog opens and asks: Monitor Identities on which device groups? The dialog box shows the device groups you can monitor. You can expand each group to view the devices in it. See Figure 204. Select the device groups you want to monitor.
Figure 204: Enable Monitoring—Device Groups
Figure 205: Enable Monitoring—Port Selection
8 Choose the device whose ports you want monitored on the Selected devices list. See Figure 205. The Available ports list shows the available ports for the device. You must choose a minimum of 1 port on each device.
9 Click Add> to move the Available ports to the Selected ports list.
11 The Result dialog opens and shows a summary of the ports. See Figure 206. You can edit the virtual router (VR) names in this dialog.
Figure 206: Enable Monitoring Wizard—Results
12 Click Finish. This begins the port configuration process. When this process completes, the dialog box opens and shows the results. See Figure 207.
Figure 207: Enable Monitoring Wizard—Successful Results
13 To view the details of the script run, choose an item on the list. The details show in the field below. If Ridgeline cannot enable monitoring on a device, the list indicates: Unsuccessful. Select the item with an error. The script run details show in the field below.
Editing Monitored Device Ports
To edit ports that are being monitored on a device, do the following:
1 Go to Ridgeline Administration>ID management: Network users.
Figure 208: Edit Ports of Network Users devices
6 Click Save changes to modify the ports being monitored. Or, click Edit Notification to change additional port information such as:
● Host IP address
● XML target
● Connection type
● Virtual router (VR) name
7 Click Save changes. Ridgeline validates the changes and returns the results of the modification as successful or unsuccessful.
8 Click Close.
Figure 209: Choosing Disable Monitoring
3 A dialog asks you to confirm your selection. See Figure 210.
Figure 210: Disable Monitoring Confirmation
4 Click Yes to disable monitoring. Click No to continue monitoring on the switch. A dialog box confirms that monitoring is disabled on the devices you chose. See Figure 211.
Figure 212: Enabling Role Based Access Control Choice on the File Menu
Figure 213: Choose Devices to Enable Role-based Access Control
2 Choose the devices you want.
3 Click Next. The dialog box opens with the device highlighted and asks: Any specific client configuration? See Figure 214.
Figure 214: Client Configuration Dialog Box
4 Choose a VLAN from the drop-down list in the Directory server client attributes area.
5 Click Finish. The device shows on the Role-based access devices tab. See Figure 215.
Disabling Role-based Access Control
To disable role-based access control, do the following:
1 On the menu bar, go to Edit>Disable role-based access control. Or, right-click the device on the Devices enabled for role-based access control list. A menu opens. See Figure 216.
Figure 216: Disable Role-based Access Control on Ports Menus
2 Choose Disable role-based access control.
A role can:
● Be independent of a parent or a child
● Have children (8 maximum)
● Have only one parent
Defining a New Role
You can define network-wide roles, specify the match criteria for placing a device under the role, and set the role priority. You can create roles in a hierarchy to place a user under a role. To create a role hierarchy, you define one or more roles as child roles of what becomes the parent role.
● Can have a maximum of 32 characters.
● Can contain only alphabetic characters, numerals, hyphens, and underscores. All other special characters are invalid.
● Cannot have spaces.
● Cannot begin with a numeral.
● Cannot be assigned an existing name.
● Cannot be “authenticated” or “unauthenticated”.
If you do not use these conventions, the Invalid input dialog box opens. To review the rules for naming, click Details.
4 Type the values for the match criteria in the entry field on the right and choose the operators in the middle column:
● Equal to (==)
● Not equal to (!=)
● Contains
5 After entering the first condition, click New condition to add multiple conditions. A New condition field shows. See Figure 220. You can add a maximum of 16 conditions.
Figure 220: Create a New Role—Multiple Match Criteria Conditions
6 Click OK. Tree view and Table view list the new role.
Figure 221: Child Role Match Criteria Conditions
3 Enter the role name. You can also enter a description and set the priority. If you do not change the default priority, 255, the most recently created role receives the highest priority. See Figure 222.
4 Select Inherit parent criteria next to the Parent role name. The Match criteria area is populated with the match criteria of the parent.
Figure 222: Create Child Role—Inherit Parent Match Criteria
5 Add more match conditions if you want to further distinguish the user.
6 Click OK when you are satisfied with the match criteria. The criteria are copied from the parent; the switch itself does not inherit parent criteria. The inherited criteria count toward the maximum of 16 conditions allowed, as in the parent role. See Figure 223.
Figure 223: Create Child Role—Match Criteria
Tree View shows the new child role in the hierarchy. Table View lists roles by name and function. Refer to “Viewing Roles” on page 272.
Creating a Child Role with Conditions Inherited from a Different Role
A child role does not need to inherit match conditions from its parent. It can inherit conditions from another parent role, but the child role can still have only one parent. Only the conditions are inherited.
Figure 224: Inherit a Role from a Different Parent—Drop Down list
3 Choose the parent with the match conditions you want for the child role criteria. The conditions fill the match criteria fields when you do this. The criteria are copied from the parent; the switch does not inherit parent criteria. Each inherited criterion is a condition that counts toward the maximum of 16 conditions, as in the parent role.
4 Click OK.
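The role model described above (ANDed match conditions with the ==, != and contains operators, a 16-condition limit, at most 8 children and five hierarchy levels, parent criteria copied into the child only when inheritance is selected, and policies applied from the matched role plus every role above it) is small enough to write down. The following is an added illustration, not Ridgeline or ExtremeXOS code; it assumes that the lowest priority number wins when several roles match, that "contains" is a case-sensitive substring test, and the priorities and directory records are constructed values modelled on Figure 199.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_CONDITIONS = 16  # guide: at most 16 match conditions per role
MAX_CHILDREN = 8     # guide: a role may have at most 8 children
MAX_DEPTH = 5        # guide: the hierarchy supports five levels

# The three operators offered by the Create Role dialog.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "==": lambda actual, wanted: actual == wanted,
    "!=": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,   # assumption: case-sensitive
}


@dataclass(frozen=True)
class Condition:
    attribute: str   # LDAP attribute name, e.g. Company, Department, Title
    operator: str    # key into OPERATORS
    value: str

    def matches(self, identity: Dict[str, str]) -> bool:
        actual = identity.get(self.attribute)
        # An attribute absent from the directory record never satisfies a condition.
        return actual is not None and OPERATORS[self.operator](actual, self.value)


@dataclass
class Role:
    name: str
    priority: int = 255                 # dialog default; lower number wins (assumption)
    parent: Optional["Role"] = None
    inherit_criteria: bool = False      # the "Inherit parent criteria" checkbox
    conditions: List[Condition] = field(default_factory=list)
    policies: List[str] = field(default_factory=list)
    children: List["Role"] = field(default_factory=list, repr=False)

    def __post_init__(self) -> None:
        if self.parent is not None:
            if len(self.parent.children) >= MAX_CHILDREN:
                raise ValueError(f"{self.parent.name} already has {MAX_CHILDREN} children")
            if self.depth() > MAX_DEPTH:
                raise ValueError(f"{self.name} would exceed {MAX_DEPTH} hierarchy levels")
            self.parent.children.append(self)
            if self.inherit_criteria:
                # Inherited criteria are copied into the child and count
                # against the child's own 16-condition limit.
                self.conditions = list(self.parent.conditions) + list(self.conditions)
        if len(self.conditions) > MAX_CONDITIONS:
            raise ValueError(f"{self.name} has more than {MAX_CONDITIONS} conditions")

    def depth(self) -> int:
        return 1 if self.parent is None else 1 + self.parent.depth()

    def matches(self, identity: Dict[str, str]) -> bool:
        # Match criteria are ANDed: every condition must hold.
        return all(c.matches(identity) for c in self.conditions)

    def effective_policies(self) -> List[str]:
        # A role applies its own policies plus those of every ancestor.
        inherited = self.parent.effective_policies() if self.parent else []
        return inherited + list(self.policies)


def assign_role(identity: Dict[str, str], roles: List[Role]) -> Optional[Role]:
    """Pick the matching role with the best (lowest) priority number, or None."""
    matching = [r for r in roles if r.matches(identity)]
    return min(matching, key=lambda r: r.priority) if matching else None


# Hierarchy modelled on Figure 199 (the priority numbers are constructed).
EMPLOYEES = Role("Employees", priority=30,
                 conditions=[Condition("Company", "==", "XYZCORP")],
                 policies=["Allow common file shares", "Allow access to time-sheet application"])
SALES = Role("Sales", priority=20, parent=EMPLOYEES, inherit_criteria=True,
             conditions=[Condition("Department", "==", "Sales")],
             policies=["Allow CRM applications", "Deny Engineering resources"])
MANAGERS = Role("Managers", priority=10, parent=SALES, inherit_criteria=True,
                conditions=[Condition("Title", "contains", "Manager")],
                policies=["Allow access to Finance applications", "Allow access to HR tools"])
ROLES = [EMPLOYEES, SALES, MANAGERS]


def policies_for(identity: Dict[str, str]) -> List[str]:
    role = assign_role(identity, ROLES)
    return role.effective_policies() if role else []


if __name__ == "__main__":
    # Constructed directory record, not a real user.
    print(policies_for({"Company": "XYZCORP", "Department": "Sales",
                        "Title": "Regional Sales Manager"}))
```

A child created without inherit_criteria keeps only its own conditions, which is the point Figure 198 makes about the Sales role: a role that matches on Department alone will also match identities from another company unless the Company condition is copied in or added by hand.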
Figure 226: Configured Roles Table View
Viewing Role Details
Details about the role show on the right of the window, including the role name, description, priority, and the names of the related parent and child roles. The Match criteria tab below shows the conditions for the role. The Policies tab shows the attached policies in the order in which they apply. To view details about the created roles, do the following:
1 On the ID management: Roles tab, select the role for which you want to view details.
Figure 228: Role Details Definition and Policies Tab
Editing Roles
You can edit role parameters for parent-child relationships and the priority. Editing a role automatically attaches the updated role to all the switches that are enabled with Identity Management. To edit a role, do the following:
1 Select a role in Tree View or Table View and double-click. The Edit role dialog opens. If you are editing a child role, double-click the child on the Roles list.
Figure 229: Edit Roles Dialog
3 Click OK.
Deleting Roles
When you delete a role definition, the change is attached on all switches enabled with Identity Management. To delete a role, do the following:
1 Select a role on Tree View or Table View.
2 On the menu bar, go to Edit>Delete. A confirmation dialog asks if you are sure you want to delete the role and indicates child roles, if they exist. See Figure 230.
Figure 230: Information and Confirmation Dialog Box
3 Click Yes.
Policy Match Condition Combinations
Table 8 lists the ingress policy match condition combinations for Identity Management. The following items provide additional information about the match conditions:
● EXOS dynamically inserts the source IP. It does not allow you to add a source IP in the ingress policy.
● The egress policy is not supported for Identity Management.
Figure 232: Attach Policies to Roles Dialog Box
2 Choose a role from the Roles list. See Figure 232.
3 Choose a policy from the Available Policies column and move it to the Selected Policies column by clicking the arrow buttons.
4 Click Save Changes. The Association Modifications Page Summary opens. See Figure 233.
Figure 233: Attach Roles and Policies Summary Page
5 Click Finish. The Roles list shows the role is attached to a policy. See Figure 234.
Figure 234: Role Attached to Policy Shows on Roles List
Deleting a Policy Attached to a Role
To delete a policy that is attached to a role, you must first detach the policy from the role. Ridgeline does not allow you to delete a policy while it is attached to a role or VM.
After you have detached a policy from a role, you can delete the policy. Do the following:
1 Go to Policies to view the list of created policies.
2 Select the policy you want to delete.
3 Go to Edit on the menu bar and choose Delete. A dialog opens to confirm you want to delete the policy.
● If the connection succeeds, the second server is marked Active and all further LDAP requests are sent to the second server, and so on.
Configuring LDAP server settings in Ridgeline deploys the settings to all Identity Management enabled switches. If you add LDAP server settings when no switches have Identity Management enabled, Ridgeline uses the configured server settings for deployment when you later enable Identity Management.
Figure 237: Manage Servers Menu
Figure 238: LDAP Server Configuration and Edit Dialog Box
3 Click New at the bottom of the dialog box. The New directory server wizard opens.
4 Enter the server name and IP address/DNS name. The port number and default security mechanism are shown in the dialog box. See Figure 239.
Figure 239: New Directory Server Dialog Box
5 Click Next. The dialog box that opens asks: Any specific client configuration? See Figure 240.
6 Select an Identity Management enabled device from the list.
NOTE: To change the client IP address and VR-Name, you must select a VLAN.
Figure 240: Client IP Configuration Window
7 Change the Directory Server Client Attributes. You can also click Reset to IP Management, which resets the client attributes to use the VLAN and VR through which Ridgeline manages the device.
8 Click Finish.
Editing LDAP Client Properties
To edit LDAP client properties, do the following:
1 With the Directory servers tab open, go to File>Manage Servers. The LDAP Server Configuration dialog box opens, showing the currently configured LDAP servers.
Figure 241: Edit a Directory Server Configuration
2 Select the server you want, then click Edit client configuration at the bottom of the dialog box. The dialog box that opens shows the name of the server in the title. The server information is grayed out.
3 Click Next. The dialog opens and asks: Any specific client configuration? See Figure 240.
Figure 242: Edit a Specific Client Configuration
4 Edit the client properties you want to modify.
5 Click Save changes to table, then click Finish to return to the LDAP Server Configuration dialog.
6 Click Save changes.
7 Click Finish. The new configuration deploys to the switch.
Deleting a Directory Server
To delete a directory server, do the following:
1 Open the LDAP Server Configuration dialog box by double-clicking the server name on the Servers tab.
Figure 243: Delete Directory Server Dialog
Viewing Network User Information
After Identity Management is enabled on the switches you want to monitor, and you have configured Ridgeline to monitor them, you can view user and device information in Ridgeline dashboards, the Users table, and Ridgeline reports. From the Users table you can display detailed information about a selected user or device.
Figure 244: Network User Dashboard Reports on the Ridgeline Home Page
To place a dashboard on the Ridgeline home page, click the Home folder and select Show Dashboard Palette from the View menu. Drag the dashboard reports you want to view from the palette to the viewing area. When you are done, select Show Dashboard Palette from the View menu again to dismiss the Dashboard Palette. See Chapter 2 “Getting Started with Ridgeline” on page 24 for more information about working with dashboards.
Active Users Tab
Figure 245 shows the Active Users tab of the Users table.
Figure 245: Users Table – Active Users Tab
The Active Users tab of the Users table has the following columns. You can filter the contents of the table by expanding the Filter box and entering text and search criteria, or by expanding the Quick Filter box and selecting an available quick filter.
Type: The user type, either Human or Device.
Port name: The name of the port where the user connected to the network.
Member of: The device groups the user belongs to, if any.
Last updated: Date and time when information about the user was last received by Ridgeline.
Last attempt to update: The last time Ridgeline polled for information about the user, whether successful or not.
Inactive and Active Users Tab
Figure 245 shows the Inactive and Active Users tab of the Users table.
Log on time: Date and time the user logged on to the network. If the switch is running ExtremeXOS 12.3 or earlier, this is shown as Unavailable.
Port number: The port number on the switch where the user connected to the network.
User's MAC address: The MAC address of the user.
Device IP address: The IP address of the switch where the user connected to the network.
User's IP address: The IP address assigned to the user.
Status: Status of the user.
Figure 247: Network User Details Window
The Network User details window has the following fields:
User name: The login name of the human user, or “None” if it is a device user, along with an icon indicating the status of the user. The status icon indicates one of the following:
● The user is active.
● The last known status of the user is active.
● The user was unable to log into the network.
● The user is inactive.
Device IP address: The IP address of the switch where the user connected to the network.
Port number: The port number on the switch where the user connected to the network.
Port name: The name of the port where the user connected to the network.
Last updated: Date and time when information about the user was last received by Ridgeline.
Last attempt to update: The last time Ridgeline polled for information about the user, whether successful or not.
Chapter 18: Managing Network Device Configurations and Updates
This chapter describes how to use Ridgeline to manage your Extreme device configurations.
Figure 249: Scheduling archival configuration file uploads
You can schedule daily or weekly uploads, and specify the time of day (and day of the week) at which they should be done. This lets you schedule uploads at times when they will have the least impact on your network load. You can create a different schedule for each individual device, if that suits your needs.
When you view information about the configuration files that have been uploaded for a device in the main Configuration Manager window, the display indicates whether a baseline file exists for the device.
Figure 250: Configuration change report for changes detected in an archived configuration
Ridgeline combines into one report any differences detected in archive operations that occur within a 10-hour time frame, to avoid generating many small reports. If you are archiving a large number of devices, you may want to schedule them in groups with a time lapse in between that is sufficient for Ridgeline to save and email a completed report.
Managing Firmware Upgrades
Managing the versions of firmware on your devices can be a significant task, since there are a number of different versions for different device types and modules, and the versions of the software and bootROM images must be compatible as well.
Figure 251: Firmware Manager Window
Appendix A: Troubleshooting
This appendix describes how to resolve problems you may encounter with Ridgeline.
Troubleshooting Aids
If you are having problems with Ridgeline, there are several things you can do to help prevent or diagnose them. One of the first things you should do is run the Package Debug Info command. This command packages the various log, property, syslog, and other debugging information files and archives them into a zip file.
Enabling the Java Console
To facilitate problem diagnosis, you can attempt to duplicate the problem with the Java Console enabled. To enable the Java Console on Windows systems, do the following:
1 Go to the Windows Control Panel.
2 Click the Java icon to launch the Java Control Panel.
3 Click the Advanced tab.
4 Expand the Java console setting.
5 Click the Show console button.
6 Click Apply.
To change the color palette, double-click the Display icon in the Control Panel, select the Settings tab, and use the drop-down list in the Color Palette field to select the appropriate setting.
Problem: Browser does not bring up the Ridgeline Welcome page.
Verify the version of the browser you are using. See the system requirements in the Ridgeline Installation and Upgrade Guide or see the Ridgeline Release Notes shipped with the software.
To recover the database in Solaris, do the following:
1 Open a shell window (csh is used for the following example). The following commands assume you have accepted the default installation location, /opt/ExtremeNetworks/Ridgeline3.0. If you have installed Ridgeline in a different location, substitute the correct installation directory in the commands below.
2 Go to the Ridgeline install directory: cd /opt/ExtremeNetworks/Ridgeline3.
See “Administering Ridgeline” in the Ridgeline Reference Guide for information on Ridgeline Administration.
Problem: Telnet polling messages can fill up a device’s syslog file.
The Ridgeline server uses Telnet polling to retrieve certain switch information such as Netlogins, FDB data (if FDB polling is enabled) and power supply information. By default, Ridgeline does status polls every five minutes and detailed polls once every 90 minutes.
configure log filter DefaultFilter add exclude events All match string “<server IP address> <account name>: disable clipaging session”
For example, to set up the filter for a Ridgeline server with IP address 10.255.48.40, using account name “admin” to log in to the switch, you would enter the following:
configure log filter DefaultFilter add exclude events All match string “10.255.48.40 admin: disable clipaging session”
Problem: Traps may be dropped during a trap “storm.
4 Select the connection you want Ridgeline to use, use the up and down arrow buttons at the right to move it to the top of the list, then click OK.
5 Restart the Ridgeline server.
VLAN Management
Problem: Multiple VLANs have the same name.
A VLAN is defined by its name, its tag value, and its protocol filter definition. Ridgeline allows multiple VLANs with the same name if one of the defining characteristics of one VLAN differs from the other.
Problem: Multiple protocols have the same name.
Problem: An RMON rule is defined to monitor a counter variable and to cause an alarm when the counter exceeds a certain value. The counter has exceeded the threshold value but no alarm has occurred.
There are several things to check:
● Make sure the RMON rule and the alarm definition are set up correctly.
● If the value of the counter was already above the threshold value when you set up the RMON rule, and you have the Sample Type set to Absolute, no alarm will ever be generated.
Ridgeline Inventory
Problem: Multiple switches have the same name.
This is because the sysName of those switches is the same. Typically, Extreme Networks switches are shipped with the sysName set to the type of the switch (“Summit48,” “Summit1i,” “Alpine3808,” and so on). You can change the way names are displayed through a server property in Ridgeline Administration. You can display devices by name, or by IP address and name.
Reports
Problem: After viewing reports, you added a user-defined report, but it doesn’t appear in the list of reports on the main reports page.
The Reports page updates the list of reports when the page is loaded. To update the list, refresh the page.
Problem: Reports cannot be launched.
Due to a problem with Windows, sometimes reports cannot be launched from the Ridgeline client.
Appendix B: Configuring Devices for Use With Ridgeline
This appendix describes how to configure certain features on Extreme and third-party devices to enable Ridgeline features relating to those devices. It also includes information about configuring an external RADIUS server for use with Ridgeline.
Setting Ridgeline as a Trap Receiver
When Extreme devices are added to the Ridgeline inventory, they are automatically configured to send traps to the Ridgeline server. However, third-party devices are not automatically configured to do so. If you want alarms to function for third-party devices, you must manually configure the devices to send traps to the Ridgeline server.
● Launching of third-party proprietary device-related tools
Through this framework, integration of third-party devices can be accomplished independently of Ridgeline product releases. The integration is achieved by adding or editing XML, text, and image files to accomplish different levels of integration. Each aspect of device integration can be performed independently; for example, you can integrate a device into Ridgeline but elect not to integrate trap support in the Alarm System.
XML files for third-party devices extend and further specify properties unique to each device type and device. Extreme Networks devices are also recognized through this same ATL mechanism. When Ridgeline discovers a device, it searches this hierarchy for a match to the device or device type that will provide the properties for the device.
Figure 252: ATL XML file hierarchy. Root: All Devices. Below it, Extreme.xml (device types such as Extreme Summit and Extreme Unmanaged, then individual device files) and 3rd Party.xml (vendor files such as 3Com.xml), with further entries (etc.) at each level; an example device file is Summit_48.
Table 9: Attributes Used in an ATL File (continued)
TAG attribute: Value
SysobjectID: The OID value of the device, or the enterprise OID (if a device type).
Protocol: Use SNMP as the default value.
Attributes: Contains the properties that define the features and capabilities of the third-party device, such as enabling Telnet. These are described later in this section.
ImageIconsFilename: Provides the name of the image that is displayed in the navigation frame for the device.
The OID folder
Device images used for display in inventory and on topology maps are kept in the extreme.war/gifs directory, under directories named by the OID of the device. There are typically three files in these subdirectories:
● DeviceView.gif, the image (front panel or front and back panel) displayed in the Inventory window.
● MapView.gif, the small image that appears in the topology maps.
● DeviceInfo.
For example, the dpsimages.zip file included the file 3comicons.gif, which matches the name specified in the 3Com.xml file: 3comicons.gif. If individual devices do not require unique icons, the icon can be specified in the parent XML file (for the device type) and left out of the XML files for individual devices of that type.
Note that in the case of 3COM, the Telnet integration is handled at the device type level, since it is the same for all the 3COM devices. Therefore, it is not duplicated in each device ATL XML file, but handled once at the device type (enterprise) level.
Alarm Integration
Alarm integration for a third-party device enables Ridgeline users to create alarms based on trap events from the third-party device.
Table 11: Components of an Events.xml event entry (continued)
SubTypeName: The name of the specific event, e.g. “link down”. Together with the Type name, it forms the event name, e.g. “SNMP trap link down”.
The following is a sample entry for an SNMP V1 trap:
Once this integration has been accomplished, you can launch the third-party application from Ridgeline by selecting Third party applications from the Tools menu.
Appendix C: Using SSH for Secure Communication
This appendix describes in detail how to set up secure tunneling between the Ridgeline server and Ridgeline clients. By default, communication between the Ridgeline server and its clients is unencrypted. This means the traffic between client and server could easily be captured, including passwords, statistics, and device configurations. PuTTY is used in conjunction with Ridgeline to encrypt (tunnel) communication between a Ridgeline server and its clients.
Step 1: Install PuTTY on the Ridgeline Client
PuTTY is a free SSH application that can be downloaded from the following URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Download the file putty.exe. This program is not compressed (zipped) and does not require installation. You must download this application to each Ridgeline client for which you want to secure client-server communication.
Click on SSH in the left column tree, then select 2 for Preferred SSH protocol version, as shown in Figure 254.
Figure 254: The Basic SSH Settings
3 Under SSH, click on X11 to display the dialog shown in Figure 255. For X display location, type localhost:0.
Figure 255: SSH X11 Forwarding
4 Under SSH, click on Tunnels, as shown in Figure 256.
Figure 256: SSH Tunneling Settings
5 Click the Local radio button.
6 For the Source port, type the HTTP port number you configured when you installed Ridgeline (by default, this is port 8080).
7 For the Destination, type localhost:<port>, where <port> is the HTTP port you configured at installation (8080 by default).
8 Click Add. Doing so adds the source and destination HTTP ports to the Forwarded ports box.
9 Click Local again.
Figure 257: Saving the Session Profile
Click Save.
Step 3: Installing OpenSSH Server
The following section demonstrates the installation of the OpenSSH server on the Ridgeline server. If there is an SSH server already running on the Ridgeline server, skip this step.
1 Create a folder c:\cygwin.
2 Next, download the file setup.exe from http://www.cygwin.com/ and store it in the folder c:\cygwin.
3 Double-click the setup.exe file in the c:\cygwin directory.
Figure 258: Choose Installation Type
4 Click the Install from Internet radio button, then click Next. The Choose Installation Directory dialog appears.
Figure 259: Choose Installation Directory
5 In the Root Directory field, type C:\cygwin, which is where OpenSSH will be installed. Select the All Users radio button so all users will have access to the SSH server. Click Next. The Select Local Package Directory dialog appears.
Figure 260: Select Local Package Directory
6 In the Local Package Directory field, type C:\cygwin, then click Next.
7 When the Select Packages window appears (see Figure 261), click the View button for a full view.
Figure 261: Select Packages
8 Locate the line OpenSSH and click on the word skip so that an X appears in Column B.
9 Find the line cygrunsrv and click on the word skip so that an X appears in Column B.
10 Click Next to begin the installation.
11 Next, right-click My Computer and click Properties.
12 Select the Advanced tab and click Environment Variables.
Figure 263: System Variable for Cygwin Successfully Added
14 From the Environment Variables window, scroll the System variables list, select the Path variable, and click the Edit button.
Figure 264: Path Variable
15 Append “;c:\cygwin\bin” to the end of the existing variable string.
Figure 265: Modifying the Path
Click OK.
16 Next, open a Cygwin window by double-clicking the Cygwin icon. A black window appears.
Figure 266: Configuring the SSH Server Through Cygwin
17 At the prompt, enter ssh-host-config.
● When the script asks whether privilege separation should be used, answer yes.
● When the script asks about the local user, answer yes.
To configure the Windows Firewall to allow SSH connections, do the following:
1 Open the Windows Control Panel and double-click the Windows Firewall icon. The Windows Firewall window opens.
Figure 267: Configuring the Windows Firewall to Allow Port 22 Connections
2 Click on the Exceptions tab and click on Add Port…. The Add a Port window opens.
3 In the Name field, type SSH, and type 22 for the Port number. Click the TCP radio button, then click OK. The Windows firewall is now configured to allow SSH connections.
Step 5: Initiate Ridgeline Server/Client Communication
To establish an encrypted tunnel between the Ridgeline server and client, do the following:
1 Run the PuTTY application (putty.exe) and select the Ridgeline session.
2 Enter your SSH username and password. This creates an SSH session between the client and server.
Appendix D: Configuring RADIUS for Ridgeline Authentication
This appendix describes in detail how to set up an external RADIUS server to provide authentication services for Ridgeline users, when Ridgeline is configured to act as a RADIUS client. The following is a step-by-step walk-through using Microsoft Active Directory and Internet Authentication Service. This example also leads you through the process of setting up a VSA for passing role information.
Step 1.
1 To add a group, select the appropriate domain under Active Directory Users and Computers, click Users, then select New > Group.
Figure 270: Adding a Group
2 Type the same group name in each of the two group name fields. Scope should be Global; type should be Security. Click OK.
3 If you want to authenticate Ridgeline users with more than one role, repeat these steps to create a group that corresponds to each Ridgeline role you use.
1 In the Users list, right-click a user name and display the Properties dialog.
Figure 271: The Properties dialog for a user name
2 Click the Member Of tab, then click Add...
Figure 272: The Member Of tab
3 In the Enter the object names to select field, type the name of the Ridgeline-related group this user should be associated with (see Figure 273). Click OK to continue.
Figure 273: Adding a group for the user
4 Click the Dial-in tab and select the Allow access and No Callback radio buttons (see Figure 274). Click OK to continue.
Figure 274: The Dial-in tab configuration
Step 3. Enable Ridgeline as a RADIUS Client
Within the Internet Authentication Service, enable Ridgeline as a RADIUS client.
1 Under the Internet Authentication Service, click RADIUS Clients, then select New > RADIUS Client.
Figure 275: Adding a RADIUS Client to IAS
3 Select RADIUS Standard from the Client-Vendor drop-down menu, and type the shared secret twice. You must use this same shared secret when you configure Ridgeline as a RADIUS client.
Figure 276: Setting the shared secret for a RADIUS client
4 Click Finish. The new Ridgeline client should now appear in the list of RADIUS Clients under the Internet Authentication Service, as shown in Figure 277.
Figure 277: Verify the RADIUS client in IAS
Step 4. Create a Remote Access Policy for Ridgeline Users
Create a Microsoft Internet Authentication Service Remote Access Policy for each Ridgeline role that you plan to use. For each role (predefined roles such as Admin or Manager, or user-defined roles) a separate Remote Access Policy is needed, configured with the role information that must be transmitted to Ridgeline along with the user’s authentication status.
Figure 278: Configuring a Remote Access Policy using the wizard
3 To configure the Access Method (Figure 279), click the Ethernet radio button, then click Next to continue.
Figure 279: Selecting the Access Method for network access
4 The User or Group Access window appears. This is where you associate a group with this policy.
Figure 280: The User or Group Access selection
5 Select the Group radio button, then click Add.... The Select Groups pop-up window appears, as shown in Figure 281.
Figure 281: The Select Groups window
6 Click Locations.... The Locations pop-up appears, as shown in Figure 282.
Figure 282: The Locations window
7 Select the appropriate domain (the ebcdemo.com domain in this example) where your Ridgeline groups were created. Click OK to continue. This returns you to the Select Groups window, with the selected domain displayed (see Figure 283).
Figure 283: The Select Groups window after setting the location
8 Type the name of the group you want to associate with this remote access policy. Click OK to continue.
Figure 284: The User or Group Access window after selecting the domain and group
9 Next, select the Authentication Method to be used. From the EAP Type drop-down menu, select MD5-Challenge, then click Next.
Figure 285: Setting the Authentication Method for the policy
10 Click Finish in the final window to complete your configuration of the remote access policy.
Step 5. Edit the Remote Access Policy to add a VSA
Edit each new Remote Access Policy to add a Vendor Specific Attribute (VSA) or to set the Service-Type attribute value. If you are using just the standard Ridgeline built-in roles (Admin, Manager, Monitor), you can simply set the Service-Type attribute. If you have added administrator roles in Ridgeline and want to authorize users with those roles, create a VSA to pass the role information to Ridgeline.
Figure 287: The Properties window for a remote access policy
2 Remove the NAS-Port-Type matches Ethernet policy condition: select NAS-Port-Type matches Ethernet and click Remove.
3 Next, select the Windows-Group matches “EBCDEMO\Ridgeline” policy condition and click Edit Profile. The Edit Dial-in Profile window appears.
Figure 288: The Edit Profile window, Authentication Tab
4 Select the Authentication tab, and check Unencrypted authentication (PAP, SPAP). Then click the EAP Methods button. The Select EAP Providers pop-up window appears (Figure 289).
Figure 289: The Select EAP Providers window
5 Remove the MD5-Challenge method: select MD5-Challenge and click Remove. Then click OK. This returns you to the Edit Dial-in Profile window.
6 Select the Advanced tab, and click Add... The Add Attribute window appears.
Figure 290: The Edit Profile window, Advanced Tab
7 Select Vendor-Specific and click Add. The Multivalued Attribute Information window appears.
Figure 291: The Multivalued Attribute Information window
8 Click Add again. The Vendor-Specific Attribute Information window appears. This is where you add the Ridgeline VSA settings.
Figure 292: The Vendor-Specific Attribute Information window
9 Select the Enter Vendor Code radio button, and type 1916 as the vendor code. Select the Yes. It conforms radio button. Click Configure Attribute... The Configure VSA pop-up appears.
10 In the next window, provide the following:
● Enter 210 for the Vendor-assigned attribute number.
● Select String from the Attribute format drop-down menu.
● Type an Attribute value that matches one of the Ridgeline role names: either a predefined role name, such as Administrator or Monitor, or a user-defined role name. If the Attribute value does not match a role, the user defaults to the Monitor role only. Ridgeline roles can be found in Ridgeline Administration under the Roles tab.
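As an added illustration (not code from the Ridgeline guide or from Extreme Networks), the following Python encodes the RFC 2865 Vendor-Specific attribute that Steps 9 and 10 configure (vendor code 1916, vendor-assigned attribute 210, String format, the "Yes. It conforms" layout) and shows how a RADIUS client would validate it and fall back to the Monitor role when the value matches no known role. The role set, the function names, and the sample attribute bytes are assumptions constructed for the example.

```python
import struct

# Values from the guide: Extreme Networks vendor code and the role attribute number.
VENDOR_ID_EXTREME = 1916
VSA_RIDGELINE_ROLE = 210
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific
# Constructed role set for the example; real deployments read roles from Ridgeline Administration.
BUILT_IN_ROLES = frozenset({"Administrator", "Manager", "Monitor"})
DEFAULT_ROLE = "Monitor"  # the guide's fallback when the attribute value matches no role


def build_role_vsa(role: str) -> bytes:
    """Encode a role name as an RFC 2865 Vendor-Specific attribute.

    Layout: Type(26) Length Vendor-Id(4 bytes) Vendor-Type(210) Vendor-Length Value
    Vendor-Length covers vendor-type, vendor-length and the value itself.
    """
    value = role.encode("utf-8")
    vendor_data = struct.pack("!BB", VSA_RIDGELINE_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_ID_EXTREME) + vendor_data
    if 2 + len(body) > 255:  # RADIUS attribute length is a single octet
        raise ValueError("role name too long for one attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length exceeds remaining data")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def role_from_attributes(data: bytes, known_roles=BUILT_IN_ROLES) -> str:
    """Return the Ridgeline role carried in the Extreme VSA, or Monitor if absent/unknown."""
    for atype, value in parse_attributes(data):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != VENDOR_ID_EXTREME:
            continue  # some other vendor's attribute; not ours to interpret
        vtype, vlen = value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            continue  # malformed vendor data: ignore rather than trust it
        if vtype != VSA_RIDGELINE_ROLE:
            continue
        role = value[6:4 + vlen].decode("utf-8", errors="replace")
        # Exact match only, as the guide describes; anything else is Monitor.
        return role if role in known_roles else DEFAULT_ROLE
    return DEFAULT_ROLE


if __name__ == "__main__":
    # Constructed sample: a User-Name attribute (type 1) followed by the role VSA.
    sample = bytes([1, 7]) + b"alice" + build_role_vsa("Manager")
    print(role_from_attributes(sample))  # Manager
```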
Step 6. Configure Ridgeline as a RADIUS Client
Once Ridgeline is configured in IAS as a RADIUS client, you must also configure it as a RADIUS client through Ridgeline Administration.
1 In Ridgeline Administration, select the RADIUS tab, as shown in Figure 295.
Figure 295: Configuring Ridgeline as a RADIUS client
2 Click the Enable system as a RADIUS client button. The Client Configuration section of the page becomes available.
Appendix E: Ridgeline Utilities
This appendix describes several utilities, scripts, and commands shipped with the Ridgeline software and installed on the Ridgeline server:
● The Package Debug Info utility (on page 349), which collects the various log files and other system information into an archive file (zip-format file) that can be sent to the Extreme Networks technical support organization to help troubleshoot problems with Ridgeline.
Ridgeline_debug_info_.zip and is placed in the top-level Ridgeline server installation directory. To run the Package Debug Info command, go to /jboss/bin and run PackageDebugInfo.exe (PackageDebugInfo.bin in Linux or Solaris). You can specify a directory and a base file name as arguments to the PackageDebugInfo command:
● Use -output-file to change the name of the file. (If you specify your own file name, no timestamp is appended.)
Figure 296: Ridgeline Port Configuration Utility
There are two tabs, one for the Web (HTTP) port and one for the Database port. Each shows the current port number and the default port number, and provides a field where you can enter a new number.
2 Type in new port values for the ports you want to change (click the Database tab to display the database port information). To reset a port value to its default, type in the default port number (shown below the editable field for each port).
device configurations. You can specify a list of devices in a file and have them added in a single operation. The DevCLI is useful for updating the Ridgeline inventory database quickly when large numbers of devices are added, modified, or removed, or if changes occur frequently. It can also be useful when you want to duplicate the device inventory and device configurations across multiple installations of the Ridgeline server.
Table 12: DevCLI command options
Option  Value  Default
-a  Device IP address. This option can be specified more than once.  None
-b  SNMP version 3 user name.  initialmd5
-d  Device password.  “”
-f  Input file name for IP addresses. This specifies an ASCII file that contains a list of IP addresses, one per line. No other information can be included in this file. This option can be specified more than once.  None
● To add two devices (10.205.0.98 and 10.205.0.99) to the Ridgeline database on the local host, with read community string “read” and write community string “write,” enter the following command:
devcli add -u admin -a 10.205.0.98 -a 10.205.0.99 -r read -w write
● To delete a set of devices specified in the file “devList.txt” with device login “admin2” and password “purple,” enter the following command:
devcli del -u admin -f devList.txt -l admin2 -d purple
The file devList.
● slots.bat (Windows) or slots.sh (Linux or Solaris) exports slot information from the Ridgeline database. To run the command as user “user1” and export slot information to file slotinfo.csv under Windows, enter the commands:
cd “\Program Files\Extreme Networks\Ridgeline 3.0\user.war\scripts\bin”
slots.bat -u user1 -o slotinfo.csv
Under Linux or Solaris, enter the commands:
cd /opt/ExtremeNetworks/Ridgeline3.0/user.war/scripts/bin
slots.sh -u user1 -o slotinfo.csv
msinv.
NOTE The inv.bat, inv.sh, slot.bat, and slot.sh scripts retrieve information only from a Ridgeline server that runs on the same machine as the scripts.
Inventory Export Examples
The following examples illustrate the usage of these commands.
● To export slot information to the file slotinventory.csv from the Ridgeline database whose login is “admin123” and password is “sesame” under Windows, enter the following command:
slots.bat -u admin123 -p sesame -o slotinventory.
variable may be helpful in diagnosing problems with a device or its configuration, if its behavior as seen through the Ridgeline software is not as expected. Use of this utility assumes you are familiar with SNMP MIBs, and can determine the OID of the variable you want to retrieve, as well as the meaning of the results that are returned.
NOTE The SNMPCLI utility uses SNMP version 1.
SNMPCLI Examples
The following examples illustrate the usage of these commands.
● To retrieve the values of the extremePrimaryPowerOperational and extremeRedundantPowerStatus variables for the Extreme Networks device with IP address 10.205.0.99, with read community string “purple” and a timeout of 1000 ms, enter the following command:
snmpcli snmpget -a 10.205.0.99 -r purple -t 1000 -o .1.3.6.1.4.1.1916.1.1.1.10.0 -o .1.3.6.1.4.1.1916.1.1.1.11.0
This returns the following:
IP Address: 10.205.
The Ridgeline user name is required. All other parameters are optional. The basic command displays information about the last 300 alarms in the Ridgeline database. By using filtering options, you can display information about selected alarms. You can specify a time period of interest as well as characteristics of the alarms you want to include.
Table 15: AlarmMgr command options (continued)
Option  Value  Default
-help  Displays syntax for this command  None
● You can specify only one Ridgeline server (database) in a command. If you want to display alarms from multiple Ridgeline databases, you must use a separate command for each server.
● The options for specifying the relevant time period (-h, -d, and -y) are mutually exclusive and cannot be combined.
● To display all alarm log entries for the alarm named FanFailed in the local Ridgeline database that occurred yesterday and are unacknowledged, enter the following command:
AlarmMgr -user admin -y -u -an “Fan Failed”
● To find all alarm log entries that were generated from port 12 on device 10.2.3.4, and place the results in the file device1.txt, enter the following command:
AlarmMgr -user admin -dip 10.2.3.4 -p 12 -f device1.
Table 16: FindAddr command options (continued)
Option  Value  Default
-port  Ridgeline server port number. Do not specify this after the -dip option or it will be taken as a search domain specification.  80
-f  Name of file to receive output. If you do not specify a path, the file is placed in the current directory. If the file already exists, it is overwritten.  Command window (stdout)
-help  Displays syntax for this command.
● You can specify each search domain option multiple times.
- Wildcards are not supported for device IP addresses. To include multiple devices in the search domain, you can specify a device group that contains the devices, or specify multiple -dip options.
- To restrict the search domain to one or more ports on a device, specify the -port option immediately after the -dip option. If you place it anywhere else in the command, it will be taken as the server port specification.
This command provides a command-line version of some of the functionality available in the Ridgeline Configuration Manager.
Using the TransferMgr Command
The TransferMgr utility is located in the Ridgeline bin directory, /client/bin. By default this is \Program Files\Extreme Networks\Ridgeline 3.0\client\bin in Windows, or /opt/ExtremeNetworks/Ridgeline3.0/client/bin in a UNIX environment.
Table 17: TransferMgr command options (continued)
Option  Value  Default
-fl  Directory or path below the configs directory where the upload file should be placed. is the location of your TFTP server. By default, is \user\tftp.  \configs
-a  Place upload file into the archive directory (\configs\\\\ _
NOTE Make sure the software version you download is compatible with the switch. If you download an incompatible version, the switch may not function properly.
● For uploading, you can specify multiple devices in one command. For the download options (-download, -incremental, and -software) you can specify only one device per command. If you want to download to multiple devices, you must execute multiple TransferMgr commands.
This command includes options for specifying Ridgeline server access information, the operation to be performed (create, modify, or delete), the name of the VLAN, and the devices in the VLAN with their configuration options.
Importing from a File. To import data from a text file, you define the resources you want to import in a tab-delimited text file. See “Importing from a File” in Chapter 8 of the Ridgeline Reference Guide for details.
Importing from an LDAP Directory.
Table 18: ImportResources command options (continued)
Option  Value  Default
-ldap  Specifies that the information to be imported is from an LDAP directory. Requires a specification file named LDAPConfig.txt that resides in the Ridgeline user.war/import directory. See “Importing from an LDAP Directory” in the Ridgeline Reference Guide for details.  None
-domain  Specifies that the information to be imported is from a Windows Domain Controller server or a Linux or Solaris NIS server.
To use the configFreeRadius command, do the following:
1 Open a command line console (Figure 297) and enter: cd
Figure 297: Command Line
2 At the next prompt, enter the following commands as described in Table 19:
Table 19: ConfigFreeRadius Command Options
Command  Function
configFreeRadius  Set the FreeRADIUS server to listen for requests on all the IP addresses of the server.