Summit 300-48 Switch Software User Guide
Software Version 6.2a

Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
http://www.extremenetworks.com

Published: September 2003
Part number: 123007-00 Rev.
©2003 Extreme Networks, Inc. All rights reserved. Extreme Networks, ExtremeWare, Alpine, and BlackDiamond are registered trademarks of Extreme Networks, Inc. in the United States and certain other jurisdictions.
Contents

Preface
  Introduction
  Conventions
  Related Publications

Chapter 1  ExtremeWare Overview
  Summary of Features: Unified Access; Virtual LANs (VLANs); Spanning Tree Protocol; Quality of Service; Load Sharing; ESRP-Aware Switches
  Software Licensing
  Security Licensing: Obtaining a Security License; Security Features Under License Control
  Software Factory Defaults

Chapter 2  Accessing the Switch
  Understanding the Command Syntax: Syntax Helper; Command Short
  Configuring Management Access: User Account; Administrator Account; Default Accounts; Creating a Management Account
  Domain Name Service Client Services
  Checking Basic Connectivity: Ping; Traceroute

Chapter 3  Managing the Switch
  Overview
  Using the Console Interface
  Using Telnet: Connecting to Another Host Using Telnet; Configuring Switch IP Parameters; Disconnecting a Telnet Session; Controlling Telnet Access
  Using Secure Shell 2 (SSH

Chapter 4  Configuring Ports on a Switch
  Port Numbering
  Enabling and Disabling Switch Ports
  Configuring Switch Port Speed and Duplex Setting
  Switch Port Commands
  Load Sharing on the Switch: Load-Sharing Algorithms; Configuring Switch Load Sharing; Load-Sharing Example; Verifying the Load-Sharing Configuration
  Switch Port-Mirroring: Port-Mirroring Commands; Port-Mirroring Example
  Extreme Discovery Protocol: EDP Commands

Chapter 5  Virtual LANs (VLANs)
  Overview of Virtual LANs
  Benefit

Chapter 6  Wireless Networking
  Configuring Wireless Port Interfaces
  Managing Wireless Clients
  Show Commands
  Event Logging and Reporting

Chapter 7  Unified Access Security
  Overview of Security
  User Access Security: Authentication; Privacy; Cipher Suites
  Network Security Policies: Policy Design; Policy Examples; Policies and RADIUS Support; RADIUS Attributes
  CLI Commands for Security on the Switch: Security Profile Commands
  Example Wireless Configura

Chapter 10  Access Policies
  Overview of Access Policies: Access Control Lists; Rate Limits
  Using Access Control Lists: Access Masks; Access Lists; Rate Limits; How Access Control Lists Work; Access Mask Precedence Numbers; Specifying a Default Rule; The permit-established Keyword; Adding Access Mask, Access List, and Rate Limit Entries; Deleting Access Mask, Access List, and Rate Limit Entries; Verifying Access Control List Configurations; Access Control List Commands; Acce

Status Monitoring
  Port Statistics
  Port Errors
  Port Monitoring Display Keys
  Setting the System Recovery Level
  Logging: Local Logging; Remote Logging; Logging Configuration Changes; Logging Commands
  RMON: About RMON; RMON Features of the Switch; Configuring RMON; Event Actions

Spanning Tree Protocol (STP)
  Overview of the Spanning Tree Protocol
  Spanning Tree Domains: Defaults; STPD BPDU Tunneling
  STP Configurations

Routing
  Resetting and Disabling Router Settings
  Configuring DHCP/BOOTP Relay: Verifying the DHCP/BOOTP Relay Configuration
  UDP-Forwarding: Configuring UDP-Forwarding; UDP-Forwarding Example; ICMP Packet Processing; UDP-Forwarding Commands

Appendix A  Safety Information: Important Safety Information; Power; Power Cord Connections; Lithium Battery
Appendix B  Supported Standards
Appendix C  Software Upgrade and Boot Options
Appendix D
  Downloading a New I
  Debug Tracing
  TOP Command
  Contacting Extreme Technical Support

Index
Index of Commands
Figures
  Figure 1  Example of a port-based VLAN on the Summit 300-48 switch
  Figure 2  Single port-based VLAN spanning two switches
  Figure 3  Two port-based VLANs spanning two switches
  Figure 4  Physical diagram of tagged and untagged traffic
  Figure 5  Logical diagram of tagged and untagged traffic
  Figure 6  Sample integrated wired and wireless network
  Figure 7  Permit-established access list example topology
  Figure 8  Access control list denies all TCP and UDP traffic
  Figure 9  Access list allows TCP traffic
Tables
  Table 1   Notice Icons
  Table 2   Text Conventions
  Table 3   ExtremeWare Summit 300-48 Factory Defaults
  Table 4   Command Syntax Symbols
  Table 5   Line-Editing Keys
  Table 6   Common Commands
  Table 7   Default Accounts
  Table 8   DNS Commands
  Table 9   Ping Command Parameters
  Table 10  SNMP Configuration Commands
  Table 11  RADIUS Commands
  Table 12  Multiselect List Box Key Definitions
  Table 13  Greenwich Mean Time Offsets
  Table 14  SNTP Configuration Commands
  Table 15  Switch Port Commands
  Table 16  Switch Port-Mirroring Configu
  Security Profile Command Property Values
  Per-Port LEDs
  Power Over Ethernet Configuration Commands
  PoE Show Commands
  FDB Configuration Commands
  Access Control List Configuration Commands
  Traffic Type and QoS Guidelines
  QoS Configuration Commands
  Traffic Groupings by Precedence
  802.1p Priority Value-to-QoS Profile to Hardware Queue Default Mapping
  802.
Preface

This preface provides an overview of this guide, describes guide conventions, and lists other publications that may be useful.

Introduction

This guide provides the required information to install the Summit™ 300-48 switch and configure the ExtremeWare™ software running on the Summit 300-48 switch. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment.
Table 1: Notice Icons (continued)

  Notice Type   Alerts you to...
  Caution       Risk of personal injury, system damage, or loss of data.
  Warning       Risk of severe personal injury.

Table 2: Text Conventions

  Convention                      Description
  Screen displays                 This typeface indicates command syntax, or represents information as it appears on the screen.
  The words “enter” and “type”    When you see the word “enter” in this guide, you must type something, and then press the Return or Enter key.
1 ExtremeWare Overview

This chapter describes the following topics:
• Summary of Features
• Security Licensing
• Software Factory Defaults

ExtremeWare is the full-featured software operating system that is designed to run on the Summit 300-48 switch. This section describes the supported ExtremeWare features for the Summit 300-48 switch.
• SSH2 connection
• Simple Network Management Protocol (SNMP) support
• Remote Monitoring (RMON)
• Traffic mirroring for ports

Unified Access

The Summit 300-48 supports the Unified Access architecture, enabling wired and wireless applications across a completely integrated enterprise infrastructure. With the Altitude product line, the Summit 300-48 supports 802.11 WLAN connectivity. Provisioning of Unified Access is completely controlled by the Summit 300-48.
Quality of Service

ExtremeWare has Quality of Service (QoS) features that support IEEE 802.1p, MAC QoS, and four queues. These features enable you to specify service levels for different traffic groups. By default, all traffic is assigned the “normal” QoS policy profile. If needed, you can create other QoS policies and rate-limiting access control lists and apply them to different traffic types so that they have different maximum bandwidth and priority.
Security Licensing

Certain additional ExtremeWare security features, such as the use of Secure Shell (SSH2) encryption, may be under United States export restriction control. Extreme Networks ships these security features in a disabled state. You can obtain information on enabling these features at no charge from Extreme Networks.
Table 3: ExtremeWare Summit 300-48 Factory Defaults (continued)

  Item                    Default Setting
  IP multicast routing    Disabled
  IGMP                    Enabled
  IGMP snooping           Disabled
  SNTP                    Disabled
  DNS                     Disabled
  Port Mirroring          Disabled
  Wireless                Enabled

NOTE: For default settings of individual ExtremeWare features, see the applicable individual chapters in this guide.
2 Accessing the Switch

This chapter describes the following topics:
• Understanding the Command Syntax
• Line-Editing Keys
• Command History
• Common Commands
• Configuring Management Access
• Domain Name Service Client Services
• Checking Basic Connectivity

Understanding the Command Syntax

This section describes the steps to take when entering a command.
Syntax Helper

The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular command, enter as much of the command as possible and press [Return]. The syntax helper provides a list of options for the remainder of the command. The syntax helper also provides assistance if you have entered an incorrect command.

Command Completion with Syntax Helper

ExtremeWare provides command completion by way of the [Tab] key.
Names

All named components of the switch configuration must have a unique name. Names must begin with an alphabetical character and are delimited by whitespace, unless enclosed in quotation marks.

Symbols

You may see a variety of symbols shown as part of the command syntax. These symbols explain how to enter the command, and you do not type them as part of the command itself. Table 4 summarizes command syntax symbols.
Table 5: Line-Editing Keys (continued)

  Symbol                Description
  [Ctrl] + W            Deletes previous word.
  Insert                Toggles on and off. When toggled on, inserts text and shifts previous text to right.
  Left Arrow            Moves cursor to left.
  Right Arrow           Moves cursor to right.
  Home or [Ctrl] + A    Moves cursor to first character in line.
  End or [Ctrl] + E     Moves cursor to last character in line.
  [Ctrl] + L            Clears screen and moves cursor to beginning of line.
Table 6: Common Commands (continued)

config sys-recovery-level [none | critical | all]
    Configures a recovery option for instances where an exception occurs in ExtremeWare. Specify one of the following:
    • none — Recovery without system reboot.
    • critical — ExtremeWare logs an error to the syslog, and reboots the system after critical exceptions.
    • all — ExtremeWare logs an error to the syslog, and reboots the system after any exception.
Table 6: Common Commands (continued)

disable ssh2
    Disables SSH2 access to the switch.
disable telnet
    Disables Telnet access to the switch.
enable bootp vlan [ | all]
    Enables BOOTP for one or more VLANs.
enable cli-config-logging
    Enables the logging of CLI configuration commands to the Syslog for auditing purposes. The default setting is enabled.
User Account

A user-level account has viewing access to all manageable parameters, with the exception of:
• User account database.
• SNMP community strings.

A user-level account can use the ping command to test device reachability, and change the password assigned to the account name. If you have logged on with user capabilities, the command-line prompt ends with a (>) sign.
Changing the Default Password

Default accounts do not have passwords assigned to them. Passwords must have a minimum of four characters and can have a maximum of 12 characters.

NOTE: User names and passwords are case-sensitive.

To add a password to the default admin account, follow these steps:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return].
Viewing Accounts

To view the accounts that have been created, you must have administrator privileges. Use the following command to see the accounts:

    show accounts

Deleting an Account

To delete an account, you must have administrator privileges. To delete an account, use the following command:

    delete account

NOTE: The account name admin cannot be deleted.
Checking Basic Connectivity

The switch offers the following commands for checking basic connectivity:
• ping
• traceroute

Ping

The ping command enables you to send Internet Control Message Protocol (ICMP) echo messages to a remote IP device. The ping command is available for both the user and administrator privilege level.
• from uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used.
• ttl configures the switch to trace up to the time-to-live number of the switch.
• port uses the specified UDP port number.
3 Managing the Switch

This chapter describes the following topics:
• Overview
• Using the Console Interface
• Using Telnet
• Using Secure Shell 2 (SSH2)
• Using SNMP
• Authenticating Users
• Using ExtremeWare Vista
• Using the Simple Network Time Protocol

Overview

Using ExtremeWare, you can manage the switch using the following methods:
• Access the CLI by connecting a terminal (or workstation with terminal-emulation
Using the Console Interface

The CLI built into the switch is accessible by way of the 9-pin, RS-232 port labeled console, located on the front of the Summit 300-48 switch. After the connection has been established, you will see the switch prompt and you can log in.

Using Telnet

Any workstation with a Telnet facility should be able to communicate with the switch over a TCP/IP network. Up to eight active Telnet sessions can access the switch concurrently.
You can enable BOOTP on a per-VLAN basis by using the following command:

    enable bootp vlan [ | all]

By default, BOOTP is disabled on the default VLAN. To enable the forwarding of BOOTP and Dynamic Host Configuration Protocol (DHCP) requests, use the following command:

    enable bootprelay

If you configure the switch to use BOOTP, the switch IP address is not retained through a power cycle, even if the configuration has been saved.
When you have successfully logged in to the switch, the command-line prompt displays the name of the switch in its prompt.

5 Assign an IP address and subnetwork mask for the default VLAN by using the following command:

    config vlan ipaddress {}

For example:

    config vlan default ipaddress 123.45.67.8 255.255.255.0

Your changes take effect immediately.
Controlling Telnet Access

By default, Telnet services are enabled on the switch. To display the status of Telnet, use the following command:

    show management

You can choose to disable Telnet by using the following command:

    disable telnet

To re-enable Telnet on the switch, at the console port use the following:

    enable telnet

You must be logged in as an administrator to enable or disable Telnet.
You can specify a list of predefined clients that are allowed SSH2 access to the switch. To do this, you must create an access profile that contains a list of allowed IP addresses. For more information on creating access profiles, refer to Chapter 10. You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22. The supported cipher is 3DES-CBC. The supported key exchange is DSA.
Supported MIBs

In addition to private MIBs, the switch supports the standard MIBs listed in Appendix B.

Configuring SNMP Settings

The following SNMP parameters can be configured on the switch:
• Authorized trap receivers — An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMP traps to all trap receivers. You can have a maximum of 16 trap receivers configured for each switch.
Table 10: SNMP Configuration Commands (continued)

config snmp sysname
    Configures the name of the switch. A maximum of 32 characters is allowed. The default sysname is the model name of the device (for example, Summit 300-48). The sysname appears in the switch prompt.
disable snmp access
    Disables SNMP on the switch. Disabling SNMP access does not affect the SNMP configuration (for example, community strings).
Authenticating Users

ExtremeWare provides a RADIUS client to authenticate switch admin users who log in to the switch:

RADIUS Client

Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administering access to network nodes. The ExtremeWare RADIUS client implementation allows authentication for Telnet or console access to the switch. You can define a primary and secondary RADIUS server for the switch to contact.
Table 11: RADIUS Commands (continued)

show radius
    Displays the current RADIUS client configuration and statistics.
unconfig radius {server [primary | secondary]}
    Unconfigures the RADIUS client configuration.
    eric Password = "", Service-Type = Administrative
        Filter-Id = "unlim"
    albert Password = "password", Service-Type = Administrative
        Filter-Id = "unlim"
    samuel Password = "password", Service-Type = Administrative
        Filter-Id = "unlim"

RADIUS Per-Command Configuration Example

Building on this example configuration, you can use RADIUS to perform per-command authentication to differentiate user capabilities.
        Filter-Id = "unlim"
    admin Password = "", Service-Type = Administrative
        Filter-Id = "unlim"
    eric Password = "", Service-Type = Administrative, Profile-Name = ""
        Filter-Id = "unlim"
        Extreme:Extreme-CLI-Authorization = Enabled
    albert Password = "", Service-Type = Administrative, Profile-Name = "Profile1"
        Filter-Id = "unlim"
        Extreme:Extreme-CLI-Authorization = Enabled
    lulu Password = "", Service-Type = Administrative, Profile-Name = "Profile1"
        Filter-Id = "unlim"
        Extreme:Extreme-CLI-Aut
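As an added example, not taken from the guide, the following Python parses entries in the users-file layout shown above and reports the settings a reviewer would want to confirm before deploying them: administrative entries whose Password check item is empty, entries with Extreme-CLI-Authorization enabled but no Profile-Name, and administrative entries with no per-command authorization at all. The sample input is constructed and modelled on the guide's entries, and the layout rules (a column-0 line names the user and carries the check items, indented lines carry reply attributes) are an assumption drawn from that sample.

```python
"""Parse and audit RADIUS users-file entries in the layout shown above.

Added example; not code from the Extreme Networks guide.  Layout rules are an
assumption drawn from the guide's sample: a line beginning in column 0 names
the user and lists comma-separated check items (Password, Service-Type,
Profile-Name); indented continuation lines list reply attributes (Filter-Id,
Extreme:Extreme-CLI-Authorization).
"""
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the guide's entries (not a real users
# file); "password" stands in for a site-specific secret.
SAMPLE_USERS_FILE = """\
admin Password = "", Service-Type = Administrative
    Filter-Id = "unlim"
eric Password = "", Service-Type = Administrative, Profile-Name = ""
    Filter-Id = "unlim"
    Extreme:Extreme-CLI-Authorization = Enabled
albert Password = "password", Service-Type = Administrative, Profile-Name = "Profile1"
    Filter-Id = "unlim"
    Extreme:Extreme-CLI-Authorization = Enabled
"""

# One "Name = value" pair.  The value is either a quoted string (group 2 holds
# the contents, which may be empty) or a bare token running up to the next comma.
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|([^,]+))')


@dataclass
class RadiusUser:
    name: str
    check: dict = field(default_factory=dict)   # check items from the user line
    reply: dict = field(default_factory=dict)   # reply attributes from continuation lines


def _parse_attrs(text):
    """Return {name: value} for every attribute pair in one line fragment."""
    attrs = {}
    for m in ATTR_RE.finditer(text):
        quoted, bare = m.group(2), m.group(3)
        attrs[m.group(1)] = quoted if quoted is not None else bare.strip()
    return attrs


def parse_users_file(text):
    """Parse users-file text into a list of RadiusUser, in file order."""
    users = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                  # continuation line: reply attributes
            if current is None:
                raise ValueError("reply attributes before any user line")
            current.reply.update(_parse_attrs(line))
        else:                                  # user line: name followed by check items
            name, _, rest = line.partition(" ")
            current = RadiusUser(name=name, check=_parse_attrs(rest))
            users.append(current)
    return users


def audit(users):
    """Return (user, finding) pairs for settings a reviewer should confirm.

    Service-Type Administrative is the guide's marker for an administrative
    login; the per-command example pairs Extreme-CLI-Authorization with a
    Profile-Name, so an enabled flag with an empty profile is worth a look.
    """
    findings = []
    for u in users:
        is_admin = u.check.get("Service-Type") == "Administrative"
        cli_auth = u.reply.get("Extreme:Extreme-CLI-Authorization") == "Enabled"
        if is_admin and u.check.get("Password", "") == "":
            findings.append((u.name, "administrative entry with empty Password check item"))
        if cli_auth and not u.check.get("Profile-Name"):
            findings.append((u.name, "Extreme-CLI-Authorization enabled but Profile-Name is empty"))
        if is_admin and not cli_auth:
            findings.append((u.name, "administrative entry without per-command authorization"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_users_file(SAMPLE_USERS_FILE)):
        print(f"{name}: {finding}")
```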
Using ExtremeWare Vista

The ExtremeWare Vista™ device-management software that runs on the switch allows you to access the switch over a TCP/IP network using a standard web browser. Any properly configured standard web browser that supports frames and JavaScript (such as Netscape Navigator 3.0 or above, or Microsoft Internet Explorer 3.0 or above) can be used to manage the switch.
• After downloading a newer version of the switch image, clear the browser disk and memory cache to see the updated menu screens. You must clear the cache while at the main ExtremeWare Vista Logon screen, so that all underlying .GIF files are updated.
• Check for newer versions of stored pages. Every visit to the page should be selected as a cache setting. If you are using Netscape Navigator, configure the cache option to check for changes “Every Time” you request a page.
Task Frame

The task frame has two sections: menu buttons and submenu links. The four task menu buttons are:
• Configuration
• Statistics
• Support
• Logout

Below the task buttons are options. Options are specific to the task button that you select. When you select an option, the information displayed in the content frame changes. However, when you select a new task button, the content frame does not change until you select a new option.
Status Messages

Status messages are displayed at the top of the content frame. The four types of status messages are:
• Information—Displays information that is useful to know prior to, or as a result of, changing configuration options.
• Warning—Displays warnings about the switch configuration.
• Error—Displays errors caused by incorrectly configured settings.
• Success—Displays informational messages after you click Submit.
Do a GET When Configuring a VLAN

When configuring a VLAN using ExtremeWare Vista, prior to editing the VLAN configuration, you must first click the get button to ensure that subsequent edits are applied to the correct VLAN. If you do not click the get button and you submit the changes, the changes will be made to the VLAN that was previously displayed.
Once enabled, the switch sends out a periodic query to the NTP servers defined later (if configured) or listens to broadcast NTP updates from the network. The network time information is automatically saved into the on-board real-time clock.

4 If you would like this switch to use a directed query to the NTP server, configure the switch to use the NTP server(s). If the switch listens to NTP broadcasts, skip this step.
Table 13: Greenwich Mean Time Offsets (continued)

  GMT Offset   GMT Offset   Common Time Zone References              Cities
  in Hours     in Minutes
  -9:00        -540         YST - Yukon Standard
  -10:00       -600         AHST - Alaska-Hawaii Standard
                            CAT - Central Alaska
                            HST - Hawaii Standard
  -11:00       -660         NT - Nome
  -12:00       -720         IDLW - International Date Line West
  +1:00        +60          CET - Central European
  +2:00        +120         EET - Eastern European, Russia Zone 1    Athens, Greece; Helsinki, Finland; Istanbul, Turkey; Je
SNTP Configuration Commands

Table 14 describes SNTP configuration commands.

Table 14: SNTP Configuration Commands

config sntp-client [primary | secondary] server [ | ]
    Configures an NTP server for the switch to obtain time information. Queries are first sent to the primary server. If the primary server does not respond within 1 second, or if it is not synchronized, the switch queries the second server.
4 Configuring Ports on a Switch

This chapter describes the following topics:
• Port Numbering
• Enabling and Disabling Switch Ports
• Load Sharing on the Switch
• Switch Port-Mirroring
• Extreme Discovery Protocol

Port Numbering

On a Summit 300-48 switch, the port number is a combination of the slot number and the port number.
Configuring Switch Port Speed and Duplex Setting

By default, the switch is configured to use autonegotiation to determine the port speed and duplex setting for each port. You can manually configure the duplex setting and the speed of 10/100 Mbps ports. 10BASE-T and 100BASE-TX ports can connect to either 10BASE-T or 100BASE-T networks. By default, the ports autonegotiate port speed. You can also configure each port for a particular speed (either 10 Mbps or 100 Mbps).
Table 15: Switch Port Commands (continued)

enable sharing grouping {address-based}
    Defines a load-sharing group of ports. The ports specified in are grouped to the master port. The optional load-sharing algorithm, address-based, uses addressing information as criteria for egress port selection.
restart ports
    Resets autonegotiation for one or more ports by resetting the physical link.
You can configure the address-based load-sharing algorithm on the Summit 300-48 switch. The address-based load-sharing algorithm uses addressing information to determine which physical port in the load-sharing group to use for forwarding traffic out of the switch. Addressing information is based on the packet protocol, as follows:
— IP packets — Uses the source and destination MAC and IP addresses.
— All other packets — Uses the source and destination MAC address.
• Ports on the switch are divided into a maximum of five groups.
• Port-based and round-robin load sharing algorithms do not apply.
• A redundant load share group can only include ports from the following ranges: 1:1-1:24, 1:25-1:48, 1:49-1:52.

To define a load-sharing group, you assign a group of ports to a single, logical port number.
Up to eight mirroring filters and one monitor port can be configured. After a port has been specified as a monitor port, it cannot be used for any other function.

NOTE: Frames that contain errors are not mirrored.

The mirrored port always transmits tagged frames. The default port tag will be added to any untagged packets as they are mirrored.
Port-Mirroring Example

The following example selects port 1:3 as the mirror port and sends all traffic coming into or out of the switch on port 1:1 to the mirror port:

    enable mirroring to port 1:3 tagged
    config mirroring add port 1:1

Extreme Discovery Protocol

The Extreme Discovery Protocol (EDP) is used to gather information about neighbor Extreme Networks switches. EDP is used by the switches to exchange topology information.
5 Virtual LANs (VLANs)

This chapter describes the following topics:
• Overview of Virtual LANs
• Types of VLANs
• VLAN Names
• Configuring VLANs on the Switch
• Displaying VLAN Settings

Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.
• VLANs ease the change and movement of devices. With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different subnetwork, the addresses of each endstation must be updated manually.

Types of VLANs

VLANs can be created according to the following criteria:
• Physical port
• 802.
Spanning Switches with Port-Based VLANs

To create a port-based VLAN that spans two switches, you must do two things:
1 Assign the port on each switch to the VLAN.
2 Cable the two switches together using one port on each switch per VLAN.

Figure 2 illustrates a single VLAN that spans a BlackDiamond switch and a Summit 300-48 switch. All ports on the BlackDiamond switch belong to VLAN Sales. Ports 1:1 through 1:24, and port 1:26 on the Summit 300-48 switch also belong to VLAN Sales.
Figure 3 illustrates two VLANs spanning two switches. On system 1, ports 1:12 through 1:24, and port 1:51 are part of VLAN Accounting; ports 1:37 through 1:48, and port 1:52 are part of VLAN Engineering. On system 2, all ports on slot 1 are part of VLAN Accounting; all ports on slot 8 are part of VLAN Engineering.
NOTE: The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices, and may also lead to connectivity problems if non-802.1Q bridges or routers are placed in the path. The tag also carries the 802.1 (802.1p) priority bits. This is the only way priority information can be shared between separate devices (hosts, switches/routers and so on).
Figure 4: Physical diagram of tagged and untagged traffic (System 1 and System 2 linked by a tagged port, with a Marketing & Sales 802.1Q tagged server; legend: M = Marketing, S = Sales, tagged ports marked)

Figure 5 is a logical diagram of the same network.
• The server connected to port 1:16 on system 1 has a NIC that supports 802.1Q tagging.
• The server connected to port 1:16 on system 1 is a member of both VLAN Marketing and VLAN Sales.
• All other stations use untagged traffic.

As data passes out of the switch, the switch determines if the destination port requires the frames to be tagged or untagged. All traffic coming from and going to the server is tagged. Traffic coming from and going to the trunk ports is tagged.
Renaming a VLAN

To rename an existing VLAN, use the following command:

    config vlan name

The following rules apply to renaming VLANs:
• After you change the name of the default VLAN, it cannot be changed back to default.
• You cannot create a new VLAN named default.

Configuring VLANs on the Switch

This section describes the commands associated with setting up VLANs on the switch. Configuring a VLAN involves the following steps:
1 Create and name the VLAN.
Table 18: VLAN Configuration Commands (continued)

delete vlan
    Removes a VLAN.
unconfig ports monitor vlan
    Removes port-based VLAN monitoring.
unconfig vlan ipaddress
    Resets the IP address of the VLAN.

VLAN Configuration Examples

The following Summit 300-48 switch example creates a tag-based VLAN named video. It assigns the VLANid 1000. Ports 1:4 through 1:8 are added as tagged ports to the VLAN.
6 Wireless Networking

This chapter describes wireless networking using the Summit 300-48 switch and the Altitude 300 wireless port and includes information on the following topics:
• Overview of Wireless Networking
• Wireless Devices
• Bridging
• Configuring RF Properties
• Configuring Wireless Switch Properties
• Configuring Wireless Ports
• Configuring Wireless Port Interfaces
• Managing Wireless Clients
• Show Comma
Figure 6: Sample integrated wired and wireless network (a Summit 300-48 switch connecting a wired network and Altitude 300 wireless ports that serve wireless clients)

This arrangement is part of the Extreme Unified Access Architecture, which is designed to support both wired and wireless networks from a single network switch. Because the intelligence normally associated with an access point is maintained in the Summit 300-48 switch, the cost of implementing radio access is greatly reduced.
You can set network policies at Layers 2 and 3 to cover both the wired and wireless networks. In this way you can block access to individuals suspected of intrusion across the entire network infrastructure. In addition to traditional wired devices, the Summit 300-48 switch supports the Altitude 300 wireless port, third party access points, and devices that rely on Power over Ethernet (PoE).
7 Configure a specific channel (determined from a site survey), if desired, on each interface. If you do not configure a specific channel, the switch auto-selects the channel with the least interference.
8 Connect the Altitude 300 wireless port.

After this process is complete, clients can access your network through the Altitude 300 wireless port.

Configuring RF Properties

RF profiles allow you to group RF parameters for access using a single CLI command.
Table 20: RF Profile Property Values (continued)

  Property      Default   Allowed Values   Description
  frag-length   2345      256-2345         Identifies fragment size in bytes. This value should remain at its default setting of 2345. It specifies the maximum size for a packet before data is fragmented into multiple packets. If you experience a high packet error rate, you may slightly increase the fragmentation threshold.
Configuring Wireless Switch Properties

Table 21 lists the wireless configuration command that applies to the switch as a whole, independent of individual ports or port interfaces. Table 22 lists the command properties.

Table 21: Switch-Level Wireless Configuration Commands

configure wireless
    Configures properties that are independent of the port or port interface. See Table 22 for values.
Configuring Wireless Ports

The configure wireless ports commands allow you to configure properties such as the IP address and the location of the port. Table 23 lists the configuration commands for wireless ports.

Table 23: Wireless Port Configuration Commands

config wireless ports
    Configures the named property for the specified port or ports. See Table 24 for values.
Table 25 lists the configuration commands for wireless ports.
Table 25: Wireless Port Interface Configuration Commands
config wireless ports interface [1 | 2] rf-profile
    Attaches the port in the port list to the named RF profile. All ports in the port list must have the same wireless port version.
config wireless ports interface [1 | 2] security-profile
    Attaches the ports in the port list to the named security profile.
Table 27: Show Commands (continued)
show wireless ports interface [1 | 2] configuration {detail}
    Summarizes wireless configuration information for the selected port and interface.
show wireless ports interface [1 | 2] stats
    Lists 802.11 interface statistics for the selected port and interface.
show wireless ports interface [1 | 2] status
    Gives the current state of the selected port and interface.
7 Unified Access Security
This chapter describes the security features of the Summit 300-48 switch and includes information on the following topics:
• Overview of Security on page 83
• User Access Security on page 84
• Network Security Policies on page 87
• CLI Commands for Security on the Switch on page 89
Overview of Security
The Extreme Unified Access™ Security architecture provides secure access for all wired and wireless stations within the unified network.
User Access Security
Effective user security meets the following objectives:
• Authentication — Assuring that only approved users are connected to the network at permitted locations and times.
• Privacy — Assuring that user data is protected.
then extends or denies access as instructed, and passes along configuration information such as VLAN and priority. 802.1x supports several EAP-class advanced authentication protocols, which differ in the specific identification types and encryption methods for the authentication:
• EAP-TLS (Transport Layer Security) — Performs mutual authentication using security certificates.
incorporate each of these suites, and the Altitude 300 wireless port supports hardware-based AES and RC4 encryption.
Table 28: Wi-Fi Security Cipher Suites
Name | Authentication | Privacy | Sponsoring Organization
WEP | None or MAC | WEP/RC4 | IEEE
WPA | 802.1x | TKIP/RC4 | Wi-Fi Alliance
WPA | 802.1x | CCMP/AES/TKIP | IEEE
WPA-Only Support
To support WPA clients, the Summit 300-48 switch port sets the privacy bit in the beacon frames it advertises.
Network Security Policies
Network security policy refers to a set of network rules that apply to user access. You can base the rules on a variety of factors, including user identification, time and location, and method of authentication. It is possible to design network security policies to do all of the following:
• Permit or deny network access based on location and time of day.
• Place the user into a VLAN based on identity or authentication method.
Policy Examples
The following examples suggest typical uses of network security policies.
Example. You want to give employees complete network access but limit access to visitors. The solution is to base network access on the authentication method, as indicated in Table 29.
Table 29: Authentication-Based Network Access Example
Authentication Method | User Placement
802.1x with dynamic WEP | Internal VLAN
TKIP with pre-shared keys | PSK VLAN
WEP | WEP VLAN
Fails 802.
Table 31 lists the attributes included in the RADIUS response.
Table 31: RADIUS Response Attributes
Attribute | Description
EXTREME_NETLOGIN_VLAN_TAG | VLAN for this MAC
Vendor-Specific Attributes
Table 32 lists the supported vendor-specific attributes (VSAs). The Extreme vendor ID is 1916.
Table 34 lists the properties for the security profile configuration command.
Table 34: Security Profile Command Property Values
ssid-in-beacon (default: on; ranges: off | on)
    Controls whether the SSID is published in the beacon. If you set this to off, the beacon does not contain the SSID and the client must know the SSID before it can associate. Sniffing the beacon shows an empty SSID.
Table 34: Security Profile Command Property Values (continued)
dot1x multicast-cipher (default: wep)
    Specifies the cipher suite to use for legacy 802.1x or WPA clients. If the multicast cipher suite is aes, then the unicast cipher suite is AES. If the multicast cipher suite is tkip or wep, the unicast cipher suite is TKIP. Specifying this has no effect if non-WPA clients are used.
To configure the VLAN, addresses, and RF profiles, follow these steps:
1 Create the wireless management VLAN.
create vlan wireless-mgmt
2 Remove the wireless port from the default VLAN.
configure vlan default delete ports 1:5
3 Add the wireless port to the management VLAN.
configure vlan wireless-mgmt add ports 1:5
4 Configure this VLAN as the management VLAN.
configure wireless vlan wireless-mgmt
5 Assign an IP address to the VLAN.
configure vlan wireless-mgmt ip-address 192.
If you enter the wrong number of characters for the code, a message similar to the following appears.
Invalid number of bytes in key. Expected 10 bytes, got 15 bytes.
8 Configure the security profile to use the 0 key you just defined as the default encryption key.
configure security-profile wep-secure wep default-key-index 0
To configure dot1x security, follow these steps:
1 Create a security profile (dot1x-secure) by copying from the default unsecure profile.
8 Power Over Ethernet
This chapter explains how to configure the Summit 300-48 switch to supply power to devices using the Power over Ethernet (PoE) capability. It contains the following sections:
• Overview on page 95
• Port Power Management on page 96
• Per-Port LEDs on page 98
• Configuring Power Over Ethernet on page 98
Overview
Power over Ethernet (PoE), defined by the IEEE 802.
Port Power Management
When you connect PDs, the Summit 300-48 switch automatically discovers and classifies those that are AF-compliant.
Common Power Pool
The common power pool represents the total amount of power available on a per-slot basis, less any power reserved or allocated to currently powered devices. When a new device is discovered, its defined power requirements are subtracted from the common power pool. If the common pool does not have sufficient available power, power is not supplied to the device. In this case, the port is placed in a power-denied state.
Ports are powered based upon their priority and discovery time. Higher priority ports with the oldest discovery time are powered first. If a device consumes more power than it is allocated by class type, it is considered a class violation. The device enters a fault state, and unreserved power is returned to the common pool. Power is also returned to the common pool if a port is disconnected.
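The allocation rules above (common pool per slot, power-denied state, priority then discovery time, class violation and disconnect returning power) as a small simulation. This is an added example, not ExtremeWare code; the per-class wattages, the numeric priority scheme, the port names, the 20000 mW slot budget and the retry of power-denied ports on the next allocation pass are all constructed assumptions.

```python
"""PoE common power pool simulation (added example, not ExtremeWare code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed per-class allocations in milliwatts (assumption for this example).
CLASS_POWER_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400}


@dataclass
class PoePort:
    name: str
    priority: int           # assumption: smaller number = higher priority
    discovered_at: int      # discovery time; smaller = older
    pd_class: int           # class assigned when the PD was discovered
    state: str = "discovered"   # discovered | powered | power-denied | fault | disconnected
    allocated_mw: int = 0


@dataclass
class PoeSlot:
    budget_mw: int
    ports: List[PoePort] = field(default_factory=list)

    def available_mw(self) -> int:
        """Common pool: slot budget less the power allocated to powered devices."""
        return self.budget_mw - sum(p.allocated_mw for p in self.ports)

    def discover(self, port: PoePort) -> None:
        self.ports.append(port)

    def allocate(self) -> Dict[str, str]:
        """Power pending ports: higher priority first, then oldest discovery time.
        Assumption: ports left in power-denied state are retried on each pass."""
        pending = [p for p in self.ports if p.state in ("discovered", "power-denied")]
        for p in sorted(pending, key=lambda x: (x.priority, x.discovered_at)):
            need = CLASS_POWER_MW[p.pd_class]
            if need <= self.available_mw():
                p.allocated_mw = need
                p.state = "powered"
            else:
                p.state = "power-denied"     # pool too small: not supplied
        return {p.name: p.state for p in self.ports}

    def _port(self, name: str) -> PoePort:
        return next(p for p in self.ports if p.name == name)

    def report_draw(self, name: str, measured_mw: int) -> str:
        """A powered device drawing more than its class allocation is a class
        violation: the port enters the fault state and its power returns to the pool."""
        p = self._port(name)
        if p.state == "powered" and measured_mw > p.allocated_mw:
            p.state = "fault"
            p.allocated_mw = 0
        return p.state

    def disconnect(self, name: str) -> int:
        """Disconnecting a port returns its power to the common pool."""
        p = self._port(name)
        p.allocated_mw = 0
        p.state = "disconnected"
        return self.available_mw()


def demo() -> dict:
    """Constructed scenario: two PDs, the lower-priority one discovered first."""
    slot = PoeSlot(budget_mw=20000)
    slot.discover(PoePort("1:2", priority=2, discovered_at=0, pd_class=2))
    slot.discover(PoePort("1:1", priority=1, discovered_at=1, pd_class=3))
    first = slot.allocate()                     # 1:1 powered, 1:2 power-denied
    fault = slot.report_draw("1:1", 16000)      # class violation on 1:1
    second = slot.allocate()                    # returned power lets 1:2 come up
    return {"first": first, "fault": fault, "second": second,
            "available": slot.available_mw()}


if __name__ == "__main__":
    print(demo())
```

The walk-through in demo() shows why discovery order alone does not decide who gets power: the later-discovered but higher-priority port 1:1 is served first, and 1:2 is only powered once a class violation frees 1:1's allocation.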
Table 36: Power Over Ethernet Configuration Commands (continued)
enable inline-power ports
    Enables PoE for the listed ports.
disable inline-power ports
    Disables PoE for the listed ports.
config inline-power usage-threshold
    Sets the threshold for initiation of an alarm should the measured power exceed the threshold.
Table 36: Power Over Ethernet Configuration Commands (continued)
unconfig inline-power disconnect-precedence [lowest-priority | deny-port]
    Returns the disconnect-precedence to the default state of deny-port. When the power drain exceeds the available power budget, due to a rise in power consumption after power is allocated to the ports, the PoE controller disconnects one of the ports to prevent overload on the power supply.
Table 36: Power Over Ethernet Configuration Commands (continued)
unconfig inline-power operator-limit ports
    Resets the operator limit back to the default.
unconfig inline-power violation-precedence ports
    Resets the violation precedence back to the default.
unconfig inline-power reserved-budget ports
    Resets the reserved budget back to the default (0 milliwatts).
9 Forwarding Database (FDB)
This chapter describes the following topics:
• Overview of the FDB on page 103
• Configuring FDB Entries on page 105
• Displaying FDB Entries on page 106
Overview of the FDB
The switch maintains a database of all media access control (MAC) addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.
interface are stored as permanent. The Summit 300-48 switches support a maximum of 128 permanent entries. Once created, permanent entries stay the same as when they were created. For example, the permanent entry store is not updated when any of the following take place:
— A VLAN identifier (VLANid) is changed.
— A port mode is changed (tagged/untagged).
— A port is deleted from a VLAN.
— A port is disabled.
— A port enters blocking state.
— A port QoS setting is changed.
Configuring FDB Entries
To configure entries in the FDB, use the commands listed in Table 38.
Table 38: FDB Configuration Commands
clear fdb [{ | vlan | ports }]
    Clears dynamic FDB entries that match the filter. When no options are specified, the command clears all FDB entries.
config fdb agingtime
    Configures the FDB aging time. The range is 15 through 1,000,000 seconds. The default value is 300 seconds.
Table 38: FDB Configuration Commands (continued)
enable learning port
    Enables MAC address learning on one or more ports.
FDB Configuration Examples
The following example adds a permanent entry to the FDB:
create fdbentry 00:E0:2B:12:34:56 vlan marketing port 1:4
The permanent entry has the following characteristics:
• MAC address is 00:E0:2B:12:34:56.
• VLAN name is marketing.
• Port number for this device is 1:4.
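The forward-or-filter decision, dynamic learning with the 15 to 1,000,000 second aging range (default 300), and the 128-entry permanent store that learning never overwrites, modelled in one small class. This is an added example, not ExtremeWare code: the VLAN name marketing, port 1:4 and the MAC 00:E0:2B:12:34:56 are taken from the example above, while the other ports, MAC addresses and the flooding of unknown destinations within the VLAN are constructed assumptions.

```python
"""Learning-bridge forwarding database with aging and permanent entries
(added example, not ExtremeWare code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "FF:FF:FF:FF:FF:FF"


@dataclass
class FdbEntry:
    port: str
    permanent: bool
    last_seen: int = 0      # time of the last frame seen from this MAC (dynamic only)


class ForwardingDatabase:
    MAX_PERMANENT = 128     # the Summit 300-48 limit stated in the chapter

    def __init__(self, agingtime: int = 300) -> None:
        # 'config fdb agingtime' accepts 15 through 1,000,000 seconds.
        if not 15 <= agingtime <= 1_000_000:
            raise ValueError("agingtime must be 15..1000000 seconds")
        self.agingtime = agingtime
        self.vlans: Dict[str, Set[str]] = {}                   # vlan -> member ports
        self.entries: Dict[Tuple[str, str], FdbEntry] = {}     # (mac, vlan) -> entry

    def add_vlan(self, vlan: str, ports: Set[str]) -> None:
        self.vlans[vlan] = set(ports)

    def create_permanent(self, mac: str, vlan: str, port: str) -> None:
        """Equivalent of 'create fdbentry <mac> vlan <vlan> port <port>'."""
        if sum(e.permanent for e in self.entries.values()) >= self.MAX_PERMANENT:
            raise RuntimeError("permanent entry limit (128) reached")
        self.entries[(mac.upper(), vlan)] = FdbEntry(port, permanent=True)

    def learn(self, mac: str, vlan: str, port: str, now: int) -> None:
        key = (mac.upper(), vlan)
        entry = self.entries.get(key)
        if entry is not None and entry.permanent:
            return              # permanent entries stay as created; learning does not touch them
        self.entries[key] = FdbEntry(port, permanent=False, last_seen=now)

    def age(self, now: int) -> int:
        """Drop dynamic entries idle for agingtime or longer; returns how many."""
        stale = [k for k, e in self.entries.items()
                 if not e.permanent and now - e.last_seen >= self.agingtime]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, mac: str, vlan: str) -> Optional[str]:
        entry = self.entries.get((mac.upper(), vlan))
        return entry.port if entry else None

    def forward(self, src: str, dst: str, vlan: str, ingress: str, now: int) -> List[str]:
        """Learn the source MAC, then return the egress ports ([] means filtered)."""
        self.age(now)
        self.learn(src, vlan, ingress, now)
        others = sorted(self.vlans[vlan] - {ingress})
        if dst.upper() == BROADCAST:
            return others
        port = self.lookup(dst, vlan)
        if port is None:
            return others       # assumption: unknown unicast is flooded within the VLAN
        if port == ingress:
            return []           # destination sits behind the ingress port: filter
        return [port]


if __name__ == "__main__":
    fdb = ForwardingDatabase()
    fdb.add_vlan("marketing", {"1:1", "1:2", "1:4"})
    fdb.create_permanent("00:E0:2B:12:34:56", "marketing", "1:4")
    print(fdb.forward("00:AA:00:00:00:01", "00:E0:2B:12:34:56", "marketing", "1:1", now=0))
```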
10 Access Policies
This chapter describes the following topics:
• Overview of Access Policies on page 107
• Using Access Control Lists on page 107
Overview of Access Policies
Access policies are a generalized category of features that impact forwarding and route forwarding decisions. Access policies are used primarily for security and quality of service (QoS) purposes.
Access Policies shared multiple access control lists, using different lists of values to examine packets. The following sections describe how to use access control lists. Access Masks There are between twelve and fourteen access masks available in the Summit 300-48, depending on which features are enabled on the switch. Each access mask is created with a unique name and defines a list of fields that will be examined by any access control list that uses that mask (and by any rate limit that uses the mask).
Using Access Control Lists Rate Limits Each entry that makes up a rate limit contains a unique name and specifies a previously created access mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and an action to take for packets that match. Additionally, a rate limit specifies an action to take when matching packets arrive at a rate above the limit you set.
Access Policies Access Mask Precedence Numbers The access mask precedence number is optional, and determines the order in which each rule is examined by the switch. Access control list entries are evaluated from highest precedence to lowest precedence. Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence. However, an access mask without a precedence specified has a higher precedence than any access mask with a precedence specified.
Using Access Control Lists The permit-established Keyword The permit-established keyword is used to directionally control attempts to open a TCP session. Session initiation can be explicitly blocked using this keyword. NOTE For an example of using the permit-established keyword, refer to “Using the Permit-Established Keyword” on page 116. The permit-established keyword denies the access control list.
The maximum number of access lists allowed by the hardware is 254 for each block of eight 10/100 Ethernet ports and 126 for each Gigabit Ethernet port, for a total of 1014 rules (254*3+126*2). Most user-entered access list commands require multiple rules on the hardware. For example, a global rule (an access control list using an access mask without “ports” defined) requires 5 rules, one for each of the 5 blocks of ports on the hardware.
Using Access Control Lists Table 39: Access Control List Configuration Commands Command Description create access-list access-mask {dest-mac } {source-mac } {vlan } {ethertype [IP | ARP | ]} {tos | code-point } {ipprotocol [tcp|udp|icmp|igmp|]} {dest-ip /} {dest-L4port } {source-ip /} {source-L4port | {icmp-type } {icmp-code
Table 39: Access Control List Configuration Commands (continued)
create access-mask {dest-mac} {source-mac} {vlan } {ethertype} {tos | code-point} {ipprotocol} {dest-ip /} {dest-L4port} {source-ip /} {source-L4port | {icmp-type} {icmp-code}} {permit-established} {egressport} {ports} {precedence }
    Creates an access mask. The mask specifies which packet fields to examine.
Using Access Control Lists Table 39: Access Control List Configuration Commands (continued) Command Description create rate-limit access-mask {dest-mac } {source-mac } {vlan } {ethertype [IP | ARP | ]} {tos | code-point } {ipprotocol [tcp|udp|icmp|igmp|]} {dest-ip /} {dest-L4port } {source-ip /} {source-L4port | {icmp-type
Table 39: Access Control List Configuration Commands (continued)
delete access-mask
    Deletes an access mask. Any access lists or rate limits that reference this mask must first be deleted.
delete rate-limit
    Deletes a rate limit.
show access-list { | ports }
    Displays access-list information.
show access-mask {}
    Displays access-list information.
show rate-limit { | ports }
    Displays access-list information.
Using Access Control Lists Step 1 – Deny IP Traffic. First, create an access-mask that examines the IP protocol field for each packet. Then create two access-lists, one that blocks all TCP, one that blocks UDP. Although ICMP is used in conjunction with IP, it is technically not an IP data packet. Thus, ICMP data traffic, such as ping traffic, is not affected.
Figure 9: Access list allows TCP traffic (figure: TCP, UDP and ICMP traffic between 10.10.10.100 and 10.10.20.100; image not reproduced)
Step 3 - Permit-Established Access List. When a TCP session begins, there is a three-way handshake that includes a sequence of SYN, SYN/ACK, and ACK packets. Figure 10 shows an illustration of the handshake that occurs when host A initiates a TCP session to host B. After this sequence, actual data can be passed.
Figure 11 shows the final outcome of this access list.
Figure 11: Permit-established access list filters out SYN packet to destination (figure: SYN from 10.10.10.100 toward 10.10.20.100; image not reproduced)
Example 2: Filter ICMP Packets
This example creates an access list that filters out ping (ICMP echo) packets. ICMP echo packets are defined as type 8 code 0.
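The evaluation order the chapter describes (a mask with no precedence outranks every numbered mask, then 1 is highest up to 25,600) together with Steps 1 to 3 of the example and the ICMP echo filter of Example 2, as a small evaluator. This is an added example, not ExtremeWare code. Only the hosts 10.10.10.100 and 10.10.20.100 and the ICMP type 8 code 0 come from the page; the mask and list names, the precedence numbers, the third host address and the packets are constructed. Three further assumptions are built in and labelled: the first matching entry decides, an unmatched packet is permitted, and permit-established is read as "deny a matching TCP packet that initiates a session (SYN set, ACK clear), permit any other matching TCP packet", which is what Figure 11 shows.

```python
"""Access-mask and access-list evaluator (added example, not ExtremeWare code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYN, ACK = 0x02, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    ipprotocol: str         # "tcp", "udp" or "icmp"
    source_ip: str
    dest_ip: str
    tcp_flags: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass(frozen=True)
class AccessMask:
    name: str
    fields: Tuple[str, ...]             # packet fields this mask examines
    precedence: Optional[int] = None    # None = no precedence = highest of all

    def rank(self) -> Tuple[int, int]:
        """Sort key: masks without precedence first, then 1 (highest) .. 25600."""
        if self.precedence is None:
            return (0, 0)
        if not 1 <= self.precedence <= 25600:
            raise ValueError("precedence must be 1..25600")
        return (1, self.precedence)


@dataclass
class AccessList:
    name: str
    mask: AccessMask
    values: Dict[str, object]           # field -> value the packet must carry
    action: str = "permit"              # "permit" or "deny"
    permit_established: bool = False

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == self.values[f] for f in self.mask.fields)


def evaluate(lists: List[AccessList], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the entry that decided). Assumptions: first
    match wins, and packets matching nothing are permitted."""
    for acl in sorted(lists, key=lambda a: a.mask.rank()):
        if not acl.matches(pkt):
            continue
        if acl.permit_established and pkt.ipprotocol == "tcp":
            # Session initiation = SYN without ACK; everything else is "established".
            initiating = bool(pkt.tcp_flags & SYN) and not (pkt.tcp_flags & ACK)
            return ("deny" if initiating else "permit"), acl.name
        return acl.action, acl.name
    return "permit", None


def build_sample_policy() -> List[AccessList]:
    """Steps 1-3 of the chapter's example plus the ICMP echo filter (constructed names)."""
    proto = AccessMask("proto_mask", ("ipprotocol",), precedence=100)
    hosts = AccessMask("hosts_mask", ("ipprotocol", "source_ip", "dest_ip"), precedence=50)
    est = AccessMask("est_mask", ("ipprotocol", "dest_ip"))      # no precedence: checked first
    icmp = AccessMask("icmp_mask", ("ipprotocol", "icmp_type", "icmp_code"), precedence=1)
    a, b = "10.10.10.100", "10.10.20.100"
    return [
        # Step 1: deny all TCP and all UDP (ICMP is not caught by these entries)
        AccessList("deny_tcp", proto, {"ipprotocol": "tcp"}, "deny"),
        AccessList("deny_udp", proto, {"ipprotocol": "udp"}, "deny"),
        # Step 2: permit TCP between the two hosts at a higher precedence
        AccessList("permit_ab", hosts, {"ipprotocol": "tcp", "source_ip": a, "dest_ip": b}),
        AccessList("permit_ba", hosts, {"ipprotocol": "tcp", "source_ip": b, "dest_ip": a}),
        # Step 3: block session initiation towards host B only
        AccessList("established_to_b", est, {"ipprotocol": "tcp", "dest_ip": b},
                   permit_established=True),
        # Example 2: filter ping (ICMP echo, type 8 code 0)
        AccessList("no_ping", icmp, {"ipprotocol": "icmp", "icmp_type": 8, "icmp_code": 0},
                   "deny"),
    ]


def sample_decisions() -> Dict[str, str]:
    """Constructed packets run through the sample policy."""
    a, b = "10.10.10.100", "10.10.20.100"
    policy = build_sample_policy()
    packets = {
        "syn_a_to_b": Packet("tcp", a, b, tcp_flags=SYN),
        "syn_b_to_a": Packet("tcp", b, a, tcp_flags=SYN),
        "synack_a_to_b": Packet("tcp", a, b, tcp_flags=SYN | ACK),
        "ack_a_to_b": Packet("tcp", a, b, tcp_flags=ACK),
        "udp_a_to_other": Packet("udp", a, "10.10.30.1"),
        "echo_request": Packet("icmp", a, b, icmp_type=8, icmp_code=0),
        "echo_reply": Packet("icmp", b, a, icmp_type=0, icmp_code=0),
    }
    return {name: evaluate(policy, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:16} {decision}")
```

Because est_mask carries no precedence it is examined before the numbered masks, so a SYN from A to B is denied even though permit_ab would otherwise allow it; a SYN from B to A never reaches est_mask (its dest_ip differs) and is permitted by permit_ba, which is the directional control the chapter describes.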
11 Quality of Service (QoS)
This chapter describes the following topics:
• Overview of Policy-Based Quality of Service on page 121
• Applications and Types of QoS on page 122
• Configuring QoS for a Port or VLAN on page 123
• Traffic Groupings on page 124
— MAC-Based Traffic Groupings on page 125
— Explicit Class of Service (802.
Summit 300-48 switches support up to four physical queues per port.
NOTE As with all Extreme switch products, QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.
Applications and Types of QoS
Different applications have different QoS requirements.
Configuring QoS for a Port or VLAN Web Browsing Applications QoS needs for Web browsing applications cannot be generalized into a single category. For example, ERP applications that use a browser front-end may be more important than retrieving daily news information. Traffic groupings can typically be distinguished from each other by their server source and destinations.
Traffic Groupings
After a QoS profile has been modified for bandwidth and priority, you assign traffic a grouping to the profile. A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is typically grouped based on the applications discussed starting on page 122.
Traffic Groupings prescribe the bandwidth management and priority handling for that traffic grouping. This level of packet filtering has no impact on performance. MAC-Based Traffic Groupings QoS profiles can be assigned to destination MAC addresses.
Explicit Class of Service (802.1p and DiffServ) Traffic Groupings
This category of traffic groupings describes what is sometimes referred to as explicit packet marking, and refers to information contained within a packet intended to explicitly determine a class of service. That information includes:
• IP DiffServ code points, formerly known as IP TOS bits
• Prioritization bits used in IEEE 802.
Traffic Groupings supports four hardware queues. The transmitting hardware queue determines the bandwidth management and priority characteristics used when transmitting packets. To control the mapping of 802.1p prioritization values to hardware queues, 802.1p prioritization values can be mapped to a QoS profile. The default mapping of each 802.1p priority value to QoS profile is shown in Table 43. Table 43: 802.
Configuring DiffServ
Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the DiffServ field. The TOS field is used by the switch to determine the type of service provided to the packet. Observing DiffServ code points as a traffic grouping mechanism for defining QoS policies and overwriting the DiffServ code point fields are supported in the Summit 300-48 switch. Figure 14 shows the encapsulation of an IP packet header.
Observing DiffServ Information
When a packet arrives at the switch on an ingress port, the switch examines the first six of eight TOS bits, called the code point. The switch can assign the QoS profile used to subsequently transmit the packet based on the code point. The QoS profile controls a hardware queue used when transmitting the packet out of the switch, and determines the forwarding characteristics of a particular code point.
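How the two explicit marks discussed in this section and the preceding 802.1p section are read off the wire, and what an overwrite of the code point has to touch. This is an added example, not ExtremeWare code: it builds a constructed 802.1Q-tagged frame with a minimal IPv4 header, extracts the 802.1p priority from the tag and the code point from the first six of the eight TOS bits, picks one of four profiles qp1 to qp4, and rewrites the code point with the IPv4 header checksum recomputed. The MAC and IP addresses are constructed, and both mappings (802.1p value to profile, code point to profile) are assumptions of this example, not the switch's default Table 43.

```python
"""Reading 802.1p and DiffServ marks from a frame and selecting a queue
(added example, not ExtremeWare code)."""
import struct

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800


def ipv4_checksum(header: bytes) -> int:
    """IPv4 header checksum: one's complement of the one's-complement 16-bit sum."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(pcp: int, dscp: int, vid: int = 100, ecn: int = 0) -> bytes:
    """Constructed tagged frame: dst MAC, src MAC, 802.1Q tag, IPv4 header, no payload."""
    dst = bytes.fromhex("0004960a0001")      # constructed MAC addresses
    src = bytes.fromhex("0004960a0002")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)          # PCP in the top three bits
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)            # code point = top six TOS bits
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                      bytes([10, 1, 2, 7]), bytes([10, 1, 3, 9]))   # constructed IPs
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst + src + struct.pack("!HH", ETH_8021Q, tci) + struct.pack("!H", ETH_IPV4) + hdr


def parse_marks(frame: bytes) -> dict:
    """Extract the 802.1p priority, VLAN id, DSCP and ECN and verify the IPv4 checksum."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pcp = vid = None
    offset = 14
    if ethertype == ETH_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETH_IPV4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[offset] & 0x0F) * 4
    header = frame[offset:offset + ihl]
    tos = header[1]
    return {"pcp": pcp, "vid": vid, "dscp": tos >> 2, "ecn": tos & 0x3,
            "checksum_ok": ipv4_checksum(header) == 0}


def select_profile(marks: dict, diffserv_examination: bool) -> str:
    """Pick one of qp1..qp4 (four hardware queues per port).
    Constructed mappings: DSCP 0-15 -> qp1 ... 48-63 -> qp4; 802.1p 0-1 -> qp1 ... 6-7 -> qp4."""
    if diffserv_examination:
        return f"qp{marks['dscp'] // 16 + 1}"
    if marks["pcp"] is None:
        return "qp1"                     # untagged frame: no 802.1p value to examine
    return f"qp{marks['pcp'] // 2 + 1}"


def rewrite_dscp(frame: bytes, new_dscp: int) -> bytes:
    """Overwrite the code point (keeping the ECN bits) and fix the header checksum."""
    offset = 18 if struct.unpack("!H", frame[12:14])[0] == ETH_8021Q else 14
    ihl = (frame[offset] & 0x0F) * 4
    header = bytearray(frame[offset:offset + ihl])
    header[1] = ((new_dscp & 0x3F) << 2) | (header[1] & 0x3)
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return frame[:offset] + bytes(header) + frame[offset + ihl:]


if __name__ == "__main__":
    frame = build_frame(pcp=5, dscp=23)
    marks = parse_marks(frame)
    print(marks, select_profile(marks, True), select_profile(marks, False))
    print(parse_marks(rewrite_dscp(frame, 46)))
```

Note that a code-point rewrite changes a byte covered by the IPv4 header checksum, so a rewriting device has to recompute it; parse_marks reports checksum_ok so a capture can be checked for exactly that.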
DiffServ Examples
For information on the access list and access mask commands in the following examples, see Chapter 10, “Access Policies”. Use the following command to use the DiffServ code point value to assign traffic to the hardware queues:
enable diffserv examination ports all
In the following example, all the traffic from network 10.1.2.x is assigned the DiffServ code point 23 and the 802.
The same information is also available for ports or VLANs using one of the following commands:
show ports info {detail}
or
show vlan
Verifying Configuration and Performance
After you have created QoS policies that manage the traffic through the switch, you can use the QoS monitor to determine whether the application performance meets your expectations.
QoS Monitor
The QoS monitor is a utility that monitors the incoming packets on a port or ports.
Quality of Service (QoS) Displaying QoS Profile Information The QoS monitor can also be used to verify the QoS configuration and monitor the use of the QoS policies that are in place.
12 Status Monitoring and Statistics
This chapter describes the following topics:
• Status Monitoring on page 133
• Port Statistics on page 135
• Port Errors on page 136
• Port Monitoring Display Keys on page 137
• Setting the System Recovery Level on page 137
• Logging on page 138
• RMON on page 142
Viewing statistics on a regular basis allows you to see how well your network is performing.
Table 47 describes commands that are used to monitor the status of the switch.
Table 47: Status Monitoring Commands
show log {}
    Displays the current snapshot of the log. Options include:
    • priority — Filters the log to display messages with the selected priority or higher (more critical). Priorities include critical, emergency, alert, error, warning, notice, info, and debug. If not specified, all messages are displayed.
Table 47: Status Monitoring Commands (continued)
show tech-support
    Displays the output for the following commands:
    • show version
    • show switch
    • show config
    • show diag
    • show gdb
    • show iparp
    • show ipfdb
    • show ipstats
    • show iproute
    • show ipmc cache detail
    • show igmp snooping detail
    • show memory detail
    • show log
    It also displays the output from internal debug commands. This command disables the CLI paging feature.
• Received Byte Count (RX Byte Count) — The total number of bytes that were received by the port, including bad or lost frames. This number includes bytes contained in the Frame Check Sequence (FCS), but excludes bytes in the preamble.
• Received Broadcast (RX Bcast) — The total number of frames received by the port that are addressed to a broadcast address.
• Receive Fragmented Frames (RX Frag) — The total number of frames received by the port that were of incorrect length and contained a bad FCS value.
• Receive Jabber Frames (RX Jab) — The total number of frames received by the port that were greater than the supported maximum length and had a Cyclic Redundancy Check (CRC) error.
NOTE Extreme Networks recommends that you set the system recovery level to critical. This allows ExtremeWare to log an error to the syslog and automatically reboot the system after a critical exception.
Logging
The switch log tracks all configuration and fault information pertaining to the device.
Table 50: Fault Log Subsystems (continued)
Subsystem | Description
Port | Port management-related configuration. Examples include port statistics and errors.
• Message — The message contains the log information with text that is specific to the problem.
Local Logging
The switch maintains 1,000 messages in its internal log.
— ipaddress — The IP address of the syslog host.
— facility — The syslog facility level for local use. Options include local0 through local7.
— priority — Filters the log to display messages with the selected priority or higher (more critical). Priorities include (in order) critical, emergency, alert, error, warning, notice, info, and debug. If not specified, only critical priority messages are sent to the syslog host.
Table 51: Logging Commands (continued)
config syslog {add} {} {}
    Configures the syslog host address and filters messages sent to the syslog host. Up to 4 syslog servers can be configured. Options include:
config syslog delete {} {
    • host name/ip — The IP address or name of the syslog host.
    • port — The port of the syslog host.
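The logging behaviour described across this section and the show log entry of Table 47, modelled together: a local log that keeps the most recent 1,000 messages, show log filtering by priority or higher, and up to four syslog hosts, each with a facility local0 to local7 and its own priority filter that defaults to critical. This is an added example, not ExtremeWare code. The priority order is used exactly as the guide lists it (critical, emergency, alert, error, warning, notice, info, debug); the log line layout parsed below, the host addresses and the sample messages are constructed.

```python
"""Local log and syslog priority filtering (added example, not ExtremeWare code)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List

# Order as given in the guide: leftmost is most critical.
PRIORITIES = ["critical", "emergency", "alert", "error", "warning", "notice", "info", "debug"]
FACILITIES = {f"local{i}" for i in range(8)}
LOCAL_LOG_SIZE = 1000       # the switch keeps 1,000 messages in its internal log
MAX_SYSLOG_HOSTS = 4        # up to 4 syslog servers can be configured


def at_or_above(priority: str, threshold: str) -> bool:
    """True when priority equals the threshold or is more critical than it."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


@dataclass
class LogEntry:
    timestamp: str
    priority: str
    subsystem: str
    message: str


@dataclass
class SyslogHost:
    address: str
    facility: str
    priority: str = "critical"      # default: only critical messages are sent

    def __post_init__(self) -> None:
        if self.facility not in FACILITIES:
            raise ValueError("facility must be local0..local7")
        if self.priority not in PRIORITIES:
            raise ValueError("unknown priority")


class SwitchLog:
    def __init__(self) -> None:
        self.local: Deque[LogEntry] = deque(maxlen=LOCAL_LOG_SIZE)   # oldest dropped first
        self.hosts: List[SyslogHost] = []

    def config_syslog_add(self, host: SyslogHost) -> None:
        if len(self.hosts) >= MAX_SYSLOG_HOSTS:
            raise RuntimeError("up to 4 syslog servers can be configured")
        self.hosts.append(host)

    def log(self, entry: LogEntry) -> List[str]:
        """Store the entry locally; return the hosts whose filter lets it through."""
        if entry.priority not in PRIORITIES:
            raise ValueError("unknown priority")
        self.local.append(entry)
        return [h.address for h in self.hosts if at_or_above(entry.priority, h.priority)]

    def show_log(self, priority: str = "debug") -> List[LogEntry]:
        """'show log priority <p>': entries at that priority or more critical."""
        return [e for e in self.local if at_or_above(e.priority, priority)]


def parse_line(line: str) -> LogEntry:
    """Parse a constructed line: '<date> <time> <Priority>:<subsystem>: <message>'."""
    date, time, rest = line.split(" ", 2)
    tag, message = rest.split(": ", 1)
    priority, subsystem = tag.split(":", 1)
    return LogEntry(f"{date} {time}", priority.lower(), subsystem, message)


if __name__ == "__main__":
    log = SwitchLog()
    log.config_syslog_add(SyslogHost("10.0.0.5", "local0"))              # constructed host
    log.config_syslog_add(SyslogHost("10.0.0.6", "local7", "warning"))   # constructed host
    print(log.log(parse_line("09/15/2003 10:23:13 Error:SYST: constructed error message")))
    print([e.priority for e in log.show_log("warning")])
```

A host added without a priority receives only critical messages, so an error-level event reaches just the host configured with priority warning; that default is worth remembering when a remote collector appears to be missing events.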
RMON
Using the Remote Monitoring (RMON) capabilities of the switch allows network administrators to improve system efficiency and reduce the load on the network. The following sections explain more about the RMON concept and the RMON features supported by the switch.
NOTE You can only use the RMON features of the system if you have an RMON management application, and have enabled RMON on the switch.
RMON History The History group provides historical views of network performance by taking periodic samples of the counters supplied by the Statistics group. The group features user-defined sample intervals and bucket counters for complete customization of trend analysis. The group is useful for analysis of traffic patterns and trends on a LAN segment or VLAN, and to establish baseline information indicating normal operating parameters.
Event Actions
The actions that you can define for each alarm are shown in Table 52.
Table 52: Event Actions
Action | High Threshold
No action |
Notify only | Send trap to all trap receivers.
Notify and log | Send trap; place entry in RMON log.
To be notified of events using SNMP traps, you must configure one or more trap receivers, as described in Chapter 3, “Managing the Switch”.
13 Spanning Tree Protocol (STP)
This chapter describes the following topics:
• Overview of the Spanning Tree Protocol on page 145
• Spanning Tree Domains on page 145
• STP Configurations on page 146
• Configuring STP on the Switch on page 148
• Displaying STP Settings on page 151
• Disabling and Resetting STP on page 152
Using the Spanning Tree Protocol (STP) functionality of the switch makes your network more fault tolerant.
Spanning Tree Protocol (STP) A port can belong to only one STPD. If a port is a member of multiple VLANs, then all those VLANs must belong to the same STPD.
• Marketing is defined on all switches (switch A, switch B, switch Y, switch Z, and switch M).
Two STPDs are defined:
• STPD1 contains VLANs Sales and Personnel.
• STPD2 contains VLANs Manufacturing and Engineering.
The VLAN Marketing is a member of the default STPD, but not assigned to either STPD1 or STPD2.
Figure 16: Tag-based STP configuration (figure: Switch 1 carrying Marketing & Sales, Switch 2 carrying Sales & Engineering, Switch 3 carrying Marketing, Sales & Engineering; image not reproduced)
The tag-based network in Figure 16 has the following configuration:
• Switch 1 contains VLAN Marketing and VLAN Sales.
• Switch 2 contains VLAN Engineering and VLAN Sales.
• Switch 3 contains VLAN Marketing, VLAN Engineering, and VLAN Sales.
3 Enable STP for one or more STP domains using the following command:
enable stpd {}
NOTE All VLANs belong to the default STPD (s0). If you do not want to run STP on a VLAN, you must add the VLAN to a STPD that is disabled.
Once you have created the STPD, you can optionally configure STP parameters for the STPD.
CAUTION You should not configure any STP parameters unless you have considerable knowledge and experience with STP.
Table 53: STP Configuration Commands (continued)
config stpd maxage
    Specifies the maximum age of a BPDU in this STPD. The range is 6 through 40. The default setting is 20 seconds. Note that the time must be greater than, or equal to 2 * (Hello Time + 1) and less than, or equal to 2 * (Forward Delay - 1).
Displaying STP Settings STP Configuration Example The following Summit 300-48 switch example creates and enables an STPD named Backbone_st. It assigns the Manufacturing VLAN to the STPD. It disables STP on ports 1:1 through 1:7 and port 1:12.
Disabling and Resetting STP
To disable STP or return STP settings to their defaults, use the commands listed in Table 54.
Table 54: STP Disable and Reset Commands
delete stpd
    Removes an STPD. An STPD can only be removed if all VLANs have been deleted from it. The default STPD, s0, cannot be deleted.
disable ignore-bpdu vlan
    Allows the switch to recognize STP BPDUs.
14 IP Unicast Routing
This chapter describes the following topics:
• Overview of IP Unicast Routing on page 153
• Proxy ARP on page 156
• Relative Route Priorities on page 157
• Configuring IP Unicast Routing on page 157
• IP Commands on page 158
• Routing Configuration Example on page 162
• Displaying Router Settings on page 163
• Resetting and Disabling Router Settings on page 163
• Configuring DHCP/BOOTP Relay on page 164
• UDP-Forwarding on page 165
This chapter assumes that you are already familiar wi
IP Unicast Routing Router Interfaces The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a VLAN that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs. Both the VLAN switching and IP routing function occur within the switch. NOTE Each IP address and mask assigned to a VLAN must represent a unique IP subnet.
— Locally, by way of interface addresses assigned to the system
— By other static routes, as configured by the administrator
NOTE If you define a default route, and subsequently delete the VLAN on the subnet associated with the default route, the invalid default route entry remains. You must manually delete the configured default route.
Static Routes
Static routes are manually entered into the routing table. Static routes are used to reach networks not advertised by routers.
Proxy ARP
Proxy Address Resolution Protocol (ARP) was first invented so that ARP-capable devices could respond to ARP Request packets on behalf of ARP-incapable devices. Proxy ARP can also be used to achieve router redundancy and simplify IP client configuration. The switch supports proxy ARP for this type of network configuration. This section describes some examples of how to use proxy ARP with the switch.
Relative Route Priorities Relative Route Priorities Table 55 lists the relative priorities assigned to routes depending upon the learned source of the route. CAUTION Although these priorities can be changed, do not attempt any manipulation unless you are expertly familiar with the possible consequences.
IP Unicast Routing Verifying the IP Unicast Routing Configuration Use the show iproute command to display the current configuration of IP unicast routing for the switch, and for each VLAN. The show iproute command displays the currently configured routes, and includes how each route was learned. Additional verification commands include: • show iparp — Displays the IP ARP table of the system.
Table 56: Basic IP Commands (continued)
disable bootp vlan [ | all]
    Disables the generation and processing of BOOTP packets.
disable bootprelay
    Disables the forwarding of BOOTP requests.
disable ipforwarding {vlan }
    Disables routing for one or all VLANs.
disable ipforwarding broadcast {vlan }
    Disables routing of broadcasts to other networks.
disable loopback-mode vlan [ | all]
    Disables loopback-mode on an interface.
Table 57: Route Table Configuration Commands (continued)
config iproute add default {}
    Adds a default gateway to the routing table. A default gateway must be located on a configured IP interface. If no metric is specified, the default metric of 1 is used. Use the unicast-only or multicast-only options to specify a particular traffic type. If not specified, both unicast and multicast traffic use the default route.
Table 58: ICMP Configuration Commands (continued)
disable ip-option loose-source-route
    Disables the loose source route IP option.
disable ip-option record-route
    Disables the record route IP option.
disable ip-option record-timestamp
    Disables the record timestamp IP option.
disable ip-option strict-source-route
    Disables the strict source route IP option.
disable ip-option use-router-alert
    Disables the generation of the router alert IP option.
Table 58: ICMP Configuration Commands (continued)
enable ip-option use-router-alert
    Enables the switch to generate the router alert IP option with routing protocol packets.
enable irdp {vlan }
    Enables the generation of ICMP router advertisement messages on one or all VLANs. The default setting is enabled.
unconfig icmp
    Resets all ICMP settings to the default values.
unconfig irdp
    Resets all router advertisement settings to the default values.
The example in Figure 18 is configured as follows:

    create vlan Finance
    create vlan Personnel
    config Finance add port 2,4
    config Personnel add port 3,5
    config Finance ipaddress 192.207.35.1
    config Personnel ipaddress 192.207.36.1
    enable ipforwarding

Displaying Router Settings

To display settings for various IP routing components, use the commands listed in Table 59.
Table 60: Router Reset and Disable Commands (continued)

Command                                    Description
disable icmp address-mask {vlan }          Disables the generation of ICMP address-mask reply messages. If a VLAN is not specified, the command applies to all IP interfaces.
disable icmp parameter-problem {vlan }     Disables the generation of ICMP parameter-problem messages. If a VLAN is not specified, the command applies to all IP interfaces.
UDP-Forwarding

3 Configure the addresses to which DHCP or BOOTP requests should be directed, using the following command:

    config bootprelay add

To delete an entry, use the following command:

    config bootprelay delete { | all}

Verifying the DHCP/BOOTP Relay Configuration

To verify the DHCP/BOOTP relay configuration, use the following command:

    show ipconfig

This command displays the configuration of the BOOTP relay service, and the addresses that are currently configured.
UDP-Forwarding Example

In this example, the VLAN Marketing and the VLAN Operations are pointed toward a specific backbone DHCP server (with IP address 10.1.1.1) and a backup server (with IP address 10.1.1.2). Additionally, the VLAN LabUser is configured to use any responding DHCP server on a separate VLAN called LabSvrs.
Table 61: UDP-Forwarding Commands (continued)

Command                                    Description
config vlan udp-profile                    Assigns a UDP-forwarding profile to the source VLAN. Once the UDP profile is associated with the VLAN, the switch picks up any broadcast UDP packets that match the user-configured UDP port number, and forwards those packets to the user-defined destination. If the UDP port is the DHCP/BOOTP port number, the appropriate DHCP/BOOTP proxy functions are invoked.
A Safety Information

Important Safety Information

WARNING! Read the following safety information thoroughly before installing your Extreme Networks switch. Failure to follow this safety information can lead to personal injury or damage to the equipment.

Installation, maintenance, removal of parts, and removal of the unit and components must be done by qualified service personnel only.
• The appliance coupler (the connector to the unit and not the wall plug) must have a configuration for mating with an EN60320/IEC320 appliance inlet.

• France and Peru only: This unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labeled Neutral, connected directly to ground.
Lithium Battery

The lithium battery is not user-replaceable.

WARNING! Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

• Disposal requirements vary by country and by state.
• Lithium batteries are not listed by the Environmental Protection Agency (EPA) as a hazardous waste.
B Supported Standards

The following is a list of software standards supported by ExtremeWare for the Summit 300-48 switch.

Standards and Protocols
RFC 1122 Host requirements
RFC 793 TCP
IEEE 802.1D-1998 (802.1p) Packet priority
RFC 826 ARP
IEEE 802.
C Software Upgrade and Boot Options

This appendix describes the following topics:

• Downloading a New Image on page 175
• Saving Configuration Changes on page 176
• Using TFTP to Upload the Configuration on page 177
• Using TFTP to Download the Configuration on page 178
• Upgrading and Accessing BootROM on page 179
• Boot Option Commands on page 181

Downloading a New Image

The image file contains the executable code that runs on the switch. It comes preinstalled from the factory.
Rebooting the Switch

To reboot the switch, use the following command:

    reboot { time
To erase the currently selected configuration image and reset all switch parameters, use the following command:

    unconfig switch all

Using TFTP to Upload the Configuration

You can upload the current configuration to a TFTP server on your network. The uploaded ASCII file retains the command-line interface (CLI) format.
Using TFTP to Download the Configuration

You can download ASCII files that contain CLI commands to the switch to modify the switch configuration. Three types of configuration can be downloaded:

• Complete configuration
• Incremental configuration
• Scheduled incremental configuration

Downloading a Complete Configuration

Downloading a complete configuration replicates or restores the entire configuration to the switch.
To display scheduled download information, use the following command:

    show switch

To cancel scheduled incremental downloads, use the following command:

    download configuration cancel

Remember to Save

Regardless of which download option is used, configurations are downloaded into switch runtime memory only. The configuration is saved only when the save command is issued, or if the configuration file itself contains the save command.
Table 62: Bootstrap Command Options

Option    Description
boot      Boots a loader.
enable    Enables features.
h         Accesses online help.
help      Accesses online help.
?         Accesses online help.
reboot    Reboots the system.
rz        Zmodem download.
show      Displays bootstrap information.
use       Sets the file to use for config, loader and image commands.
Boot Option Commands

Table 64 lists the CLI commands associated with switch boot options.

Table 64: Boot Option Commands

Command                                                     Description
config download server [primary | secondary] [ | ]          Configures the TFTP server(s) used by a scheduled incremental configuration download.
download bootrom [ | ] [bootstrap | diagnostics |           Downloads a BOOT ROM image from a TFTP server.
Table 64: Boot Option Commands (continued)

Command                                   Description
use configuration [primary | secondary]   Configures the switch to use a particular configuration on the next reboot. Options include the primary configuration area or the secondary configuration area.
use image [primary | secondary]           Configures the switch to use a particular image on the next reboot.
D Troubleshooting

If you encounter problems when using the switch, this appendix may be helpful. If you have a problem not listed here or in the release notes, contact your local technical support representative.

LEDs

Power LED does not light:
Check that the power cable is firmly connected to the device and to the supply outlet.

On powering-up, the MGMT LED lights yellow:
The device has failed its Power On Self Test (POST) and you should contact your supplier for advice.
• Both ends of the Gigabit link are set to the same autonegotiation state. Both sides of the Gigabit link must be enabled or disabled. If the two are different, typically the side with autonegotiation disabled will have the link LED lit, and the side with autonegotiation enabled will not be lit. The default configuration for a Gigabit port is autonegotiation enabled.
Using the Command-Line Interface

Check that the port through which you are trying to access the device has not been disabled. If it is enabled, check the connections and network cabling at the port.

Check that the port through which you are trying to access the device is in a correctly configured VLAN.

Try accessing the device through a different port. If you can now access the device, a problem with the original port is indicated. Re-examine the connections and cabling.
The only way to establish a full duplex link is to either force it at both sides, or run auto-negotiation on both sides (using full duplex as an advertised capability, which is the default setting on the Extreme switch).

NOTE
A mismatch of duplex mode between the Extreme switch and another network device will cause poor network performance. Viewing statistics using the show port rx command on the Extreme switch may display a constant increment of CRC errors.
Debug Tracing

with a number, or contains non-alphabetical characters, you must use quotation marks whenever referring to the VLAN name.

VLANs, IP Addresses and default routes:
The system can have an IP address for each configured VLAN. It is necessary to have an IP address associated with a VLAN if you intend to manage (Telnet, SNMP, ping) through that VLAN or route IP traffic. You can also configure multiple default routes for the system.
• support@extremenetworks.com

You can also visit the support website at:

• http://www.extremenetworks.com/extreme/support/techsupport.asp

to download software updates (requires a service contract) and documentation.