ExtremeWare 72.e Installation and User Guide Software Version 7.2e Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 http://www.extremenetworks.
©2004 Extreme Networks, Inc. All rights reserved. Extreme Networks, ExtremeWare and BlackDiamond are registered trademarks of Extreme Networks, Inc. in the United States and certain other jurisdictions.
Contents Chapter 1 Introduction 15 Conventions 15 Related Publications Using ExtremeWare Publications Online 16 17 Summit 400-48 Switch Overview and Installation Summary of Features Hardware Software 19 19 20 Summit 400-48t Switch Physical Features Summit 400-48t Switch Front View Summit 400-48 Switch Rear View 21 21 22 Summit 400-48t Switch LEDs 23 Mini-GBIC Type and Support Mini-GBIC Type and Specifications 24 25 Port Connections Uplink Redundancy 27 27 Software Overview Virtual LANs (VL
Contents Chapter 2 4 Switch Installation 33 Determining the Switch Location 33 Following Safety Information 33 Installing the Switch Rack Mounting Free-Standing Desktop Mounting of Multiple Switches 34 34 34 35 Installing or Replacing a Mini-Gigabit Interface Connector (Mini-GBIC) Safety Information Preparing to Install or Replace a Mini-GBIC Removing and Inserting a Mini-GBIC 35 35 35 36 Connecting Equipment to the Console Port 37 Powering On the Switch 38 Checking the Installation 38 Lo
Contents MIB Access Control Notification Chapter 3 Chapter 4 56 57 Authenticating Users RADIUS Client TACACS+ Configuring RADIUS Client and TACACS+ 59 60 60 60 Using Network Login 60 Using the Simple Network Time Protocol Configuring and Using SNTP SNTP Example 60 61 64 Accessing the Switch Understanding the Command Syntax Syntax Helper Command Shortcuts Switch Numerical Ranges Names Symbols Limits 65 66 66 67 67 67 68 Line-Editing Keys 68 Command History 68 Common Commands 68 Configuring
Contents Chapter 5 Chapter 6 6 Path MTU Discovery IP Fragmentation with Jumbo Frames IP Fragmentation within a VLAN 80 80 81 Load Sharing on the Switch Static Load Sharing Load-Sharing Algorithm Configuring Switch Load Sharing Load-Sharing Example Verifying the Load-Sharing Configuration 81 81 82 83 83 83 Switch Port-Mirroring Summit 400 Switch Port-Mirroring Example 84 85 Extreme Discovery Protocol 85 Configuring Automatic Failover for Combination Ports Automatic Failover Examples 85 86 Virtu
Contents Displaying FDB Entries Chapter 7 Chapter 8 103 Quality of Service (QoS) Overview of Policy-Based Quality of Service 106 Applications and Types of QoS Voice Applications Video Applications Critical Database Applications Web Browsing Applications File Server Applications 106 106 106 107 107 107 Configuring QoS 108 QoS Profiles 108 Traffic Groupings IP-Based Traffic Groupings MAC-Based Traffic Groupings Explicit Class of Service (802.
Contents About RMON RMON Features of the Switch Configuring RMON Event Actions Chapter 9 8 134 134 135 136 Security Security Overview 137 Network Access Security 137 MAC-Based VLANs 138 IP Access Lists (ACLs) Access Masks Access Lists Rate Limits How Access Control Lists Work Access Mask Precedence Numbers Specifying a Default Rule The permit-established Keyword Adding Access Mask, Access List, and Rate Limit Entries Deleting Access Mask, Access List, and Rate Limit Entries Verifying Access Contr
Contents Routing Profiles for RIP Routing Access Profiles for OSPF Routing Access Profiles for PIM Chapter 10 Chapter 11 160 161 163 Denial of Service Protection Configuring Denial of Service Protection Creating Trusted Ports 164 164 165 Management Access Security 166 Authenticating Users Using RADIUS or TACACS+ RADIUS Client Configuring TACACS+ 166 166 172 Secure Shell 2 (SSH2) Enabling SSH2 for Inbound Switch Access Using SCP2 from an External SSH2 Client SSH2 Client Functions on the Switch 17
Contents Chapter 12 Chapter 13 10 STP Configurations Basic STP Configuration VLAN Spanning Multiple STPDs 194 194 196 Per-VLAN Spanning Tree STPD VLAN Mapping Native VLAN 197 198 198 Rapid Spanning Tree Protocol RSTP Terms RSTP Concepts RSTP Operation 198 199 199 202 STP Rules and Restrictions 209 Configuring STP on the Switch STP Configuration Examples 209 210 Displaying STP Settings 212 IP Unicast Routing Overview of IP Unicast Routing Router Interfaces Populating the Routing Table Subnet-
Contents Split Horizon Poison Reverse Triggered Updates Route Advertisement of VLANs RIP Version 1 Versus RIP Version 2 Chapter 14 229 229 230 230 230 Overview of OSPF Link-State Database Areas Point-to-Point Support 230 231 232 235 Route Re-Distribution Configuring Route Re-Distribution 236 236 RIP Configuration Example 238 Configuring OSPF Configuring OSPF Wait Interval 238 238 OSPF Configuration Example Configuration for ABR1 Configuration for IR1 239 240 240 Displaying OSPF Settings OSPF L
Contents Chapter 15 Appendix A 12 Using ExtremeWare Vista on the Summit 400 ExtremeWare Vista Overview Setting Up Your Browser 253 253 Accessing ExtremeWare Vista 254 Navigating within ExtremeWare Vista Browser Controls Status Messages 256 257 257 Configuring the Summit 400 using ExtremeWare Vista IP Forwarding License OSPF Ports RIP SNMP Spanning Tree Switch User Accounts Virtual LAN Access List 257 258 259 260 266 268 271 273 277 277 278 280 Reviewing ExtremeWare Vista Statistical Reports Even
Contents Appendix B Appendix C Software Upgrade and Boot Options Downloading a New Image Selecting a Primary or a Secondary Image Understanding the Image Version String Software Signatures Rebooting the Switch 313 313 314 315 315 Saving Configuration Changes Returning to Factory Defaults 315 316 Using TFTP to Upload the Configuration 316 Using TFTP to Download the Configuration Downloading a Complete Configuration Downloading an Incremental Configuration Scheduled Incremental Configuration Download
Preface This preface provides an overview of this guide, describes guide conventions, and lists other publications that might be useful. Introduction This guide provides the required information to install the Summit 400-48 switch and configure the ExtremeWare™ software running on the Summit 400-48 switch. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment.
Table 1: Notice Icons

Notice Type   Alerts you to...
Note          Important features or instructions.
Caution       Risk of personal injury, system damage, or loss of data.
Warning       Risk of severe personal injury.

Table 2: Text Conventions

Convention        Description
Screen displays   This typeface indicates command syntax, or represents information as it appears on the screen.
Related Publications Documentation for Extreme Networks products is available on the World Wide Web at the following location: http://www.extremenetworks.com/ Using ExtremeWare Publications Online You can access ExtremeWare publications by downloading them from the Extreme Networks World Wide Web location or from your ExtremeWare product CD. Publications are provided in Adobe® Portable Document Format (PDF).
1 Summit 400-48 Switch Overview and Installation

This chapter describes the features and functionality of the Summit 400-48t switch. It contains the following sections:
• Summary of Features on page 19
• Summit 400-48t Switch Physical Features on page 21
— Summit 400-48t Switch LEDs on page 23
— Mini-GBIC Type and Support on page 24
— Port Connections on page 27
• Software Overview on page 28
— Software Licensing on page 30
— Software Factory Defaults on page 32
• Switch Installation on page 33
— Determining the Switch Location on page 33
— Foll
The fiber ports share a PHY with the first four copper ports.
• Remote Monitoring (RMON)
• Traffic mirroring for ports by port number
• Network Login—Web
• Network Login—IEEE 802.1X

Summit 400-48t Switch Physical Features

The Summit 400-48t switch is a compact enclosure (see Figure 1) one rack unit in height (1.73 inches or 44.0 mm) that provides 48 autosensing 10/100/1000BASE-T ports using RJ-45 connectors.
Summit 400-48 Switch Rear View

Figure 2 shows the rear view of the Summit 400-48 switch.

Figure 2: Summit 400-48 switch rear view (callouts: compact flash (reserved for future), external power supply connection, Mgmt port, 10 Gigabit uplink option, 10 Gigabit stacking ports (reserved for future), power socket)

The rear panel consists of:
• An option slot for the dual 10 Gigabit uplinks. To install this option, see "Installing Optional Features" on page 39.
NOTE The Summit 400-48 switch certification, safety label, and serial number are located on the bottom of the switch.

Summit 400-48t Switch LEDs

The front panel displays five types of LEDs:
• Management: The MGMT LED indicates the status of the switch.
• Fan: The FAN LED indicates the status of the cooling fans.
• Power: The Summit 400-48t comes with an internal power supply and can be connected to the Extreme External Power Supply tray.
Table 3: Summit 400-48t switch LED behavior (Continued)

Power Supply LEDs

PSU-I
  Color             Indicates
  Green, solid      The internal power supply is operating normally.
  Amber, blinking   The internal power supply has failed. Replace the internal power supply as soon as possible.
  Off               The internal power supply has no power.

PSU-E
  Color             Indicates
  Green, solid      The external power supply is operating normally.
  Amber, blinking   The external power supply has failed.
Mini-GBIC Type and Support

Mini-GBIC Type and Specifications

Table 4 describes the mini-GBIC type and distances for the Summit 400-48t.

Table 4: Mini-GBIC types and distances

Standard                              Media Type                    MHz•km Rating   Maximum Distance (Meters)
1000BASE-SX (850 nm optical window)   50/125 µm multimode fiber     400             500
                                      50/125 µm multimode fiber     500             550
                                      62.5/125 µm multimode fiber   160             220
                                      62.5/125 µm multimode fiber   200             275
                                      50/125 µm multimode fiber     400             550
                                      50/125 µm multimode fiber     500             550
                                      62.
Table 6: LX mini-GBIC specifications

Parameter                          Minimum     Typical    Maximum
Transceiver
  Optical output power             –9.5 dBm               –3 dBm
  Center wavelength                1275 nm     1310 nm    1355 nm
Receiver
  Optical input power sensitivity  –23 dBm
  Optical input power maximum                             –3 dBm
  Operating wavelength             1270 nm                1355 nm
General
  Total system budget              13.5 dB

Total optical system budget for the LX mini-GBIC is 13.5 dB.
Port Connections

Figure 3: Total optical system budgets for long range GBICs (matrix of dB budgets for LX70, LX100, ZX GBIC and ZX GBIC Rev. 03 pairings; the per-pair values are only legible in the figure itself)
The switch determines whether the port is the primary or redundant port based upon the order in which the cables are inserted into the switch. When the switch senses that cables are in both the fiber and corresponding copper port, the switch enables the uplink redundancy feature. For example, if you insert mini-GBICs into ports 1X and 3X first, and then connect copper ports 1 and 3, the switch assigns ports 1 and 3 as redundant ports.
Software Overview

For more information on VLANs, see Chapter 5.

Spanning Tree Protocol

The switch supports the IEEE 802.1D Spanning Tree Protocol (STP), which is a bridge-based mechanism for providing fault tolerance on networks. STP enables you to implement parallel paths for network traffic, and ensure that:
• Redundant paths are disabled when the main paths are operational.
• Redundant paths are enabled if the main traffic paths fail.
A single spanning tree can span multiple VLANs.
ESRP-Aware Switches

Extreme switches that are not running ESRP, but are connected on a network that has other Extreme switches running ESRP, are ESRP-aware. When ESRP-aware switches are attached to ESRP-enabled switches, the ESRP-aware switches reliably perform fail-over and fail-back scenarios in the prescribed recovery times. No configuration of this feature is necessary.

NOTE If you disable EDP on the switch, the switch is no longer ESRP-aware.
Software Licensing

• Layer 3 QoS
• Access Lists, except rate limiting
• Network Login, both web-based and 802.1X

Advanced Edge Functionality

The Advanced Edge license enables support of additional routing protocols and functions, including:
• IP routing using OSPF
• IP multicast routing using PIM (Sparse Mode)
• EAPS-Edge

Product Support

The Summit 400 can support Advanced Edge functionality. However, the switch is enabled and shipped with an Edge license.
http://www.extremenetworks.com/go/security.htm

Fill out a contact form to indicate compliance or noncompliance with the export restrictions. If you are in compliance, you will be given information that will allow you to enable security features.

Security Features Under License Control

Summit 400-48t software supports the SSH2 protocol. SSH2 allows the encryption of Telnet session data between an SSH2 client and an Extreme Networks switch.
Table 9: Summit 400-48t Global Factory Defaults (Continued)

Item             Default Setting
PIM-SM           Disabled
NTP              Disabled
DNS              Disabled
Port mirroring   Disabled

NOTE For default settings of individual Summit 400-48t features, see the individual chapters in this guide.

Switch Installation

CAUTION Use of controls or adjustments of performance or procedures other than those specified herein can result in hazardous radiation exposure.
Installing the Switch

The Summit 400-48t can be mounted in a rack, or placed free-standing on a tabletop.

Rack Mounting

CAUTION Do not use the rack mount kits to suspend the switch from under a table or desk, or to attach the switch to a wall.

To rack mount the Summit 400-48t:
1 Place the switch upright on a hard flat surface, with the front facing you.
2 Remove the existing screws from the sides of the case (retain the screws for Step 4).
Desktop Mounting of Multiple Switches

You can physically place up to four Summit 400-48 switches on top of one another.

NOTE This relates only to stacking the devices directly one on top of one another.

Apply the pads to the underside of the device by sticking a pad at each corner of the switch. Place the devices on top of one another, ensuring that the corners align.
• Use the same type of mini-GBIC at each end of the link.
• Connect one end of the link to the Tx port. Without an attenuator, measure the total loss from the Tx port to the other side of the link.
Once you complete all of the described tasks, you are ready to install or replace a mini-GBIC.

Removing and Inserting a Mini-GBIC

You can remove mini-GBICs from, or insert mini-GBICs into, your Summit 400-48t without powering off the system.
Inserting a Mini-GBIC

NOTE Mini-GBICs can be installed in the SFP mini-GBIC receptacles for ports 1X—4X on the Summit 400-48t switch.

To insert a mini-GBIC connector:
1 Holding the mini-GBIC by its sides, insert the mini-GBIC into the SFP receptacle on the switch.
2 Push the mini-GBIC into the SFP receptacle until you hear an audible click, indicating the mini-GBIC is securely seated in the SFP receptacle.
Figure 7 shows the pin-outs for a 9-pin to RS-232 25-pin null-modem cable.

Figure 7: Null-modem cable pin-outs

Summit cable connector (9-pin female):
  Screen   Shell
  TxD      3
  RxD      2
  Ground   5
  RTS      7
  CTS      8
  DSR      6
  DCD      1
  DTR      4

PC/Terminal cable connector (25-pin male/female):
  1    Screen
  3    RxD
  2    TxD
  7    Ground
  4    RTS
  20   DTR
  5    CTS
  6    DSR
  8    DCD

(The cross-connections between the two connectors are shown only in the figure.)

Figure 8 shows the pin-outs for a 9-pin to 9-pin PC-AT null-modem serial cable.
Logging In for the First Time

After the Summit 400-48t completes the POST, it is operational. Once operational, you can log in to the switch and configure an IP address for the default VLAN (named default).

To configure the IP settings manually, follow these steps:
1 Connect a terminal or workstation running terminal-emulation software to the console port.
2 At your terminal, press [Return] one or more times until you see the login prompt.
Installing the Summit XEN Card

The Summit 400-48t allows you to add up to two 10 Gigabit uplink modules to increase the bandwidth of the switch. The Summit XEN Card supports either of these Extreme XENPAK optical transceivers:
• SR XENPAK for the 850 nm range
• LR XENPAK for the 1310 nm range
• ER XENPAK for the 1550 nm range

CAUTION The Summit XEN Card cannot be hot-swapped.
Installing Optional Features

CAUTION The XENPAK module can emit invisible laser radiation. Avoid direct eye exposure to the beam.

WARNING! To prevent ESD damage to the Summit XEN Card, always use an ESD-preventive wrist strap when installing or removing the module. Handle the module by its sides only. Never touch the card-edge connectors at the insertion end of the module.

To install XENPAK modules:
1 Remove the XENPAK module from its antistatic container.
2 Remove the dust covers from the module connectors.
Installing the External Power System

The Extreme External Power System allows you to add a redundant power supply to the Summit 400 in case of a power supply failure. It consists of a tray (EPS-T) that holds one or two EPS-160 power supplies, which provide one-to-one coverage for each External Power System that you attach.

To install the EPS-160:
1 Rack mount, or place on a desktop near, the External Power System.
2 Managing the Switch This chapter covers the following topics: • Overview on page 43 • Using the Console Interface on page 44 • Using the 10/100/1000 Ethernet Management Port on page 44 • Using Telnet on page 44 • Using Secure Shell 2 (SSH2) on page 48 • Using SNMP on page 48 • Authenticating Users on page 59 • Using Network Login on page 60 • Using the Simple Network Time Protocol on page 60 Overview Using ExtremeWare, you can manage the switch using the following methods: • Access the CLI by connectin
The switch supports up to the following number of concurrent user sessions:
• One console session
• Eight Telnet sessions
• Eight SSH2 sessions
• One web session

Using the Console Interface

The CLI built into the switch is accessible by way of the 9-pin, RS-232 port labeled console, located on the back of the switch. For more information on the console port pinouts, see Table 10 on page 37. After the connection has been established, you will see the switch prompt and you can log in.
Using Telnet

NOTE Maximize the Telnet screen so that automatically updating screens display correctly.

To open the Telnet session, you must specify the IP address of the device that you want to manage. Check the user manual supplied with the Telnet facility if you are unsure of how to do this. After the connection is established, you will see the switch prompt and you may log in.
Manually Configuring the IP Settings

If you are using IP without a BOOTP server, you must enter the IP parameters for the switch in order for the SNMP Network Manager, Telnet software, or web interface to communicate with the device. To assign IP parameters to the switch, you must perform the following tasks:
• Log in to the switch with administrator privileges using the console interface.
• Assign an IP address and subnet mask to a VLAN.
6 Configure the default route for the switch using the following command:
configure iproute add default {}
For example:
configure iproute add default 123.45.67.
Using Secure Shell 2 (SSH2)

Secure Shell 2 (SSH2) is a feature of ExtremeWare that allows you to encrypt Telnet session data between a network administrator using SSH2 client software and the switch, or to send encrypted data from the switch to an SSH2 client on a remote system. Image and configuration files may also be transferred to the switch using the Secure Copy Protocol 2 (SCP2).
Using SNMP

Accessing Switch Agents

To have access to the SNMP agent residing in the switch, at least one VLAN must have an IP address assigned to it. By default, SNMP access and SNMPv1/v2c traps are enabled. SNMP access and SNMP traps can be disabled and enabled independently: you can disable SNMP access but still allow SNMP traps to be sent, or vice versa.

Supported MIBs

In addition to private MIBs, the switch supports the standard MIBs listed in Appendix A.
Use the none option to remove a previously configured access-profile.
• Community strings—The community strings allow a simple method of authentication between the switch and the remote Network Manager. There are two types of community strings on the switch. Read community strings provide read-only access to the switch. The default read-only community string is public. Read-write community strings provide read and write access to the switch.
already been using SNMPv1/v2c trap receivers, trap groups are very easy to incorporate into your network. You cannot define your own trap groups. If you need to define more selectively which notifications to receive, you will need to use the notification filter capabilities available in SNMPv3.
Table 11: SNMP Trap Groups (Continued)

Trap Group     Notifications                       MIB Subtree
system-traps   extremeOverheat                     1.3.6.1.4.1.1916.0.6
               extremeFanFailed                    1.3.6.1.4.1.1916.0.7
               extremeFanOK                        1.3.6.1.4.1.1916.0.8
               extremePowerSupplyFail              1.3.6.1.4.1.1916.0.10
               extremePowerSupplyGood              1.3.6.1.4.1.1916.0.11
               extremeModuleStateChange            1.3.6.1.4.1.1916.0.15
               extremeHealthCheckFailed            1.3.6.1.4.1.1916.4.1.0.1
               extremeCpuUtilizationRisingTrap     1.3.6.1.4.1.
               extremeCpuUtilizationFallingTrap
               coldStart
               warmStart
• RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), describes VACM as a way to control access to the MIB.

SNMPv3 Overview

The SNMPv3 standards for network management were primarily driven by the need for greater security and access control. The new standards use a modular design and model management information by cleanly defining a message processing subsystem, a security subsystem, and an access control subsystem.
SNMPv3 Security

In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals with security-related aspects such as authentication, encryption of SNMP messages, and defining users and their access security levels. This standard also encompasses protection against message delay and message replay.

USM Timeliness Mechanisms

There is one SNMPv3 engine on an Extreme switch, identified by its snmpEngineID.
To delete a user, use the following command:
configure snmpv3 delete user [all-non-defaults | {hex} ]

NOTE In the SNMPv3 specifications there is the concept of a security name. In the ExtremeWare implementation, the user name and security name are identical. In this manual we use both terms to refer to the same thing.

Groups. Groups are used to manage access for the MIB.
• SNMPv2c—community-string-based security
• SNMPv3—USM security
The default is the User-Based Security Model (USM). You can select the security model based on the network manager in your network. The three security levels supported by USM are:
• noAuthnoPriv—No authentication, no privacy. This is the case with existing SNMPv1/v2c agents.
• AuthnoPriv—Authentication, no privacy. Messages are tested only for authentication.
• AuthPriv—Authentication, privacy.
To define a view that includes the entire MIB-2, use the following subtree/mask:

1.3.6.1.2.1.1 / 1.1.1.1.1.0.0.0

which, on the command line, is:

1.3.6.1.2.1.1 / f8

When you create the MIB view, you can choose to include the MIB subtree/mask, or to exclude the MIB subtree/mask.
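The subtree/mask pair above is easier to reason about once the matching rule behind it is spelled out. The following Python is an added example, not ExtremeWare code: it converts the dotted bit mask the text uses (1.1.1.1.1.0.0.0) into the hex form the CLI takes (f8), tests an OID against a view entry using the RFC 3415 family rule (a 1 bit means the sub-identifier must match, a 0 bit is a wildcard, bits beyond the mask's length count as 1), and resolves a view made of include and exclude entries, where the entry with the longest subtree wins. The sample view (MIB-2 included, the ipNetToMediaTable ARP cache excluded) is constructed for the example and is not a recommendation from the guide.

```python
"""VACM view matching for SNMPv3 subtree/mask entries (added example)."""


def parse_oid(oid: str) -> list[int]:
    """'1.3.6.1.2.1.1' -> [1, 3, 6, 1, 2, 1, 1]."""
    return [int(part) for part in oid.strip(".").split(".")]


def mask_to_hex(dotted_mask: str) -> str:
    """Dotted bit mask as written in the text (1.1.1.1.1.0.0.0) -> CLI hex form (f8).
    Bits are zero-padded to a whole byte, so a 7-bit mask yields the same result."""
    bits = [int(b) for b in dotted_mask.split(".")]
    if any(b not in (0, 1) for b in bits):
        raise ValueError("mask bits must be 0 or 1")
    bits += [0] * (-len(bits) % 8)
    return "".join(
        f"{int(''.join(str(b) for b in bits[i:i + 8]), 2):02x}"
        for i in range(0, len(bits), 8)
    )


def hex_to_bits(hex_mask: str) -> list[int]:
    """'f8' -> [1, 1, 1, 1, 1, 0, 0, 0]. An empty mask means every position must match."""
    return [int(ch) for byte in bytes.fromhex(hex_mask) for ch in f"{byte:08b}"]


def in_family(oid: str, subtree: str, hex_mask: str = "") -> bool:
    """RFC 3415 vacmViewTreeFamily test for a single subtree/mask entry."""
    o, s, bits = parse_oid(oid), parse_oid(subtree), hex_to_bits(hex_mask)
    if len(o) < len(s):          # the OID must be at least as deep as the subtree
        return False
    for i, sub in enumerate(s):
        bit = bits[i] if i < len(bits) else 1   # positions past the mask are fixed
        if bit == 1 and o[i] != sub:
            return False
    return True


def view_permits(oid: str, view: list[tuple[str, str, bool]]) -> bool:
    """Resolve a view of (subtree, hex_mask, included) entries as RFC 3415 does:
    among the entries whose family contains the OID, the one with the longest
    subtree wins (ties broken by the lexicographically greater subtree).
    An OID matched by no entry is not in the view."""
    best = None
    for subtree, hex_mask, included in view:
        if in_family(oid, subtree, hex_mask):
            key = (len(parse_oid(subtree)), parse_oid(subtree))
            if best is None or key > best[0]:
                best = (key, included)
    return best is not None and best[1]


# Constructed sample view: the page's MIB-2 entry plus an exclusion of the
# ARP cache table (ipNetToMediaTable, 1.3.6.1.2.1.4.22), which sits inside it.
MIB2_VIEW = [
    ("1.3.6.1.2.1.1", "f8", True),
    ("1.3.6.1.2.1.4.22", "", False),
]


def describe(oid: str) -> str:
    """Human-readable verdict for one OID against MIB2_VIEW."""
    return f"{oid}: {'included' if view_permits(oid, MIB2_VIEW) else 'excluded'}"


if __name__ == "__main__":
    print("mask 1.1.1.1.1.0.0.0 ->", mask_to_hex("1.1.1.1.1.0.0.0"))
    for sample in ("1.3.6.1.2.1.1.5.0",                 # sysName.0
                   "1.3.6.1.2.1.2.2.1.2.1",             # ifDescr.1
                   "1.3.6.1.2.1.4.22.1.2.1.10.0.0.1",   # an ARP cache row
                   "1.3.6.1.4.1.1916.0.6"):             # an Extreme trap OID
        print(describe(sample))
```

Because the f8 mask clears the bits for the sixth and seventh sub-identifiers, the entry admits every OID whose first five sub-identifiers are 1.3.6.1.2, which is why the guide describes it as "the entire MIB-2"; with mask ff the same subtree would admit only the system group.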
The from option sets the source IP address in the notification packets. The tag-list option allows you to associate a list of tags with the target address. The tag defaultNotify is set by default. Tags are discussed in the section "Notification Tags".
To display the association between parameter names and filter profiles, use the following command:
show snmpv3 filter-profile {{hex} } {param {hex} }
To display the filters that belong to a filter profile, use the following command:
show snmpv3 filter {{hex} {{subtree}
NOTE You cannot configure RADIUS and TACACS+ at the same time.

RADIUS Client

Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administering access to network nodes. The ExtremeWare RADIUS client implementation allows authentication for Telnet, Vista, or console access to the switch.
Using the Simple Network Time Protocol

Configuring and Using SNTP

To use SNTP, follow these steps:
1 Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method for obtaining NTP updates. The options are for the NTP server to send out broadcasts, or for switches using NTP to query the NTP server(s) directly. A combination of both methods is possible. You must identify the method that should be used for the switch being configured.
Table 12: Time Zone Configuration Command Options (Continued)

absolute_day   Specifies a specific day of a specific year on which to begin or end DST. Format is: // where:
               • is specified as 1-12
               • is specified as 1-31
               • is specified as 1970 - 2035
               The year must be the same for the begin and end dates.
time_of_day    Specifies the time of day to begin or end Daylight Savings Time. May be specified as an hour (0-23) or as hour:minutes.
Table 13: Greenwich Mean Time Offsets

GMT Offset   GMT Offset   Common Time Zone References           Cities
in Hours     in Minutes
+0:00        +0           GMT - Greenwich Mean                  London, England; Dublin, Ireland; Edinburgh, Scotland;
                          UT or UTC - Universal (Coordinated)   Lisbon, Portugal; Reykjavik, Iceland; Casablanca, Morocco
                          WET - Western European
-1:00        -60          WAT - West Africa                     Azores, Cape Verde Islands
-2:00        -120         AT - Azores
-3:00        -180
-4:00        -240         AST - Atlantic Standard               Caracas; La P
Table 13: Greenwich Mean Time Offsets (Continued)

GMT Offset   GMT Offset   Common Time Zone References            Cities
in Hours     in Minutes
+11:00       +660
+12:00       +720         IDLE - International Date Line East    Wellington, New Zealand; Fiji, Marshall Islands
                          NZST - New Zealand Standard
                          NZT - New Zealand

SNTP Example

In this example, the switch queries a specific NTP server and a backup NTP server. The switch is located in Cupertino, CA, and an update occurs every 20 minutes.
3 Accessing the Switch This chapter covers the following topics: • Understanding the Command Syntax on page 65 • Line-Editing Keys on page 68 • Command History on page 68 • Common Commands on page 68 • Configuring Management Access on page 70 • Domain Name Service Client Services on page 73 • Checking Basic Connectivity on page 74 Understanding the Command Syntax This section describes the steps to take when entering a command.
3 The value part of the command specifies how you want the parameter to be set. Values include numerics, strings, or addresses, depending on the parameter.
4 After entering the complete command, press [Return].

NOTE If an asterisk (*) appears in front of the command-line prompt, it indicates that you have outstanding configuration changes that have not been saved. For more information on saving configuration changes, see Appendix B.

Syntax Helper

The CLI has a built-in syntax helper.
Switch Numerical Ranges

Commands that require you to enter one or more port numbers use the parameter in the syntax. A portlist can be a range of numbers, for example:
port 1-3
You can add additional port numbers to the list, separated by a comma:
port 1-3,6,8

Names

All named components of the switch configuration must have a unique name. Names must begin with an alphabetical character and are delimited by whitespace, unless enclosed in quotation marks.
Limits

The command line can process up to 200 characters, including spaces. If you enter more than 200 characters, the switch generates a stack overflow error and processes the first 200 characters.

Line-Editing Keys

Table 15 describes the line-editing keys available using the CLI.

Table 15: Line-Editing Keys

Key(s)      Description
Backspace   Deletes character to left of cursor and shifts remainder of line to left.
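The portlist syntax from "Switch Numerical Ranges" and the 200-character limit from "Limits" both matter to anyone generating switch commands from a script, because a line that is silently cut at 200 characters can enable or disable a different set of ports than intended. The Python below is an added example, not ExtremeWare code: it expands a portlist such as 1-3,6,8 into port numbers, rejects entries the guide's syntax does not describe (descending ranges, non-numeric items, ports outside 1-48 for the Summit 400-48t's copper ports), and renders a command line back from a port list while refusing to emit one over the limit. Treating malformed input as an error is this example's own policy; the limit and port count come from the page.

```python
"""Portlist parsing and CLI line-length checking (added example, not ExtremeWare code)."""

MAX_LINE_CHARS = 200   # command-line limit stated in the "Limits" section
NUM_PORTS = 48         # copper ports on the Summit 400-48t


def parse_portlist(text: str, num_ports: int = NUM_PORTS) -> list[int]:
    """Expand '1-3,6,8' into [1, 2, 3, 6, 8]; raise ValueError on malformed input."""
    ports: set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        lo_s, sep, hi_s = item.partition("-")
        if not lo_s.isdigit() or (sep and not hi_s.isdigit()):
            raise ValueError(f"malformed port entry {item!r}")
        lo = int(lo_s)
        hi = int(hi_s) if sep else lo
        if lo > hi:
            raise ValueError(f"descending range {item!r}")
        if lo < 1 or hi > num_ports:
            raise ValueError(f"port outside 1-{num_ports}: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def is_valid_portlist(text: str, num_ports: int = NUM_PORTS) -> bool:
    """Convenience wrapper: True when parse_portlist accepts the text."""
    try:
        parse_portlist(text, num_ports)
        return True
    except ValueError:
        return False


def check_line_length(line: str) -> bool:
    """True when the line fits within the 200-character limit, spaces included."""
    return len(line) <= MAX_LINE_CHARS


def build_command(verb: str, ports: list[int]) -> str:
    """Render e.g. 'enable ports 1-3,6,8' from a port list, collapsing runs of
    consecutive ports into ranges. Raises instead of letting the switch truncate."""
    runs: list[list[int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    spec = ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)
    line = f"{verb} ports {spec}"
    if not check_line_length(line):
        raise ValueError(f"command would exceed {MAX_LINE_CHARS} characters")
    return line


if __name__ == "__main__":
    ports = parse_portlist("1-3,6,8")
    print(ports)                          # [1, 2, 3, 6, 8]
    print(build_command("enable", ports))  # enable ports 1-3,6,8
    print(is_valid_portlist("1-49"))       # False: port 49 does not exist
```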
Common Commands

Table 16: Common Commands (Continued)

Command                              Description
configure account {encrypted} {}     Configures a user account password.
configure banner                     Configures the banner string. You can enter up to 24 rows of 79-column text that is displayed before the login prompt of each session. Press [Return] at the beginning of a line to terminate the command and apply the banner. To clear the banner, press [Return] at the beginning of the first line.
Table 16: Common Commands (Continued)

Command                       Description
disable ssh2                  Disables SSH2 Telnet access to the switch.
disable telnet                Disables Telnet access to the switch.
disable web                   Disables web access to the switch.
enable bootp vlan [ | all]    Enables BOOTP for one or more VLANs.
enable cli-config-logging     Enables the logging of CLI configuration commands to the Syslog for auditing purposes. The default setting is enabled.
Configuring Management Access

User Account

A user-level account has viewing access to all manageable parameters, with the exception of:
• User account database.
• SNMP community strings.
A user-level account can use the ping command to test device reachability, and change the password assigned to the account name. If you have logged on with user capabilities, the command-line prompt ends with a (>) sign.
NOTE Passwords are case-sensitive; user names are not case-sensitive.

To add a password to the default admin account, follow these steps:
1 Log in to the switch using the name admin.
2 At the password prompt, press [Return].
3 Add a default admin password by entering the following command:
configure account admin
4 Enter the new password at the prompt.
5 Re-enter the new password at the prompt.
Viewing Accounts

To view the accounts that have been created, you must have administrator privileges. Use the following command to see the accounts:
show accounts

Deleting an Account

To delete an account, you must have administrator privileges. To delete an account, use the following command:
delete account

NOTE Do not delete the default administrator account.
Checking Basic Connectivity

The switch offers the following commands for checking basic connectivity:
• ping
• traceroute

Ping

The ping command enables you to send Internet Control Message Protocol (ICMP) echo messages to a remote IP device. The ping command is available for both the user and administrator privilege level.
• from uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used.
• ttl configures the switch to trace the hops until the time-to-live has been exceeded for the switch.
• port uses the specified UDP port number.
4 Configuring Ports

This chapter covers the following topics:
• Enabling and Disabling Switch Ports on page 77
• Configuring Switch Port Speed and Duplex Setting on page 77
• Jumbo Frames on page 79
• Load Sharing on the Switch on page 81
• Switch Port-Mirroring on page 84
• Extreme Discovery Protocol on page 85

Enabling and Disabling Switch Ports

To enable or disable one or more ports, use the following command:
enable ports [ | all]
disable ports [
Combination Ports” on page 85. If you plan to use the automatic failover feature, ensure that port settings are set correctly for autonegotiation. Fiber ports run at 1000 Mbps, regardless of whether you attempt to manually slow them using the CLI. If you plan on running the copper ports at 1000 Mbps, it is recommended that you keep autonegotiation on. For ports running at slower speeds, you can manually configure the speed of 10/100/1000 Mbps ports and disable autonegotiation.
Jumbo Frames of time it takes to transmit one byte on the link at the specified or negotiated link speed. The configured Interpacket Gap value has no effect on received packets. The default value is 12. The minimum and maximum allowed values range between 12 and 1023. The standard effective Interpacket Gap for Gigabit Ethernet interfaces ranges between 12 and 1023. Some vendors' 10 Gigabit Ethernet interfaces drop packets when packets are transmitted using a value of 12.
Jumbo Frames Example
The following example creates two VLANs, sw1 and sw2. It adds port 12 to sw1 and port 13 to sw2. It configures ports 12 and 13 for jumbo frames up to 9216 bytes (including CRC). It also configures VLANs sw1 and sw2 to accept IP packets up to 9194 bytes.
3 Assign an IP address to the VLAN.
4 Enable ipforwarding on the VLAN.
5 Set the MTU size for the VLAN, using the following command:
configure ip-mtu vlan
The ip-mtu value can be 1500 - 9194, with 1500 the default.

NOTE To set the MTU size greater than 1500, all ports in the VLAN must have jumbo frames enabled.

IP Fragmentation within a VLAN
ExtremeWare supports IP fragmentation within a VLAN. This feature does not require you to configure the MTU size.
may be compatible with third-party trunking or link-aggregation algorithms. Check with an Extreme Networks technical representative for more information.

Load-Sharing Algorithm
The Summit 400-48 uses an address-based load-sharing algorithm as the distribution technique to determine the output port selection. Algorithm selection is not intended for use in predictive traffic engineering.
Configuring Switch Load Sharing
To set up a switch to load share among ports, you must create a load-sharing group of ports. The first port in the load-sharing group is configured to be the “master” logical port. This is the reference port used in configuration commands. It can be thought of as the logical port representing the entire port group.
----------------------------------
* Summit400-48t:46 # show ports sharing
Load Sharing Monitor
Config  Current  Ld Share  Ld Share  Link    Link
Master  Master   Type      Group     Status  Ups
==========================================================
37      37       a         37        A       1
                 a         38        R       0
                 a         39        A       1
                 a         40        A       1
                 a         41        A       1
                 a         42        A       1
Link Status: (A) Active, (D) Disabled, (LB) Loopback, (ND) Not Distributing, (NP) Not Present, (R) Ready
Ld Share Type: (a) address based

Switch Port-Mirroring
Port-mirroring configures the switch to
NOTE When a mirrored port is configured, the forwarding database for items being mirrored (e.g., ports or VLANs) is automatically cleared if the link status on the mirrored port changes. This clearing results in some temporary flooding until the normal learning process completes. Removing or inserting a probe device into the mirror port may appear to cause flooding, but this temporary condition is normal.
The selection of a copper or fiber connection is determined by the order in which the cables are first inserted into the switch. For example, if you inserted an SFP connector into 1X and then an Ethernet cable into port 1, the fiber port becomes the primary uplink port and port 1 becomes the redundant port. Hardware determines when a link is lost and swaps the primary and redundant ports to maintain stability.
5 Virtual LANs (VLANs)
This chapter covers the following topics:
• Overview of Virtual LANs on page 87
• Types of VLANs on page 88
• VLAN Names on page 92
• Configuring VLANs on the Switch on page 93
• Displaying VLAN Settings on page 94
• MAC-Based VLANs on page 95
• on page 97

Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.
Types of VLANs
VLANs can be created according to the following criteria:
• Physical port
• 802.1Q tag
• Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type
• MAC address
• A combination of these criteria

Port-Based VLANs
In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch. All ports are members of the port-based VLAN default.
Spanning Switches with Port-Based VLANs
To create a port-based VLAN that spans two switches, you must do two things:
1 Assign the port on each switch to the VLAN.
2 Cable the two switches together using one port on each switch per VLAN.
Figure 12 illustrates a single VLAN that spans a BlackDiamond switch and a Summit 400 switch. All ports on the BlackDiamond switch belong to VLAN Sales. Port 1X and ports 1 through 28 on the Summit 400 switch also belong to VLAN Sales.
Figure 13: Two port-based VLANs spanning two switches (System 1 with slots 1 through 8, System 2, VLANs Accounting and Engineering; figure not reproduced)
VLAN Accounting spans system 1 and system 2 by way of a connection between system 2, port 1X and system 1, slot 1, port 6. VLAN Engineering spans system 1 and system 2 by way of a connection between system 2, port 2X, and system 1, slot 8, port 6.
Assigning a VLAN Tag
Each VLAN may be assigned an 802.1Q VLAN tag. As ports are added to a VLAN with an 802.1Q tag defined, you decide whether each port will use tagging for that VLAN. The default mode of the switch is to have all ports assigned to the VLAN named default with an 802.1Q VLAN tag (VLANid) of 1 assigned. Not all ports in the VLAN must be tagged.
Figure 15: Logical diagram of tagged and untagged traffic (VLANs Marketing and Sales across System 1 and System 2; the tagged ports are System 1 port 33, port 1X and System 2 slot 1 port 1; figure not reproduced)
In Figure 14 and Figure 15:
• The trunk port on each switch carries traffic for both VLAN Marketing and VLAN Sales.
• The trunk port on each switch is tagged.
• Quotation mark
VLAN names must begin with an alphabetical letter. Quotation marks can be used to enclose a VLAN name that includes special characters, including single quotation marks or commas. Spaces may not be included, even within quotation marks. For example, the names test, test1, and test_15 are acceptable VLAN names. The names “test&5” and “joe’s” may be used if enclosed in quotation marks. Names such as “5test” or “test 5” are not permitted.
NOTE If you plan to use this VLAN as a control VLAN for an EAPS domain, do NOT assign an IP address to the VLAN.

3 Assign a VLANid, if any ports in this VLAN will use a tag.
4 Assign one or more ports to the VLAN. As you add each port to the VLAN, decide if the port will use an 802.1Q tag.

VLAN Configuration Examples
The following example creates a port-based VLAN named accounting, assigns the IP address 132.15.121.
• How the VLAN was created.
• IP address.
• STPD information.
• Protocol information.
• QoS profile information.
• Ports assigned.
• Tagged/untagged status for each port.
• How the ports were added to the VLAN.
• Number of VLANs configured on the switch.
Use the detail option to display the detailed format.

MAC-Based VLANs
MAC-Based VLANs allow physical ports to be mapped to a VLAN based on the source MAC address learned in the FDB.
00:00:00:00:00:01 2 matching entries sales any
• The group “any” is equivalent to the group “0”. Ports that are configured as “any” allow any MAC address to be assigned to a VLAN, regardless of group association.
• Partial configurations of the MAC to VLAN database can be downloaded to the switch using the timed download configuration feature.
To display timed download information, use the following command:
show switch

Example
In relation to MAC-based VLANs, the downloaded file is an ASCII file that consists of CLI commands used to configure the most recent MAC-to-VLAN database. This feature is different from the normal download configuration command in that it allows incremental configuration without the automatic rebooting of the switch.
6 Forwarding Database (FDB)
This chapter describes the following topics:
• Overview of the FDB on page 99
• Associating QoS Profiles with an FDB Entry on page 101
• FDB Configuration Examples on page 102
• Displaying FDB Entries on page 103

Overview of the FDB
The switch maintains a database of all media access control (MAC) addresses received on all of its ports. It uses the information in this database to decide whether a frame should be forwarded or filtered.
• You can enter and update entries using the command line interface (CLI).
• Certain static entries are added by the system upon switch boot up.

FDB Entry Types
FDB entries may be dynamic or static, and may be permanent or non-permanent. The following describes the types of entries that can exist in the FDB:
• Dynamic entries—A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information.
Associating QoS Profiles with an FDB Entry Non-permanent static entries are created by the switch software for various reasons, typically upon switch boot up. They are identified by the “s” flag in show fdb output. If the FDB entry aging time is set to zero, all entries in the database are considered static, non-aging entries. This means that they do not age, but they are still deleted if the switch is reset.
learned, it is created as a permanent dynamic entry, designated by “dpm” in the flags field of the show fdb output.
Overriding 802.1p Priority
This example associates the QoS profile qp5 with the wildcard permanent FDB entry any-mac on VLAN v110:
create fdbentry any-mac vlan v110 dynamic ingress-qosprofile qp5

Configuring the FDB Aging Time
You can configure the aging time for dynamic FDB entries using the following command:
configure fdb agingtime
If the aging time is set to zero, all aging entries in the database are defined as static, nonaging entries.
7 Quality of Service (QoS)
This chapter covers the following topics:
• Overview of Policy-Based Quality of Service on page 106
• Applications and Types of QoS on page 106
• Configuring QoS on page 108
• QoS Profiles on page 108
• Traffic Groupings on page 109
— IP-Based Traffic Groupings on page 110
— MAC-Based Traffic Groupings on page 110
— Explicit Class of Service (802.
Overview of Policy-Based Quality of Service
Policy-based QoS allows you to protect bandwidth for important categories of applications or specifically limit the bandwidth associated with less critical traffic. For example, if voice-over-IP traffic requires a reserved amount of bandwidth to function properly, using policy-based QoS, you can reserve sufficient bandwidth critical to this type of application.
Applications and Types of QoS where there are speed differences (for example, going from Gigabit Ethernet to Fast Ethernet). Key QoS parameters for video applications include minimum bandwidth, priority, and possibly buffering (depending upon the behavior of the application). Critical Database Applications Database applications, such as those associated with ERP, typically do not demand significant bandwidth and are tolerant of delay.
Configuring QoS
To configure QoS, you define how your switch responds to different categories of traffic by creating and configuring QoS profiles. You then group traffic into categories (according to application, as previously discussed) and assign each category to a QoS profile. Configuring QoS is a three-step process:
1 Configure the QoS profile.
QoS profile—A class of service that is defined through prioritization settings.
Table 20: QoS Parameters (Continued)
Profile Name  Hardware Queue  Priority  Buffer  Minimum Bandwidth  Maximum Bandwidth
Qp2           Q1              Lowhi     0       0%                 100%
Qp3           Q2              Normal    0       0%                 100%
Qp4           Q3              Normalhi  0       0%                 100%
Qp5           Q4              Medium    0       0%                 100%
Qp6           Q5              Mediumhi  0       0%                 100%
Qp7           Q6              High      0       0%                 100%
Qp8           Q7              Highhi    0       0%                 100%

Traffic Groupings
A traffic grouping is a classification of traffic that has one or more attributes in common. Traffic is typically grouped based on the applications discussed starting on page 106.
IP-Based Traffic Groupings
IP-based traffic groupings are based on any combination of the following items:
• IP source or destination address
• TCP or UDP protocols
• TCP/UDP port information
IP-based traffic groupings are defined using access lists. Access lists are discussed in detail in “IP Access Lists (ACLs)” on page 138.
Dynamic MAC Addresses
Dynamic MAC addresses can be assigned a QoS profile whenever traffic is coming from or going to the MAC address. This is done using the following command:
create fdbentry [ | any-mac] vlan dynamic ingress-qosprofile {ingress-qosprofile }
For any port on which the specified MAC address is learned in the specified VLAN, the port is assigned the specified QoS profile.
Quality of Service (QoS) on an application-specific basis. Extreme switch products have the capability of observing and manipulating packet marking information with no performance penalty. The documented capabilities for 802.1p priority markings or DiffServ capabilities (if supported) are not impacted by the switching or routing configuration of the switch. For example, 802.
Table 22: 802.1p Priority Value-to-QoS Profile Default Mapping (Continued)
Priority Value  QoS Profile
6               Qp7
7               Qp8

Configuring 802.1p Priority For Slow Path Traffic
Some traffic can originate on the switch, for example Ping or Telnet packets. This traffic comes from the switch CPU and is referred to as slow path traffic. This traffic is internally tagged with an 802.1p priority of 7, by default, and egresses the VLAN through the highest queue.
Figure 17: IP packet header encapsulation (fields: Version, IHL, Type-of-service with the DiffServ code point in its first six bits, Total length, Identification, Flags, Fragment offset, Time-to-live, Protocol, Header checksum, Source address, Destination address, Options (+ padding), Data (variable); figure not reproduced)

Observing DiffServ Information
When a packet arrives at the switch on an ingress port, the switch examines the first six of eight TOS bits, called the code point.
Table 23: Default Code Point-to-QoS Profile Mapping (Continued)
Code Point  QoS Profile
8-15        Qp2
16-23       Qp3
24-31       Qp4
32-39       Qp5
40-47       Qp6
48-55       Qp7
56-63       Qp8
Once assigned, the rest of the switches in the network prioritize the packet using the characteristics specified by the QoS profile.

Replacing DiffServ Code Points
An access list can be used to change the DiffServ code point in the packet prior to the packet being transmitted by the switch.
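As an added example (not code from the guide or from ExtremeWare), the following Python shows how the default mappings of Tables 22 and 23 select a profile: it reads the 802.1p priority from an 802.1Q tag and the six code point bits from the TOS byte of a constructed frame, and generalizes the two tables to the rule priority p selects Qp(p+1) and code point block n (0-7, 8-15, ...) selects Qp(n+1). The frame contents, the MAC addresses and the replace_code_point helper are constructed here, not taken from the guide.

```python
"""Added example: default 802.1p priority and DiffServ code point to QoS profile
mapping, with the code point read from the TOS byte of an IPv4 header."""
import struct

# Default profiles Qp1 .. Qp8 (Table 20 of the guide).
QOS_PROFILES = ["Qp%d" % i for i in range(1, 9)]


def dot1p_to_qosprofile(priority):
    """Table 22 default mapping: 802.1p priority p (0-7) selects Qp(p+1)."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return QOS_PROFILES[priority]


def code_point_to_qosprofile(code_point):
    """Table 23 default mapping: blocks of eight code points, 0-7 -> Qp1 ... 56-63 -> Qp8."""
    if not 0 <= code_point <= 63:
        raise ValueError("code point must be 0-63")
    return QOS_PROFILES[code_point // 8]


def code_point_from_tos(tos):
    """The switch examines the first six of the eight TOS bits; the low two are ignored."""
    return (tos >> 2) & 0x3F


def replace_code_point(tos, new_code_point):
    """Rewrite the six code point bits of a TOS byte and keep the low two bits
    (what a permit access list does when it replaces the DiffServ code point)."""
    if not 0 <= new_code_point <= 63:
        raise ValueError("code point must be 0-63")
    return (new_code_point << 2) | (tos & 0x03)


def classify_frame(frame):
    """Return the 802.1p priority (None if untagged), the code point, and the
    default QoS profile each would select, from an Ethernet II / IPv4 frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, priority = 14, None
    if ethertype == 0x8100:                       # 802.1Q tag present
        (tci,) = struct.unpack("!H", frame[14:16])
        priority = tci >> 13                      # PCP: top three bits of the TCI
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    tos = frame[offset + 1]                       # second byte of the IPv4 header
    code_point = code_point_from_tos(tos)
    return {
        "dot1p": priority,
        "dot1p_profile": None if priority is None else dot1p_to_qosprofile(priority),
        "code_point": code_point,
        "dscp_profile": code_point_to_qosprofile(code_point),
    }


def build_frame(code_point, priority=None, vlan_id=10):
    """Construct a minimal Ethernet II / IPv4 frame (sample data, not a capture)."""
    dst = bytes.fromhex("000130000001")           # constructed MAC addresses
    src = bytes.fromhex("000130000002")
    tag = b""
    if priority is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        tag = struct.pack("!HH", 0x8100, tci)
    # Version/IHL, TOS, total length, id, flags/offset, TTL, protocol (ICMP),
    # checksum (left zero), source and destination addresses.
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, code_point << 2, 20, 0, 0, 64, 1, 0,
                            bytes([10, 10, 10, 100]), bytes([10, 10, 20, 100]))
    return dst + src + tag + struct.pack("!H", 0x0800) + ip_header


if __name__ == "__main__":
    print(classify_frame(build_frame(46, priority=5)))
```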
VLAN
A VLAN traffic grouping indicates that all intra-VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile. To configure a VLAN traffic grouping, use the following command:
configure vlan qosprofile
For example, all devices on VLAN servnet require use of the QoS profile qp4.
Modifying a QoS Configuration

NOTE The QoS monitor displays the statistics of incoming packets. The real-time display corresponds to the 802.1p values of the incoming packets. Any priority changes within the switch are not reflected in the display.

Displaying QoS Profile Information
The QoS monitor can also be used to verify the QoS configuration and monitor the use of the QoS policies that are in place.
8 Status Monitoring and Statistics
This chapter describes the following topics:
• Port Statistics on page 119
• Port Errors on page 120
• Port Monitoring Display Keys on page 121
• Setting the System Recovery Level on page 121
• Event Management System/Logging on page 122
• RMON on page 134

Viewing statistics on a regular basis allows you to see how well your network is performing.
• Received Packet Count (Rx Pkt Count)—The total number of good packets that have been received by the port.
• Received Byte Count (RX Byte Count)—The total number of bytes that were received by the port, including bad or lost frames. This number includes bytes contained in the Frame Check Sequence (FCS), but excludes bytes in the preamble.
• Received Broadcast (RX Bcast)—The total number of frames received by the port that are addressed to a broadcast address.
• Receive Jabber Frames (RX Jab)—The total number of frames received by the port that were longer than the supported maximum length and had a Cyclic Redundancy Check (CRC) error.
• Receive Alignment Errors (RX Align)—The total number of frames received by the port that have a CRC error and do not contain an integral number of octets.
Event Management System/Logging
Beginning in ExtremeWare 7.1.0, the system responsible for logging and debugging was updated and enhanced. We use the general term, event, for any type of occurrence on a switch which could generate a log message, or require an action. For example, a link going down, a user logging in, a command entered on the command line, or the software executing a debugging statement, are all events that might generate a log message.
Event Management System/Logging Once enabled, the target receives the messages it is configured for. See the section “Target Configuration” for information on viewing the current configuration of a target. The memory buffer can only contain the configured number of messages, so the oldest message is lost when a new message arrives, and the buffer is full.
Table 25: Severity Levels Assigned by the Switch [1]
Level     Description
Critical  A serious problem has been detected which is compromising the operation of the system, such that the system cannot function as expected unless the situation is remedied. The switch may need to be reset.
Error     A problem has been detected which is interfering with the normal operation of the system, such that the system is not functioning as expected.
Event Management System/Logging Components and Conditions Beginning with the introduction of EMS in release 7.1.0, the event conditions detected by ExtremeWare were organized into components and subcomponents. This is somewhat similar to the fault log subsystems used in previous versions. Not all conditions have been placed in the component/subcomponent structure of EMS, but all the conditions will be moved over time into this structure.
show log events stp.inbpdu.
Event Management System/Logging item, the incident is either included or excluded, depending on whether the exclude keyword was used. Subsequent filter items on the list are compared if necessary. If the list of filter items has been exhausted with no match, the event is excluded, and is blocked by the filter.
Status Monitoring and Statistics expression is only compared with the messages that have already passed the target’s filter. For more information on controlling the format of the messages, see the section, “Formatting Event Messages”. Simple Regular Expressions. A simple regular expression is a string of single characters including the dot character (.), which are optionally combined with quantifiers and constraints.
Use the and keyword to specify multiple parameter type/value pairs that must match those in the incident. For example, to allow only those events with specific source and destination MAC addresses, use the following command:
configure log filter myFilter add events bridge severity notice match source mac-address 00:01:30:23:C1:00 and destination mac-address 01:80:C2:00:00:02

Match Versus Strict-Match.
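As an added example, not from the guide or from ExtremeWare, the following Python models the filter evaluation described above (items compared in order, the first match includes or excludes, an exhausted list excludes) together with the match parameters of the myFilter command. The full severity list, the treatment of an item's severity as a threshold that also covers more severe events, and a component item covering its subcomponents are assumptions; the events fed through the filters are constructed.

```python
"""Added example: first-match evaluation of an EMS log filter."""
from dataclasses import dataclass, field

# Severity order, least to most severe. Table 25 of this guide shows only the top
# entries; the complete list is an assumption.
SEVERITIES = ["debug-data", "debug-verbose", "debug-summary", "info",
              "notice", "warning", "error", "critical"]


@dataclass
class Event:
    component: str                               # e.g. "bridge" or "stp.inbpdu"
    severity: str
    params: dict = field(default_factory=dict)   # parameter type -> value in the incident


@dataclass
class FilterItem:
    component: str
    severity: str        # threshold: this severity and anything more severe (assumption)
    exclude: bool = False
    match: dict = field(default_factory=dict)    # "match ... and ..." pairs

    def matches(self, event):
        # An item for a component also covers its subcomponents (assumption):
        # "stp" covers "stp.inbpdu".
        if not (event.component == self.component
                or event.component.startswith(self.component + ".")):
            return False
        if SEVERITIES.index(event.severity) < SEVERITIES.index(self.severity):
            return False
        # Every parameter type/value pair given with "match" must be present in the
        # incident with the same value.
        return all(event.params.get(key, "").lower() == value.lower()
                   for key, value in self.match.items())


def filter_passes(items, event):
    """Compare the filter items in order; the first match decides whether the event
    is included or excluded. If the list is exhausted with no match, the event is
    excluded (blocked by the filter)."""
    for item in items:
        if item.matches(event):
            return not item.exclude
    return False


# The myFilter command from the guide, as a filter with one item.
MY_FILTER = [FilterItem("bridge", "notice", match={
    "source mac-address": "00:01:30:23:C1:00",
    "destination mac-address": "01:80:C2:00:00:02",
})]

# Constructed second filter: drop everything from stp.inbpdu, pass the rest of stp at
# info and above. Order matters: the exclude item must come first.
STP_FILTER = [FilterItem("stp.inbpdu", "debug-data", exclude=True),
              FilterItem("stp", "info")]

if __name__ == "__main__":
    sample = Event("bridge", "warning", {"source mac-address": "00:01:30:23:c1:00",
                                          "destination mac-address": "01:80:c2:00:00:02"})
    print(filter_passes(MY_FILTER, sample))
```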
05/29/2003 12:16:36 The SNTP server parameter value (TheWrongServer.example.com) can not be resolved.
In order to provide some detailed information to technical support, you set the current session format using the following command:
configure log target session format date mmm-dd timestamp hundredths event-name condition source-line on process-name on
The same example would appear as:
May 29 12:17:20.11 SNTP: tSntpc: (sntpcLib.
Event Management System/Logging Uploading Events Logs The log stored in the memory buffer and the NVRAM can be uploaded to a TFTP server.
Trace Info                                                 0  0        0
Occurred  : # of times this event has occurred since last clear or reboot
Flags     : (+) Debug events are not counted while log debug-mode is disabled
In(cluded): # of enabled targets whose filter includes this event
Notified  : # of times this event has occurred when 'Included' was non-zero
Output of the command: show log counters stp.inbpdu.
enable log target [console-display | memory-buffer | nvram | session | syslog [ {:} [local0 ... local7]]]
disable log target [console-display | memory-buffer | nvram | session | syslog [ {:} [local0 ... local7]]]
Note that the existing command enable log display applies only to the serial port console. Since the ability to display log messages on other sessions was added, the target name session was chosen.
Status Monitoring and Statistics RMON Using the Remote Monitoring (RMON) capabilities of the switch allows network administrators to improve system efficiency and reduce the load on the network. The following sections explain more about the RMON concept and the RMON features supported by the switch. NOTE You can only use the RMON features of the system if you have an RMON management application, and have enabled RMON on the switch.
RMON History The History group provides historical views of network performance by taking periodic samples of the counters supplied by the Statistics group. The group features user-defined sample intervals and bucket counters for complete customization of trend analysis. The group is useful for analysis of traffic patterns and trends on a LAN segment or VLAN, and to establish baseline information indicating normal operating parameters.
Event Actions
The actions that you can define for each alarm are shown in Table 27.
Table 27: Event Actions
Action          High Threshold
No action
Notify only     Send trap to all trap receivers.
Notify and log  Send trap; place entry in RMON log.
To be notified of events using SNMP traps, you must configure one or more trap receivers, as described in Chapter 2.
9 Security
This chapter describes the following topics:
• Security Overview on page 137
• Network Access Security on page 137
— MAC-Based VLANs on page 138
— IP Access Lists (ACLs) on page 138
— Network Login on page 146
• Switch Protection on page 156
— Routing Access Profiles on page 156
— Denial of Service Protection on page 164
• Management Access Security on page 166
— Authenticating Users Using RADIUS or TACACS+ on page 166
— Secure Shell 2 (SSH2) on page 173

Security Overview
Extreme Networks prod
Security MAC-Based VLANs MAC-Based VLANs allow physical ports to be mapped to a VLAN based on the source MAC address learned in the FDB. This feature allows you to designate a set of ports that have their VLAN membership dynamically determined by the MAC address of the end station that plugs into the physical port. You can configure the source MAC address-to-VLAN mapping either offline or dynamically on the switch.
IP Access Lists (ACLs) to compare with the incoming packets, and an action to take for packets that match. When you create an access list, you must specify a value for each of the fields that make up the access mask used by the list.
Security matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify a value for each of the fields that make up the access mask used by the list.
IP Access Lists (ACLs) forwarded. A permit access list can also apply a QoS profile to the packet and modify the packet’s 802.1p value and the DiffServ code point. Access Mask Precedence Numbers The access mask precedence number determines the order in which each rule is examined by the switch and is optional. Access control list entries are evaluated from highest precedence to lowest precedence.
Security Maximum Entries If you try to create an access mask when no more are available, the system will issue a warning message. Three access masks are constantly used by the system, leaving a maximum of 13 user-definable access masks. However, enabling some features causes the system to use additional access masks, reducing the number available. For each of the following features that you enable, the system will use one access mask. When the feature is disabled, the mask will again be available.
Access Control List Examples
This section presents three access control list examples:
• Using the permit-established keyword
• Filtering ICMP packets
• Using a rate limit

Using the Permit-Established Keyword
This example uses an access list that permits TCP sessions (Telnet, FTP, and HTTP) to be established in one direction. The switch, shown in Figure 18, is configured as follows:
• Two VLANs, NET10 VLAN and NET20 VLAN, are defined.
Figure 19: Access control list denies all TCP and UDP traffic (NET10 VLAN, 10.10.10.1, with host 10.10.10.100; NET20 VLAN, 10.10.20.1, with host 10.10.20.100; figure not reproduced)
Step 2—Allow TCP traffic.
The next set of access list commands permits TCP-based traffic to flow. Because each session is bi-directional, an access list must be defined for each direction of the traffic flow. UDP traffic is still blocked.
Figure 21: Host A initiates a TCP session to host B (SYN from host A, SYN/ACK from host B, ACK from host A; figure not reproduced)
An access list that uses the permit-established keyword filters the SYN packet in one direction. Use the permit-established keyword to allow only host A to be able to establish a TCP session to host B and to prevent any TCP sessions from being initiated by host B, as illustrated in Figure 21.
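The following Python is an added example, not Extreme Networks' code, of how access list entries are evaluated from highest to lowest precedence and how a permit-established entry lets host B answer host A without initiating sessions of its own. The entry names, the rule that permit-established matches only TCP packets with ACK or RST set (so the bare SYN falls through to the deny entries), and forwarding by default when no entry matches are assumptions; the packets are constructed.

```python
"""Added example: precedence-ordered ACL evaluation with permit-established."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10                 # TCP flag bits


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp", "udp" or "icmp"
    dport: int = 0
    tcp_flags: int = 0


@dataclass
class AclEntry:
    name: str                                    # constructed names, not the guide's
    action: str                                  # "permit", "deny" or "permit-established"
    precedence: int
    src_net: Optional[str] = None                # unset fields are wildcards
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.action == "permit-established":
            # Only packets of an already established session qualify (ACK or RST set).
            # A bare SYN, i.e. a session being initiated, does not match this entry and
            # is left to the lower-precedence entries (assumed semantics of the keyword).
            if pkt.proto != "tcp" or not pkt.tcp_flags & (ACK | RST):
                return False
        return True


def evaluate(entries, pkt):
    """Examine entries from highest to lowest precedence; the first match decides.
    With no match the packet is forwarded (assumption; the guide's example installs
    explicit deny entries for TCP and UDP)."""
    for entry in sorted(entries, key=lambda e: e.precedence, reverse=True):
        if entry.matches(pkt):
            verdict = "permit" if entry.action == "permit-established" else entry.action
            return verdict, entry.name
    return "permit", None


# The scenario of Figures 18 to 21: NET10 and NET20 VLANs, host A 10.10.10.100,
# host B 10.10.20.100. Deny entries at precedence 10, exceptions at precedence 20.
NET10, NET20 = "10.10.10.0/24", "10.10.20.0/24"
ACL = [
    AclEntry("denytcp10to20", "deny", 10, NET10, NET20, "tcp"),
    AclEntry("denytcp20to10", "deny", 10, NET20, NET10, "tcp"),
    AclEntry("denyudp10to20", "deny", 10, NET10, NET20, "udp"),
    AclEntry("denyudp20to10", "deny", 10, NET20, NET10, "udp"),
    # Host A may open sessions to host B; host B may only answer within them.
    AclEntry("a_to_b", "permit", 20, "10.10.10.100/32", "10.10.20.100/32", "tcp"),
    AclEntry("b_to_a_established", "permit-established", 20,
             "10.10.20.100/32", "10.10.10.100/32", "tcp"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.10.10.100", "10.10.20.100", "tcp", 23, SYN),
                Packet("10.10.20.100", "10.10.10.100", "tcp", 0, SYN | ACK),
                Packet("10.10.20.100", "10.10.10.100", "tcp", 23, SYN)):
        print(pkt, "->", evaluate(ACL, pkt))
```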
Figure 23: ICMP packets are filtered out (NET10 VLAN, 10.10.10.1, with host 10.10.10.100; NET20 VLAN, 10.10.20.1, with host 10.10.20.100; figure not reproduced)

Example 3: Rate-limiting Packets
This example creates a rate limit to limit the incoming traffic from the 10.10.10.x subnet to 10 Mbps on ingress port 2. Ingress traffic on port 2 below the rate limit is sent to QoS profile qp1 with its DiffServ code point set to 7. Ingress traffic on port 2 in excess of the rate limit will be dropped.
Network Login Authentication Types Authentication is handled either as a web-based process or as described in the IEEE 802.1x specification. The initial release of Network Login by Extreme Networks supported only web-based authentication, but later releases have supported both types of authentication. Although somewhat similar in design and purpose, web-based and 802.1x authentication of Network Login can be considered complementary, with Extreme Networks offering a smooth transition from web-based to 802.
Security Co-existence of Web-Based and 802.1x Authentication ExtremeWare supports both web-based and 802.1x authentication. Authenticating with 802.1x does not require any additional commands besides those used for web-based mode. When a port is configured for Network Login, the port is put in unauthenticated state. It is ready to perform either type of authentication. Whether to perform web-based or 802.1x is dependent on the type of packets being received from the client.
Authentication Methods
The authentication methods supported are a matter between the supplicant and the authentication server. The most commonly used methods are:
• MD5-Challenge.
• Transport Layer Security (TLS), which uses Public Key Infrastructure (PKI) and strong mutual authentication.
• Tunneled TLS (TTLS), which is a Funk/Certicom proposal.
TLS represents the most secure protocol among these methods. TTLS is advertised to be as strong as TLS.
Add the following line to the RADIUS server dictionary file for netlogin-only enabled users:
Extreme:Extreme-Netlogin-Only = Enabled

Netlogin-Only Disabled
A netlogin-only disabled user can log in using Network Login and can also access the switch using Telnet, SSH, or HTTP.
Table 28: VSA definitions for web-based network login
VSA                        Attribute Value  Type    Sent-in        Description
Extreme-Netlogin-Vlan      203              String  Access-Accept  Name of destination VLAN (must already exist on switch) after successful authentication.
Extreme-Netlogin-Url       204              String  Access-Accept  Destination web page after successful authentication.
Extreme-Netlogin-Url-Desc  205              String  Access-Accept  Text description of network login URL attribute.
• Once the first MAC is authenticated, the port is transitioned to the authenticated state and other unauthenticated MACs can listen to all data destined for the first MAC. This could raise some security concerns as unauthenticated MACs can listen to all broadcast and multicast traffic directed to a Network Login-authenticated port.
Note that the 192.168 IP address range can be used on all switches because the user is on the VLAN only long enough to log in to the network. After the login is complete, the user is switched to a permanent VLAN with a real IP address delivered from a real DHCP server. The following example demonstrates the second network login configuration step for a Summit 48si edge switch, in which the guest VLAN is created:
create vlan guest
configure guest ipa 45.100.1.
NOTE An explicit release/renew is required to bring the network login client machine into the same subnet as the connected VLAN. In Campus Mode using web-based authentication, this requirement is mandatory after every logout and before logging in again, as the port moves back and forth between the temporary and permanent VLANs. On the other hand, in ISP Mode a release/renew of the IP address is not required, as the network login client machine stays in the same subnet as the network login VLAN.
Network Login DHCP Server on the Switch A DHCP server with limited configuration capabilities is included in the switch to provide IP addresses to clients. The DHCP server is not supported as a standalone feature. It is used only as part of the Network Login feature. DHCP is enabled on a per port, per VLAN basis.
Where is the DNS name of the switch. For example,
configure netlogin base-url network-access.net
makes the switch send DNS responses back to the netlogin clients when a DNS query is made for network-access.net. To configure the network login redirect page, use the following command:
configure netlogin redirect-page
Where defines the redirection information for the users once logged in.
Using Routing Access Profiles
To use routing access profiles, you must perform the following steps:
1 Create an access profile.
2 Configure the access profile to be of type permit, deny, or none.
3 Add entries to the access profile. Entries can be one of the following types:
— IP addresses and subnet masks
— VLAN
4 Apply the access profile.

Creating an Access Profile
The first thing to do when using routing access profiles is to create an access profile.
Adding an Access Profile Entry
Next, configure the access profile, using the following command:
configure access-profile add {} {permit | deny} [ipaddress {exact} | as-path | bgp-community [internet | no-export | no-advertise | no-export-subconfed | | number ] | ipxnet | ipxsap | vlan]
The following sections describe the configure access-profile add command.
Table 30: Regular Expression Notation (Continued)
Deleting an Access Profile Entry

To delete an access profile entry, use the following command:

configure access-profile delete

Applying Access Profiles

Once the access profile is defined, apply it to one or more routing protocols or VLANs. When an access profile is applied to a protocol function (for example, the export of RIP routes) or a VLAN, this forms an access policy.
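The four steps above decide which routes a switch will accept from or advertise to its neighbours, so it is worth checking a profile against real prefixes before it is applied to RIP or OSPF. The following is an added example, not ExtremeWare code: a small model of access-profile matching that takes the permit/deny/none mode and ipaddress entries (with or without exact) and returns the routes that would survive the policy. Its assumptions are labelled in the code: an entry without exact matches any route contained in the entry's prefix, an entry with exact matches only an identical prefix and mask, and a profile of type none denies a route that matches no entry.

```python
"""Added example: a model of routing access-profile matching (not ExtremeWare code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass
class Entry:
    prefix: IPv4Network
    exact: bool = False
    action: Optional[str] = None  # per-entry "permit"/"deny"; consulted only in mode "none"

    def matches(self, route: IPv4Network) -> bool:
        # Assumption: without "exact" any route inside the entry's prefix matches;
        # with "exact" the prefix and mask must be identical.
        if self.exact:
            return route == self.prefix
        return route.subnet_of(self.prefix)


@dataclass
class AccessProfile:
    name: str
    mode: str  # "permit", "deny" or "none"
    entries: List[Entry] = field(default_factory=list)

    def add(self, cidr: str, exact: bool = False, action: Optional[str] = None) -> "AccessProfile":
        if self.mode == "none" and action not in ("permit", "deny"):
            raise ValueError("mode none requires a per-entry permit/deny")
        self.entries.append(Entry(IPv4Network(cidr), exact, action))
        return self

    def allows(self, cidr: str) -> bool:
        """Verdict for one route; the first matching entry decides."""
        route = IPv4Network(cidr)
        for entry in self.entries:
            if entry.matches(route):
                if self.mode == "permit":
                    return True
                if self.mode == "deny":
                    return False
                return entry.action == "permit"
        # No entry matched: a permit profile denies, a deny profile permits,
        # and (assumption) a none profile denies.
        return self.mode == "deny"


def filter_routes(profile: AccessProfile, routes: List[str]) -> List[str]:
    """Routes that would survive an import/export policy built from this profile."""
    return [r for r in routes if profile.allows(r)]


if __name__ == "__main__":
    # Constructed input using the 10.x addressing of the RIP/OSPF figures: the
    # "Internet" switch should only accept the engineering and sales networks.
    okinternet = (AccessProfile("okinternet", "permit")
                  .add("10.1.1.0/24")
                  .add("10.2.0.0/16", exact=True))
    candidates = ["10.1.1.0/24", "10.1.1.128/25", "10.2.0.0/16", "10.2.1.0/24", "192.168.1.0/24"]
    print(filter_routes(okinternet, candidates))
```

Note that a more specific route (10.2.1.0/24) is rejected by an exact entry for 10.2.0.0/16 even though it lies inside that block; if you want the whole block and everything under it, leave exact off.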
Figure 24: RIP access policy example (Internet, Engsvrs and Sales switches on the RIP backbone at 10.0.0.10/24, 10.0.0.11/24 and 10.0.0.12/24; the switch labeled Internet is the one being configured; Engsvrs VLAN 10.1.1.1/24; Sales VLAN 10.2.1.
Security • Inter-area Filter—For switches configured to support multiple OSPF areas (an ABR function), an access profile can be applied to an OSPF area that filters a set of OSPF inter-area routes from being sourced from any other areas.
Figure 25: OSPF access policy example (Internet, Engsvrs and Sales switches on the OSPF backbone, area 0.0.0.0, at 10.0.0.10/24, 10.0.0.11/24 and 10.0.0.12/24; the switch labeled Internet is the one being configured; Engsvrs VLAN 10.1.1.1/24 in area 0.0.0.1; Sales VLAN 10.2.1.1/24 in area 0.0.0.2)

To configure the switch labeled Internet, the commands would be as follows:

create access-profile okinternet ipaddress
configure access-profile okinternet mode permit
configure access-profile okinternet add 192.1.1.
Denial of Service Protection

A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed and rendered inoperative, so that legitimate requests for service cannot succeed. In its simplest form, a Denial of Service attack is indistinguishable from normal heavy traffic. The Summit 400 switch is not vulnerable to this simple attack in its forwarding path, because it is designed to process packets in hardware at wire speed. The resource a flood can still exhaust is the switch CPU: packets that miss the layer 3 forwarding table, carry layer 3 errors, are broadcast or unknown IP multicast, or trigger address learning are handled in software, and it is this CPU-bound traffic that the CPU DoS protection feature measures and rate-limits.
For example, to review the DoS traffic for port 1, issue this command:

sh cpu-dos-protect ports 1

The output from this command follows:

* ex160:22 # sh cpu-dos-protect ports 1
Cpu dos protect: enabled
Port  L3Miss  L3Err  Bcast  IpUnkMcast  Learn  Curr Int  Cfg Thr  Cfg Int  Pass
1     150     150    150    150         150    1         150      1        3
Trusted ports: none

The output of this show command displays the following information, which can help yo
Security flood of response packets is not mistaken as the attack.
configure radius [primary | secondary] server [ | ] {} client-ip []

To configure the timeout if a server fails to respond, use the following command:

configure radius timeout

Configuring the Shared Secret Password

In addition to specifying the RADIUS server IP information, RADIUS uses a shared secret, configured on both the switch and the server, to verify that the two are genuinely talking to each other: the secret hides the user password in the request and authenticates the server's reply.
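The shared secret is the only thing standing between the switch and a host that can spoof the RADIUS server's address, so it helps to see exactly what it does on the wire. The following is an added example written for this guide, not the switch's or any RADIUS server's code: it builds an Access-Request the way a network access server does (RFC 2865), hides the User-Password with the secret, and shows how the server's reply carries a Response Authenticator that the client checks with the same secret, with a Service-Type of Administrative-User (value 6) in the Access-Accept as the Cistron section later in this chapter describes. The user name, password, secret and NAS address are constructed sample data; MD5 is what RFC 2865 mandates for this protocol, not a recommendation.

```python
"""Added example: RFC 2865 password hiding and response authentication (illustrative, not the switch's code)."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ADMINISTRATIVE_USER = 6  # Service-Type value behind a Cistron "Administrative-User" entry


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, chain_on_input: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = block if chain_on_input else xored
    return out


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    raw = password.encode()
    padded = raw + b"\x00" * (-len(raw) % 16)
    return _xor_chain(padded, secret, authenticator, chain_on_input=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, chain_on_input=True).rstrip(b"\x00")


def parse(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, i = packet[4:20], {}, 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2:
            raise ValueError("bad attribute length")
        attrs[t] = packet[i + 2:i + l]
        i += l
    return code, ident, authenticator, attrs


def build_access_request(ident: int, user: str, password: str, secret: bytes, nas_ip: str) -> bytes:
    request_auth = os.urandom(16)  # fresh per request; it keys the password hiding
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: users maps name -> (password, is_admin)."""
    _, ident, request_auth, attrs = parse(request)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected, is_admin = users.get(name, (None, False))
    ok = expected is not None and hmac.compare_digest(given, expected.encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)) if ok and is_admin else b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply forged or relayed by someone without the secret fails here."""
    _, ident, response_auth, _ = parse(response)
    _, req_ident, request_auth, _ = parse(request)
    if ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    users = {"gerald": ("Pr0f1le2!", True)}  # constructed sample account
    req = build_access_request(7, "gerald", "Pr0f1le2!", b"s3cret", "10.0.0.1")
    resp = server_reply(req, b"s3cret", users)
    print("accepted:", parse(resp)[0] == ACCESS_ACCEPT, "verified:", verify_response(resp, req, b"s3cret"))
```

Two properties matter operationally: a server configured with the wrong secret cannot recover the password and so rejects the login, and a reply whose Response Authenticator was computed with the wrong secret is discarded by the client, which is why a mismatched secret shows up as every authentication failing rather than as a clear error.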
To enable RADIUS accounting, use the following command:

enable radius-accounting

To disable RADIUS accounting, use the following command:

disable radius-accounting

Per-Command Authentication Using RADIUS

The RADIUS implementation can be used to perform per-command authentication. Per-command authentication allows you to define several levels of user capabilities by controlling the permitted command sets based on the RADIUS username and password.
Authenticating Users Using RADIUS or TACACS+ When you configure the Cistron server for use with Extreme switches, you must pay close attention to the users file setup. The Cistron RADIUS dictionary associates the word Administrative-User with Service-Type value 6, and expects the Service-Type entry to appear alone on one line with a leading tab character.
Security After modifying the ‘vendor.ini’ file, the desired user accounts must be configured for the Max-Concurrent connections. Using the SBR Administrator application, enable the check box for ‘Max-Concurrent connections’ and fill in the desired number of maximum sessions. Extreme RADIUS Extreme Networks provides its users, free of charge, a radius server based on Merit RADIUS. Extreme RADIUS provides per-command authentication capabilities in addition to the standard set of radius features.
Authenticating Users Using RADIUS or TACACS+ 10.203.1.42 10.0.52.
Security In PROFILE2, a user associated with this profile can use any enable command, the clear counters command and the show management command, but can perform no other functions on the switch. We also know from the users file that gerald has these capabilities.
attempting to administer the switch. TACACS+ is used to communicate between the switch and an authentication database. NOTE You cannot use RADIUS and TACACS+ at the same time. You can configure two TACACS+ servers, specifying the primary server address, secondary server address, and TCP port number to be used for TACACS+ sessions (TACACS+ runs over TCP, port 49 by default, not UDP).
• Generating or specifying an authentication key for the SSH2 session.

To enable SSH2, use the following command:

enable ssh2 {access-profile [ | none]} {port }

You can specify a list of predefined clients that are allowed SSH2 access to the switch. To do this, you must create an access profile that contains a list of allowed IP addresses. You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22.
The user must have administrator-level access to the switch. The switch can be specified by its switch name or IP address. Configuration or image files stored on the system running the SSH2 client may be named as desired by the user. However, files on the switch have predefined names, as follows:
• configuration.cfg—The current configuration
• incremental.cfg—The current incremental configuration
• primary.img—The primary ExtremeWare image
• secondary.
10 Ethernet Automatic Protection Switching This chapter describes the use of the Ethernet Automatic Protection Switching (EAPS™) protocol, and includes information on the following topics: • Overview of the EAPS Protocol on page 177 • Fault Detection and Recovery on page 180 • Configuring EAPS on a Switch on page 182 Overview of the EAPS Protocol The EAPS protocol provides fast protection switching to layer 2 switches interconnected in an Ethernet ring topology, such as a Metropolitan Area Network (MAN) o
Figure 26: Gigabit Ethernet fiber EAPS MAN ring (one master node and four transit nodes on a Gigabit Ethernet fiber ring)

One port of the master node is designated the master node’s primary port (P) to the ring; another port is designated as the master node’s secondary port (S) to the ring.
Figure 27: EAPS operation (master node with primary port P and secondary port S, transit nodes S1 through S6; the health-check message travels round the ring and the secondary port is logically blocked)

If the ring is complete, the master node logically blocks all data traffic in the transmit and receive directions on the secondary port to prevent a loop. If the master node detects a break in the ring, it unblocks its secondary port and allows data traffic to be transmitted and received through it.
Ethernet Automatic Protection Switching Table 31: EAPS Terms (Continued) Term Description protected VLAN A VLAN that carries data traffic through an EAPS domain. You must configure one or more protected VLANs for each EAPS domain. (Also known as data VLAN) Fault Detection and Recovery EAPS fault detection on a ring is based on a single control VLAN per EAPS domain. This EAPS domain provides protection to one or more data-carrying VLANs called protected VLANs.
Fault Detection and Recovery • Polling response Link Down Message Sent by a Transit Node When any transit node detects a loss of link connectivity on any of its ring ports, it immediately sends a “link down” message on the control VLAN using its good link to the master node. When the master node receives the “link down” message (see Figure 28), it immediately declares a “failed” state and opens its logically blocked secondary port on all the protected VLANs.
Ethernet Automatic Protection Switching During the time between when the transit node detects that the link is operable again and when the master node detects that the ring is complete, the secondary port on the master node is still open and data could start traversing the transit node port that just came up.
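The window just described, between a transit node's ring port coming back up and the master learning that the ring is complete, is the one moment a ring could loop, because the master's secondary port is still open. The following is an added example, not ExtremeWare's implementation: a small state machine that models the behaviour in this chapter (secondary port blocked while the ring is complete, opened on "link down", re-blocked once the health-check returns) together with the recovery rule from the EAPS specification (RFC 3619), under which the transit node keeps the recovered port temporarily blocked for protected VLANs until the master declares the ring up. The four-node ring and the event sequence are constructed; running the same scenario with hold_recovered_port=False shows the loop that would exist without that hold.

```python
"""Added example: EAPS ring state machine (illustrative, not ExtremeWare's code)."""
UP, DOWN = "up", "down"
FWD, BLK, PRE = "forwarding", "blocked", "pre-forwarding"


class Ring:
    def __init__(self, nodes: int, hold_recovered_port: bool = True):
        self.n = nodes
        self.hold = hold_recovered_port
        self.master = 0
        # Link i joins node i and node (i + 1) % n. The master's primary port is
        # on link 0 and its secondary port on link n - 1 (constructed layout).
        self.links = [UP] * nodes
        self.ports = {}  # (node, link) -> data-plane state for the protected VLANs
        for i in range(nodes):
            self.ports[(i, i)] = FWD
            self.ports[((i + 1) % nodes, i)] = FWD
        self.secondary = (self.master, nodes - 1)
        self.ports[self.secondary] = BLK  # complete ring: secondary logically blocked
        self.state = "complete"

    def has_loop(self) -> bool:
        """True when protected-VLAN traffic could circulate all the way round."""
        return all(self.links[i] == UP
                   and self.ports[(i, i)] == FWD
                   and self.ports[((i + 1) % self.n, i)] == FWD
                   for i in range(self.n))

    def link_down(self, i: int) -> None:
        self.links[i] = DOWN
        # The adjacent transit node sends "link down" on its good port; the
        # master declares a failed state and opens its secondary port.
        self.state = "failed"
        self.ports[self.secondary] = FWD

    def link_up(self, i: int) -> None:
        self.links[i] = UP
        if self.hold:
            for node in (i, (i + 1) % self.n):
                if node != self.master:
                    # RFC 3619 rule: recovered port stays blocked for data until
                    # the master reports the ring complete.
                    self.ports[(node, i)] = PRE
        # Without the hold the recovered port forwards at once while the
        # master's secondary port is still open: that is the loop window.

    def health_check(self) -> None:
        """The master's health-check returns on its secondary port only if every link is up."""
        if all(link == UP for link in self.links):
            self.state = "complete"
            self.ports[self.secondary] = BLK
            for key, state in self.ports.items():
                if state == PRE:
                    self.ports[key] = FWD  # transit nodes unblock on the master's ring-up


def run_scenario(hold_recovered_port: bool):
    """Fail link 1, restore it, then let the master's health-check complete."""
    ring = Ring(4, hold_recovered_port)
    trace = [("start", ring.has_loop())]
    ring.link_down(1)
    trace.append(("link_down", ring.has_loop()))
    ring.link_up(1)
    trace.append(("link_up", ring.has_loop()))
    ring.health_check()
    trace.append(("health_check", ring.has_loop()))
    return trace


if __name__ == "__main__":
    for hold in (True, False):
        print("hold recovered port:", hold, run_scenario(hold))
```

The same reasoning is why the control VLAN rules later in this chapter matter: the health-check and link-down messages are the only signal the master has, so anything that delays or diverts them on the control VLAN lengthens the window modelled here.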
Defining the EAPS Mode of the Switch

To configure the EAPS node type of the switch, use the following command:

configure eaps mode [master | transit]

One node on the ring must be configured as the master node for the specified domain; all other nodes on the ring are configured as transit nodes for the same domain. The following command example identifies this switch as the master node for the EAPS domain named eaps_1.
Ethernet Automatic Protection Switching the secondary port blocking, and writes a critical error message to syslog warning the user that there is a fault in the ring. An SNMP trap is also sent. To use the failtimer expiry action of earlier releases, use the open-secondary-port parameter. NOTE Increasing the failtime value provides more protection by waiting longer to receive a health-check packet when the network is congested.
Configuring EAPS on a Switch NOTE The control VLAN must NOT be configured with an IP address. In addition, only ring ports may be added to this control VLAN. No other ports can be members of this VLAN. Failure to observe these restrictions can result in a loop in the network. NOTE When you configure the VLAN that will act as the control VLAN, that VLAN must be assigned a QoS profile of Qp8, and the ring ports of the control VLAN must be tagged.
Ethernet Automatic Protection Switching NOTE The configuration of the Superbridge, SubBridge, and IP range control VLANs cannot be modified.
Configuring EAPS on a Switch To display more detailed EAPS status information, use the following command: show eaps {} {detail} If you enter the show eaps command without an argument or keyword, the command displays a summary of status information for all configured EAPS domains. You can use the detail keyword to display more detailed status information. NOTE The output displayed by this command depends on whether the node is a transit node or a master node.
Ethernet Automatic Protection Switching Table 32: show eaps Display Fields (Continued) Field Description State: On a transit node, the command displays one of the following states: • Idle—The EAPS domain has been enabled, but the configuration is not complete. • Links-Up—This EAPS domain is running, and both its ports are up and in the FORWARDING state. • Links-Down—This EAPS domain is running, but one or both of its ports are down.
Configuring EAPS on a Switch Table 32: show eaps Display Fields (Continued) Field Description Fail Timer interval: The configured value of the timer in seconds, specifying the time that the master node waits before the failtimer expires. Failtimer expiry action: Displays the action taken when the failtimer expires: • Send-alert—Sends a critical message to the syslog when the failtimer expires. • Open-secondary-port—Opens the secondary port when the failtimer expires.
11 Spanning Tree Protocol (STP) This chapter covers the following topics: • Overview of the Spanning Tree Protocol on page 191 • Spanning Tree Domains on page 192 • STP Configurations on page 194 • Per-VLAN Spanning Tree on page 197 • Rapid Spanning Tree Protocol on page 198 • STP Rules and Restrictions on page 209 • Configuring STP on the Switch on page 209 • Displaying STP Settings on page 212 Using the Spanning Tree Protocol (STP) functionality of the switch makes your network more fault tolerant.
Spanning Tree Protocol (STP) Spanning Tree Domains The switch can be partitioned into multiple virtual bridges. Each virtual bridge can run an independent Spanning Tree instance. Each Spanning Tree instance is called a Spanning Tree Domain (STPD). Each STPD has its own root bridge and active path. After an STPD is created, one or more VLANs can be assigned to it. NOTE A VLAN can span multiple STPDs.
Spanning Tree Domains Port Modes An STP port has two modes of operation: • 802.1d mode This mode is used for backward compatibility with previous STP versions and for compatibility with third-party switches using IEEE standard 802.1d. BPDUs are sent untagged in 1D mode. Because of this, on any given physical interface there can be only one STPD running in 1D mode. • PVST+ mode This mode implements PVST+ in compatibility with third-party switches running this version of STP.
Spanning Tree Protocol (STP) To display the configuration, use the following command: show stpd { | detail} STP Configurations When you assign VLANs to an STPD, pay careful attention to the STP configuration and its effect on the forwarding of VLAN traffic. This section describes two types of STP configurations: • Basic STP • A VLAN that spans multiple STPDs Basic STP Configuration This section describes a basic, 802.1D STP configuration.
Figure 29: Multiple Spanning Tree Domains (switches A, B, Y, Z and M; STPD 1 carries Sales, Personnel and Marketing, STPD 2 carries Manufacturing, Engineering and Marketing)

When the switches in this configuration start up, STP configures each STPD such that there are no active loops in the topology. STP could configure the topology in a number of ways to make it loop-free.
Figure 30: Tag-based STP configuration (switch 1: Marketing and Sales; switch 2: Sales and Engineering; switch 3: Marketing, Sales and Engineering)

The tag-based network in Figure 30 has the following configuration:
• Switch 1 contains VLAN Marketing and VLAN Sales.
• Switch 2 contains VLAN Engineering and VLAN Sales.
• Switch 3 contains VLAN Marketing, VLAN Engineering, and VLAN Sales.
Per-VLAN Spanning Tree Alternatively, the same VLAN may span multiple large geographical areas (because they belong to the same enterprise) and may traverse a great many nodes. In this case, it is desirable to have multiple STP domains operating in a single VLAN, one for each looped area. The justifications include the following: • The complexity of the STP algorithm increases, and performance drops, with the size and complexity of the network. The 802.
Spanning Tree Protocol (STP) NOTE In this document, PVST and PVST+ are used interchangeably. PVST+ is an enhanced version of PVST that is interoperable with 802.1Q STP. The following discussions are in regard to PVST+, if not specifically mentioned. STPD VLAN Mapping Each VLAN participating in PVST+ must be in a separate STPD and the VLAN number must be the same as the STPD identifier (StpdID).As a result, PVST+ VLANs can not be partitioned.
Rapid Spanning Tree Protocol RSTP Terms Table 33 describes the terms associated with RSTP. Table 33: RSTP Terms Term Description root port Provides the shortest path to the root bridge. All bridges except the root bridge, contain one root port. For more information about the root port, see “Port Roles” on page 199. designated port Provides the shortest path connection to the root bridge for the attached LAN segment. There is only one designated port on each LAN segment.
Spanning Tree Protocol (STP) RSTP assigns one of four port roles to bridge ports in the network, as described in Table 34. Table 34: RSTP port roles Port Role Description Root Provides the shortest path to the root bridge. There is only one root port per bridge; the root bridge does not have a root port. If a bridge has two or more ports with the same path cost, the port with the best port identifier becomes the root port.
Rapid Spanning Tree Protocol Configuring Link Types. By default, all ports are broadcast links. To configure the ports in an STPD, use the following command: configure stpd ports link-type [auto | edge | broadcast | point-to-point] • auto—Configures the ports as auto links. If the link is in full duplex mode, or if link aggregation is enabled on the port, an auto link behaves like a point-to-point link. • edge—Configures the ports as edge ports.
Spanning Tree Protocol (STP) Table 37: Derived timers (Continued) Timer Description Hold A port uses the hold timer to restrict the rate that successive BPDUs can be sent. The default value is the same as the value for the bridge hello timer. Recent backup The timer starts when a port leaves the backup role. When this timer is running, the port cannot become a root port. The default value is double the hello time (4 seconds). Recent root The timer starts when a port leaves the root port role.
Rapid Spanning Tree Protocol • Is a designated port and attaches to another bridge by a point-to-point link and receives an “agree” message from the other bridge port. • Is an edge port. An edge port is a port connected to a non-STP device and is in the forwarding state. The preceding sections provide more information about RSTP behavior.
Spanning Tree Protocol (STP) To prevent this type of loop from occurring, the recent root timer starts when the port leaves the root port role. The timer stops if the port enters the blocking state. RSTP requires that the recent root timer stops on the previous root port before the new root port can enter the forwarding state. Designated Port Rapid Behavior When a port becomes a new designated port, or the STP priority changes on an existing designated port, the port becomes an unsynced designated port.
Suppose we have a network, as shown in Figure 33, with six bridges (bridge A through bridge F) where the following is true:
• Bridge A is the root bridge
• Bridge D contains an alternate port in the blocking state
• All other ports in the network are in the forwarding state

Figure 33: Initial network configuration (bridges A through F with path costs A,0 through A,3; designated, root and blocked ports marked)

The preceding steps describe how the network reconverges.
Spanning Tree Protocol (STP) 2 Bridge E believes that bridge A is the root bridge. When bridge E receives the BPDU on its root port from bridge F, bridge E: • Determines that it received an inferior BPDU.
Rapid Spanning Tree Protocol 4 Bridge D believes that bridge A is the root bridge.
6 To complete the topology change, the following occurs:
• Bridge D moves the port that received the agree message into the forwarding state
• Bridge F confirms that its receiving port (the port that received the “propose” message) is the root port, and immediately replies with an “agree” message to bridge E to unblock the proposing port

Figure 39: Completing the topology change (bridges A through F with path costs A,0 through A,5; root and designated ports marked)

Figure 40 displ
STP Rules and Restrictions STP Rules and Restrictions This section summarizes the rules and restrictions for configuring STP. • The StpdID must be the VLANid of one of its member VLANs, and that VLAN can not be partitioned. • A default VLAN can not be partitioned. If a VLAN traverses multiple STP domains, the VLAN must be tagged. • An STPD can carry, at most, one VLAN running in PVST+ mode, and its StpdID must be identical with that VLANid. In addition, the PVST+ VLAN can not be partitioned.
Spanning Tree Protocol (STP) • Bridge priority • StpdID The following parameters can be configured on each port: • Path cost • Port priority • Port mode NOTE The device supports the RFC 1493 Bridge MIB. Parameters of only the s0 default STPD are accessible through this MIB. NOTE If an STPD contains at least one port not in dot1D mode, the STPD must be configured with an StpdID. STP Configuration Examples This section provides three configuration examples: • Basic 802.1d STP • RSTP 802.1w Basic 802.
Figure 41: RSTP example (switches A, B, Y, Z and M; STPD 1 carries Sales, Personnel and Marketing, STPD 2 carries Manufacturing, Engineering and Marketing)

In this example, the commands configure switch A in STPD1 for rapid reconvergence. Use the same commands to configure each switch and STPD in the network.
Spanning Tree Protocol (STP) Displaying STP Settings To display STP settings, use the following command: show stpd { | detail} This command displays the following information: • STPD name • STPD state • STPD mode of operation • Rapid Root Failover • Tag • Ports • Active VLANs • Bridge Priority • Bridge ID • Designated root • STPD configuration information To display the STP state of a port, use the following command: show stpd ports {detail} This comman
• STPD port state (forwarding, blocking, and so on)
• Configured port link type
• Operational port link type
12 IP Unicast Routing This chapter describes the following topics: • Overview of IP Unicast Routing on page 215 • Proxy ARP on page 218 • Relative Route Priorities on page 219 • Configuring IP Unicast Routing on page 220 • Routing Configuration Example on page 221 • Configuring DHCP/BOOTP Relay on page 223 • UDP-Forwarding on page 225 This chapter assumes that you are already familiar with IP unicast routing.
IP Unicast Routing Router Interfaces The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a VLAN that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs. Both the VLAN switching and IP routing function occur within the switch. NOTE Each IP address and mask assigned to a VLAN must represent a unique IP subnet.
Overview of IP Unicast Routing Populating the Routing Table The switch maintains an IP routing table for both network routes and host routes.
IP Unicast Routing • Static routes • Directly attached network interfaces that are not active. NOTE If you define multiple default routes, the route that has the lowest metric is used. If multiple default routes have the same lowest metric, the system picks one of the routes. You can also configure blackhole routes—traffic to these destinations is silently dropped. IP Route Sharing IP route sharing allows multiple equal-cost routes to be used concurrently.
Relative Route Priorities router redundancy and simplify IP client configuration. The switch supports proxy ARP for this type of network configuration. The section describes some example of how to use proxy ARP with the switch.
Table 38: Relative Route Priorities

Route Origin   Priority
Direct         10
BlackHole      50
Static         1100
ICMP           1200
OSPFIntra      2200
OSPFInter      2300
RIP            2400
OSPFExtern1    3200
OSPFExtern2    3300
BOOTP          5000

To change the relative route priority, use the following command:

configure iproute priority [rip | bootp | icmp | static | ospf-intra | ospf-inter | ospf-as-external | ospf-extern1 | ospf-extern2]

Configuring IP Unicast Routing

This section describes the commands associ
Routing Configuration Example Verifying the IP Unicast Routing Configuration Use the show iproute command to display the current configuration of IP unicast routing for the switch, and for each VLAN. The show iproute command displays the currently configured routes, and includes how each route was learned. Additional verification commands include: • show iparp—Displays the IP ARP table of the system.
create vlan Personnel
config Finance add port 5,6
config Personnel add port 21,22
config Finance ipaddress 192.207.35.1
config Personnel ipaddress 192.207.36.1
config rip add vlan Finance
config rip add vlan Personnel
enable ipforwarding
enable rip

ICMP Packet Processing

As ICMP packets are routed or generated, you can take various actions to control distribution.
disable icmp time-exceeded {vlan }

To enable or disable the generation of an ICMP timestamp response on one or all VLANs, use the following commands:

enable icmp timestamp {vlan }
disable icmp timestamp {vlan }

To enable or disable the generation of ICMP unreachable messages on one or all VLANs, use the following commands:

enable icmp unreachables {vlan }
disable icmp unreachables {vlan }

To enable or disable the modific
IP Unicast Routing packet that is to be relayed by the switch. Similarly, if a DHCP reply received by the switch contains a valid relay agent option, the option will be stripped from the packet before it is relayed to the client. The DHCP relay agent option consists of two pieces of data, called sub-options. The first is the agent circuit ID sub-option, and the second is the agent remote ID sub-option.
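The relay agent option is what lets a DHCP server tie a lease to the switch and port a request arrived on, so the two operations above (add the option on the way to the server, strip it on the way back) are worth seeing byte for byte. The following is an added example, not the switch's relay code: it builds the option from an agent circuit ID (sub-option 1) and agent remote ID (sub-option 2) as RFC 3046 defines them, inserts it into a relayed request, and removes it from a reply before the reply goes to the client. A request arriving from a directly connected client (giaddr zero) that already carries option 82 is dropped, which is the RFC 3046 recommendation for untrusted ports; the behaviour for an already-relayed request (giaddr set) is an assumption noted in the code. The packets, the circuit and remote IDs, and the relay address 192.207.36.1 (the Personnel VLAN from the routing example) are constructed sample data.

```python
"""Added example: DHCP relay agent option (option 82) insertion and removal, RFC 3046 (illustrative)."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the BOOTP fixed header
FIXED_LEN = 236                       # BOOTP fixed header length
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
HOPS, GIADDR = 3, slice(24, 28)      # offsets of hops and giaddr in the fixed header


def parse_options(data: bytes):
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def serialize_options(opts) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_relay_agent_option(circuit_id: bytes, remote_id: bytes) -> bytes:
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_relay_agent_option(value: bytes) -> dict:
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def split(packet: bytes):
    if packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    return bytearray(packet[:FIXED_LEN]), parse_options(packet[FIXED_LEN + 4:])


def join(fixed: bytearray, opts) -> bytes:
    return bytes(fixed) + MAGIC + serialize_options(opts)


def make_packet(op: int, xid: int, chaddr: bytes, opts, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample packet: op 1 = BOOTREQUEST, 2 = BOOTREPLY."""
    zero4 = b"\x00" * 4
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        zero4, zero4, zero4, IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC + serialize_options(opts)


def relay_to_server(packet: bytes, circuit_id: bytes, remote_id: bytes, relay_ip: str):
    """Client -> server direction: add option 82, or drop a client-spoofed one."""
    fixed, opts = split(packet)
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        if bytes(fixed[GIADDR]) == b"\x00" * 4:
            return None  # option 82 from a directly connected client: drop (RFC 3046 2.1.1)
        return packet    # assumption: already relayed upstream, forward untouched
    if bytes(fixed[GIADDR]) == b"\x00" * 4:
        fixed[GIADDR] = IPv4Address(relay_ip).packed  # first relay sets giaddr
    fixed[HOPS] += 1
    opts.append((OPT_RELAY_AGENT, build_relay_agent_option(circuit_id, remote_id)))
    return join(fixed, opts)


def relay_to_client(reply: bytes) -> bytes:
    """Server -> client direction: the agent's own option must not reach the client."""
    fixed, opts = split(reply)
    return join(fixed, [(c, v) for c, v in opts if c != OPT_RELAY_AGENT])


if __name__ == "__main__":
    mac = bytes.fromhex("0011223344aa")  # constructed client MAC
    discover = make_packet(1, 0x1234, mac, [(OPT_MSG_TYPE, b"\x01")])
    relayed = relay_to_server(discover, b"Personnel:21", b"switch-A", "192.207.36.1")
    print(parse_relay_agent_option(dict(split(relayed)[1])[OPT_RELAY_AGENT]))
```

Dropping a client-originated option 82 is the security-relevant half: a host that can forge the circuit ID can claim another port's identity towards a server that uses the option for address assignment or access decisions.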
UDP-Forwarding UDP-Forwarding UDP-forwarding is a flexible and generalized routing utility for handling the directed forwarding of broadcast UDP packets. UDP-forwarding allows applications, such as multiple DHCP relay services from differing sets of VLANs, to be directed to different DHCP servers. The following rules apply to UDP broadcast packets handled by this feature: • If the UDP profile includes BOOTP or DHCP, it is handled according to guidelines in RFC 1542.
UDP Echo Server

You can use UDP Echo packets to measure the transit time for data between the transmitting and receiving end. To enable UDP echo server support, use the following command:

enable udp-echo-server

To disable UDP echo server support, use the following command:

disable udp-echo-server
13 Interior Gateway Protocols This chapter describes the following topics: • Overview on page 228 • Overview of RIP on page 229 • Overview of OSPF on page 230 • Route Re-Distribution on page 236 • RIP Configuration Example on page 238 • Configuring OSPF on page 238 • OSPF Configuration Example on page 239 • Displaying OSPF Settings on page 241 This chapter assumes that you are already familiar with IP unicast routing.
Interior Gateway Protocols Overview The switch supports the use of two interior gateway protocols (IGPs); the Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) protocol. RIP is a distance-vector protocol, based on the Bellman-Ford (or distance-vector) algorithm. The distance-vector algorithm has been in use for many years, and is widely deployed and understood. OSPF is a link-state protocol, based on the Dijkstra link-state algorithm.
Overview of RIP Overview of RIP RIP is an Interior Gateway Protocol (IGP) first used in computer routing in the Advanced Research Projects Agency Network (ARPAnet) as early as 1969. It is primarily intended for use in homogeneous networks of moderate size. To determine the best path to a distant network, a router using RIP always selects the path that has the least number of hops. Each router that data must traverse is considered to be one hop.
Interior Gateway Protocols Triggered Updates Triggered updates occur whenever a router changes the metric for a route, and it is required to send an update message immediately, even if it is not yet time for a regular update message to be sent. This will generally result in faster convergence, but may also result in more RIP-related traffic.
Overview of OSPF Link-State Database Upon initialization, each router transmits a link-state advertisement (LSA) on each of its interfaces. LSAs are collected by each router and entered into the LSDB of each router. Once all LSAs are received, the router uses the LSDB to calculate the best routes for use in the IP routing table. OSPF uses flooding to distribute LSAs between routers. Any change in routing information is sent to all of the routers in the network.
Interior Gateway Protocols Opaque LSAs Opaque LSAs are a generic OSPF mechanism used to carry auxiliary information in the OSPF database. Opaque LSAs are most commonly used to support OSPF traffic engineering. Normally, support for opaque LSAs is auto-negotiated between OSPF neighbors.
Overview of OSPF NOTE Area 0.0.0.0 exists by default and cannot be deleted or changed. The backbone allows summary information to be exchanged between ABRs. Every ABR hears the area summaries from all other ABRs. The ABR then forms a picture of the distance to all networks outside of its area by examining the collected advertisements, and adding in the backbone distance to each advertising router. When a VLAN is configured to run OSPF, you must configure the area for the VLAN.
Interior Gateway Protocols • Stub area. • NSSA. Virtual links can be configured through normal areas. External routes can be distributed into normal areas. Virtual Links In the situation when a new area is introduced that does not have a direct physical attachment to the backbone, a virtual link is used. A virtual link provides a logical path between the ABR of the disconnected area and the ABR of the normal area that connects to the backbone.
Figure 45: Virtual link providing redundancy (Areas 0 through 3 with ABR 1 and ABR 2 joined by a virtual link)

Point-to-Point Support

You can manually configure the OSPF link type for a VLAN. Table 40 describes the link types.

Table 40: OSPF Link Types

Link Type   Number of Routers   Description
Auto        Varies              ExtremeWare automatically determines the OSPF link type based on the interface type. This is the default setting.
Route Re-Distribution

RIP and OSPF can be enabled simultaneously on the switch. Route re-distribution allows the switch to exchange routes between RIP, OSPF, and the static route table. Figure 46 is an example of route re-distribution between an OSPF autonomous system and a RIP autonomous system.

Figure 46: Route re-distribution (OSPF AS with backbone area 0.0.0.0 and an ABR to area 121.2.3.
Re-Distributing Routes into OSPF

Enable or disable the exporting of RIP, static, and direct (interface) routes to OSPF using the following commands:

enable ospf export [direct | rip | static] [cost [ase-type-1 | ase-type-2] {tag }]

These commands enable or disable the exporting of RIP, static, and direct routes by way of LSA to other OSPF routers as AS-external type 1 or type 2 routes. The default setting is disabled.
Interior Gateway Protocols RIP Configuration Example A switch that has three VLANs is defined as follows: • Finance — Contain ports 5 and 6. — IP address 192.207.35.1. • Personnel — Contain ports 22 and 23. — IP address 192.207.36.1. In this configuration, all IP traffic from stations connected to ports 5 and 6 have access to the switch by way of the VLAN Finance. Ports 22 and 23 reach the switch by way of the VLAN Personnel.
OSPF Configuration Example configure ospf vlan timer You can configure the following parameters: • Retransmit interval—The length of time that the router waits before retransmitting an LSA that is not acknowledged. If you set an interval that is too short, unnecessary retransmissions will result. The default value is 5 seconds. NOTE The OSPF standard specifies that wait times are equal to the dead router wait interval.
Interior Gateway Protocols Area 0 is the backbone area. It is located at the headquarters and has the following characteristics: • Two internal routers (IR1 and IR2) • Two area border routers (ABR1 and ABR2) • Network number 10.0.x.x • Two identified VLANs (HQ_10_0_2 and HQ_10_0_3) Area 5 is connected to the backbone area by way of ABR1 and ABR2. It is located in Chicago and has the following characteristics: • Network number 160.26.x.
configure vlan HQ_10_0_1 ipaddress 10.0.1.2 255.255.255.0
configure vlan HQ_10_0_2 ipaddress 10.0.2.2 255.255.255.0
enable ipforwarding
configure ospf add vlan all area 0.0.0.0
enable ospf

Displaying OSPF Settings

There are a number of commands you can use to display settings for OSPF. To show global OSPF information, use the show ospf command with no options.
Interior Gateway Protocols • Interface authentication—prevents unauthorized routers from forming adjacency. This is achieved by inserting authentication information in the Hello PDUs and validating them on the received Hello PDUs. You can configure authentication separately for level 1 and level 2. • Domain or area authentication—prevents intruders from injecting invalid routing information into this router.
problems. For example, when a router has a memory shortage, it might be that the link state database is not complete, resulting in an incomplete or inaccurate routing table. When the router sets the overload bit in its LSPs, other routers can ignore the unreliable router in their SPF calculations until the router has recovered from its problems. Set the overload bit when you want to prevent traffic flow.
Interior Gateway Protocols 244 ExtremeWare 7.
14 IP Multicast Routing
This chapter covers the following topics:
• IP Multicast Routing Overview on page 245
• PIM Sparse Mode (PIM-SM) Overview on page 246
• IGMP Overview on page 247
• Multicast Tools on page 249
• Configuring IP Multicasting Routing on page 250
• Configuration for IR1 on page 250
For more information on IP multicasting, refer to the following publications:
• RFC 1112 – Host Extension for IP Multicasting
• RFC 2236 – Internet Group Management Protocol, Version 2
• PIM-SM Version 2 – dra
NOTE You should configure IP unicast routing before you configure IP multicast routing.
PIM Sparse Mode (PIM-SM) Overview
Protocol Independent Multicast-Sparse Mode (PIM-SM) routes multicast packets to multicast groups. The sparse mode protocol is designed for installations where the multicast groups are scattered over a large area such as a wide area network (WAN). PIM-SM is a router-to-router protocol, so all routers and switches must upgrade to the same PIM-SM version.
IGMP Overview
configure pim crp static
IGMP Snooping
IGMP snooping is a layer 2 function of the switch. It does not require multicast routing to be enabled. In IGMP snooping, the layer 2 switch keeps track of IGMP requests, and only forwards multicast traffic to the part of the local network that requires it. IGMP snooping optimizes the usage of network bandwidth, and prevents multicast traffic from being flooded to parts of the local network that do not need it.
Multicast Tools
should be IP address type entries, and the IP address of each entry must be in the class-D multicast address space, but should not be in the multicast control subnet range (224.0.0.x/24).
If a router does not support the mtrace functionality, it will silently drop the request packet and no information will be returned. For this situation, you could send the trace with a small number of maximum hops allowed, increasing the number of hops as the stream is traced. The group IP address must be in the class-D multicast address space, but should not be in the multicast control subnet range (224.0.0.x/24).
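The address rule stated for both the static RP group list entries and the mtrace group address, as an added example in Python (not code from the ExtremeWare guide); it goes beyond the page by also accepting a prefix, as an access-profile entry might carry, and rejecting it if any part of the prefix falls outside class D or overlaps 224.0.0.0/24.

```python
import ipaddress

# Ranges named on the page: the class-D multicast space and the control subnet to exclude.
CLASS_D = ipaddress.ip_network("224.0.0.0/4")
CONTROL_SUBNET = ipaddress.ip_network("224.0.0.0/24")


def check_group_entry(entry):
    """Validate one group address or prefix (e.g. '239.1.2.3' or '239.1.0.0/16').

    Returns (ok, reason). An entry is accepted only when it lies entirely inside
    224.0.0.0/4 and does not overlap the control subnet 224.0.0.0/24.
    """
    try:
        # strict=False lets a bare host address such as 239.1.2.3 through as a /32
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False, "not a valid IPv4 address or prefix"
    if net.version != 4:
        return False, "only IPv4 group addresses are accepted here"
    if not net.subnet_of(CLASS_D):
        return False, "not inside the class-D multicast range 224.0.0.0/4"
    if net.overlaps(CONTROL_SUBNET):
        return False, "overlaps the multicast control subnet 224.0.0.0/24"
    return True, "ok"


def validate_group_list(entries):
    """Check a whole list of entries; return {entry: reason} for the rejected ones."""
    rejected = {}
    for entry in entries:
        ok, reason = check_group_entry(entry)
        if not ok:
            rejected[entry] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample list; not taken from a real switch configuration.
    sample = ["239.1.2.3", "232.0.0.0/8", "224.0.0.9", "224.0.0.0/8", "224.0.1.1", "10.1.2.3"]
    for entry, reason in validate_group_list(sample).items():
        print(f"reject {entry}: {reason}")
```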
Configuring IP Multicasting Routing
Figure 48: IP multicast routing using PIM-SM configuration example (diagram residue; the figure shows the headquarters Area 0 with routers IR1, IR2, ABR1 and ABR2 and their HQ VLANs, a rendezvous point at 161.48.2.2, and a virtual link between the Chicago and Los Angeles networks in 160.26.x.x)
15 Using ExtremeWare Vista on the Summit 400
This chapter describes the following topics:
• ExtremeWare Vista Overview on page 253
• Accessing ExtremeWare Vista on page 254
• Navigating within ExtremeWare Vista on page 256
• Configuring the Summit 400 using ExtremeWare Vista on page 257
• Reviewing ExtremeWare Vista Statistical Reports on page 283
• Locating Support Information on page 299
• Logging Out of ExtremeWare Vista on page 303
ExtremeWare Vista Overview
A standard device-management feature on the
• Check for newer versions of stored pages. Every visit to the page should be selected as a cache setting. If you are using Netscape Navigator, configure the cache option to check for changes “Every Time” you request a page. If you are using Microsoft Internet Explorer, configure the Temporary Internet Files setting to check for newer versions of stored pages by selecting “Every visit to the page.”
Accessing ExtremeWare Vista
Figure 49: Home Page for ExtremeWare Vista
2 Click Logon to open the Username and Password dialog box shown in Figure 50.
Figure 50: Username and Password Dialog Box
3 Type your username and password and click OK. The main page for the switch opens as shown in Figure 51. If you enter the username and password of an administrator-level account, you have access to all ExtremeWare Vista pages. If you enter a user-level account name and password, you have access only to the Statistics and Support information.
Configuring the Summit 400 using ExtremeWare Vista
When you choose a submenu link in the task frame, the content frame populates with the corresponding data. However, when you choose a new task, the content frame does not change until you choose a new submenu link and repopulate the frame.
Browser Controls
Browser controls include drop-down list boxes, check boxes, and multiselect list boxes. A multiselect list box has a scrollbar on the right side of the box.
• RIP on page 268
• SNMP on page 271
• Spanning Tree on page 273
• Switch on page 277
• User Accounts on page 277
• Virtual LAN on page 278
• Access List on page 280
Figure 52: Configuration Submenu Links
IP Forwarding
From this window, you can enable or disable IP unicast forwarding across VLANs. For an example of this window, see Figure 53. At the top of the window is a table that shows each existing IP interface configuration.
For more information on forwarding of IP packets, see:
• Configuring IP Unicast Routing on page 220
• Subnet-Directed Broadcast Forwarding on page 218
• IP Multicast Routing Overview on page 245
Figure 53: IP Interface Configuration
License
The License window allows you to enable the Advanced Edge license by submitting a valid license key purchased from Extreme Networks. See Figure 54 for an example of this window.
Figure 54: License Window
OSPF
The OSPF configuration window allows you to perform a wide range of OSPF configuration tasks.
• Enable or disable the exporting of RIP, static, and direct (interface) routes to OSPF. Be sure you disable exporting of static and RIP routes before setting other global OSPF parameters.
• Enable or disable the exporting of static, direct, and OSPF-learned routes into a RIP domain.
• Set the route type as external type 1 or external type 2.
• Set the cost metric for all RIP-learned, static, and direct routes injected into OSPF.
Configure an Area Range
This portion of the window allows you to configure a range of IP addresses in an OSPF area. The example in Figure 56 shows that six areas are defined: the backbone (0.0.0.0), and area IDs 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, and 5.5.5.5. The Area Range Configuration box shows non-default values for the areas. The Add Area Ranges box allows you to add a range to an area, set a netmask, or specify advertising.
Figure 57: OSPF Area Configuration
For more information on area types, see “Areas” on page 232.
Transit delay—From 1 to 3600 seconds
Hello interval—From 1 to 65535 seconds
Router dead time—From 1 to 2147483647 seconds
Retransmit interval—From 1 to 3600 seconds
The three boxes that follow the table allow you to change the values of the interfaces in that table.
Figure 58: IP Interface Configuration for OSPF
The first box allows you to associate VLANs with areas by selecting a VLAN name and an area ID.
Figure 59: OSPF Virtual Links
Configure OSPF Authentication
The final section in the OSPF configuration window allows you to configure authentication for an interface. This section is shown at the bottom of Figure 60. The table displays the interface and whether an authentication type is currently configured. The configuration box allows you to specify a simple authentication password of up to eight characters, or a Message Digest 5 (MD5) key for the interface.
Figure 60: OSPF Authentication
Ports
Port configuration provides a convenient way to see all the pertinent information about a port in one place. Figure 61 shows the following fields in the port configuration window:
Ports—The port number, 1 to 48
State—The port state, either enabled or disabled
Link—The link status, either active or ready
Autonegotiation—Indicates whether to autonegotiate the port speed and the duplex mode.
QoS Profile—A QoS profile in the format QPn, where n is from 1 to 8
Figure 61: Port Configuration Window
Below the Port Configuration table is the box for configuring port parameters. When configuring ports, you must select appropriate values for all parameters before submitting the change. The selectable fields are:
Port Number—Port numbers 1 to 48, or from 1 to 50 if you have the optional XEN card installed.
Figure 62: Configure Port Parameters
RIP
The RIP configuration window allows you to configure global RIP parameters or RIP for an IP interface.
Configure Global RIP Parameters
Use the global parameters to set up RIP for the switch. See the top portion of Figure 63 for an example of the global parameters window. From this portion of the window, you can make multiple changes with a single update:
• Enable or disable RIP for the switch.
Use the Unconfigure button to reset the global RIP parameters to the default values. Use the Submit button to submit the changes to the system.
Figure 63: RIP Global Configuration
For more information about setting RIP parameters globally, see “Overview of RIP” on page 229.
Configure RIP for an IP Interface
Following the global configuration section is the section for configuring RIP for an individual IP interface.
Figure 64: IP Interface Configuration for RIP
Using this portion of the window, you can:
• Review the existing RIP configuration for an IP interface.
• Set the Rx mode values for the selected VLANs. The pull-down menu allows you to specify the following:
None—Do not receive packets on this interface.
Any—Receive packets on this interface in any mode.
V1 Only—Receive RIP v1 format packets to the broadcast address.
V2 Only—Receive RIP v2 format packets to the RIP multicast address.
If no VLAN is specified, the setting is applied to all VLANs. The default setting is V2 Only.
Figure 65: System Contact and Community Authentication Information
The Community Authentication Information fields specify community strings, which allow a simple method of authentication between the switch and the remote Network Manager. The default read-only community string is public. The default read-write community string is private. Each community string can have a maximum of 127 characters, and can be enclosed by double quotation marks.
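An added example, not code from the ExtremeWare guide, that audits a saved configuration for the weak settings this section implies: the default public and private strings still in place, and strings over the 127-character limit. It assumes the strings were added with the configure snmp add community [readonly | readwrite] <string> form listed in the command index, and the eight-character minimum is this example's own choice.

```python
import re

# Values the page states: the default community strings and the 127-character maximum.
DEFAULT_COMMUNITIES = {"public", "private"}
MAX_COMMUNITY_LEN = 127
MIN_COMMUNITY_LEN = 8   # assumed threshold chosen for this example, not from the guide

# Assumed command form: configure snmp add community [readonly | readwrite] <string>
_COMMUNITY_RE = re.compile(
    r"^\s*configure\s+snmp\s+add\s+community\s+(readonly|readwrite)\s+(\S.*?)\s*$",
    re.IGNORECASE,
)

# Constructed sample configuration (not captured from a real switch).
SAMPLE_CONFIG = """\
configure snmp add community readonly public
configure snmp add community readwrite "private"
configure snmp add community readonly "ops-ro-7Qx"
configure snmp add community readwrite R9w-site-2004
configure snmp add community readonly abc
enable snmp access
""" + "configure snmp add community readonly " + "x" * 128 + "\n"


def parse_communities(config_text):
    """Return [(access, community)] for each 'configure snmp add community' line.

    The page says a string may be enclosed in double quotation marks, so a
    surrounding pair of quotes is stripped before the value is returned.
    """
    found = []
    for line in config_text.splitlines():
        m = _COMMUNITY_RE.match(line)
        if not m:
            continue
        access, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        found.append((access, value))
    return found


def audit_communities(config_text):
    """Return (severity, message) findings; at most one finding per community."""
    findings = []
    for access, community in parse_communities(config_text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default {access} community '{community}' still configured"))
        elif len(community) > MAX_COMMUNITY_LEN:
            findings.append(("error", f"{access} community longer than {MAX_COMMUNITY_LEN} characters"))
        elif len(community) < MIN_COMMUNITY_LEN:
            findings.append(("medium", f"{access} community '{community}' shorter than {MIN_COMMUNITY_LEN} characters"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_communities(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```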
Figure 66: Configure Trap Options
Spanning Tree
From this window, you can configure all aspects of a Spanning Tree Domain (STPD). The window is divided into two sections. In the top section, you can create or delete a Spanning Tree Domain (STPD) as shown in Figure 67.
Figure 67: Spanning Tree Configuration (1 of 4)
In the bottom section, you can:
• Review all STPD configurations. Each STPD shows the:
— STPD name.
— State of the domain, either enabled or disabled.
— Priority level of the bridge, a value between 1 and 65535 (default 32768).
— Hello time interval for the bridge, a value between 1 and 10 seconds (default 2 seconds).
Figure 68: Spanning Tree Configuration (2 of 4)
• Review all ports belonging to STPDs. A port can belong to only one STPD. If a port is a member of multiple VLANs, then all those VLANs must belong to the same STPD. The Spanning Tree Port Configuration Table contains the following fields:
Port Number—Port numbers 1 to 48, or from 1 to 50 if you have the optional XEN card installed.
Figure 69: Spanning Tree Configuration (3 of 4)
Figure 70: Spanning Tree Configuration (4 of 4)
Switch
This window, shown in Figure 71, manages basic switch operation. The four sections are:
• Set date and time
• Enable or disable Telnet remote management and SNMP management
• Select the image and configuration to use. You can choose a primary or secondary image to use from the pull-down menu.
• Save the configuration. Settings that are stored in run-time memory are not retained by the switch when the switch is rebooted.
• Whether that user has administrator privileges
• The number of times the user has logged into the system since the last reboot
• Whether the user has point-to-point (PPP) user access
You can also manage user accounts through this window. Each account requires a user name and password. Users with administrative access have read-write authority, whereas a normal user has read-only access to the system.
Figure 73: VLAN Administration (1 of 2)
Configuring a VLAN
The second section of the VLAN window allows you to change VLAN parameters. Use the pull-down menu to choose an existing VLAN name and click Get to populate the remaining fields. Figure 74 shows an example of the Configure VLAN Information. Use the following fields to make changes to a VLAN:
IP Address—Either changes the IP address or unconfigures the IP address.
Figure 74: VLAN Administration (2 of 2)
Adding Ports to a VLAN
The next section allows you to add ports to the VLAN. You can add the port as either tagged or untagged. If you click Tagged, the port is added as a tag-based port. If you click Untagged, the port is added as an untagged port. Figure 74 shows an example of adding ports to a VLAN. The next box allows you to select a port and click Remove to delete the port.
Ether Type—Ethernet type
IP Proto—IP protocol
TOS/Code Point—IP DiffServ code points
Dest IP—Destination IP address
Dest IP Mask—Destination subnet mask
Dest L4 Port—Destination UDP layer 4 port
Src IP—Source IP address
Src IP Mask—Source IP subnet mask
Src L4 Port/ICMP—Source UDP layer 4 port/ICMP
TCP Permit Estb—TCP permit established
Egr Port—Egress port
Ingr Port—Ingress port
Pre—Precedence
Figure 75: Access List Configuration (1 of 3)
As Figure 75 sh
Rate Limiting
Like an access list, a rate limit includes a list of values to compare with the incoming packets and an action to take for packets that match. Additionally, a rate limit specifies an action to take when matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify a value for each of the fields that make up the access mask used by the list.
Figure 77: Access List Configuration (4 of 4)
Reviewing ExtremeWare Vista Statistical Reports
ExtremeWare Vista offers a number of pre-formatted reports on the most frequently requested information. These statistical reports provide current information about the switch and its configuration. To access the statistical reports, click Statistics in the task bar to reveal the submenu links.
RIP—Contains global RIP statistics and router interface statistics
Switch—Contains the hardware profile for the switch
Event Log
The System Event Log tracks all configuration and fault information pertaining to the device. Each entry in the log contains the following information:
• Timestamp—The timestamp records the month and day of the event, along with the time (hours, minutes, and seconds) in the form HH:MM:SS.
MAC Destination—MAC address of the device
VLAN—VLAN name and tag
Flags—Identifier for static (s) or dynamic (d)
Port List—The destination port or ports for the MAC address
Figure 79: FDB (1 of 2)
Summary information is located at the bottom of the view.
Figure 80: FDB (2 of 2)
For further information about the FDB, see “Overview of the FDB” on page 99.
IP ARP
Use the IP ARP window to find the MAC address associated with an IP address.
Figure 81: IP ARP Table
IP Configuration
In this window you can review two different tables containing IP configuration information. The Global IP Configuration Statistics table provides IP settings and summary statistics for the entire switch. The Router Interface table provides details on each VLAN. Both tables are shown in Figure 82.
OSPF—The OSPF routing protocol for the switch. The setting is either enabled or disabled.
Advertisement Address—The destination address of the router advertisement messages.
Maximum Interval—The maximum time between router advertisements. The default setting is 600 seconds.
Minimum Interval—The minimum amount of time between router advertisements. The default setting is 450 seconds.
Lifetime—The client aging timer setting; the default is 1,800 seconds.
Netmask
Broadcast—The broadcast address in dotted-quad notation
Multicast TTL—The multicast time-to-live
MTU—Maximum Transmission Unit (MTU) size
Metric—The hop count to the destination address
IP Forwarding—IP forwarding on this interface is enabled or disabled
Fwd Bcast—The hardware forwarding of subnet-directed broadcast IP packets is enabled or disabled
RIP—RIP is enabled or disabled on this interface
OSPF—OSPF is enabled or disabled on this interface
IDR
Use—The number of times the entry is used
VLAN—VLAN name
Origin—Route origin. One of the following:
• direct
• blackhole
• static
• ICMP
• OSPFIntra
• OSPFInter
• RIP
• OSPFExtern1
• OSPFExtern2
• BOOTP
As shown in Figure 83, you can also use the View Options to restrict different aspects of the view. For more information on IP routing, see “Populating the Routing Table” on page 217.
• Across the whole switch, see “Global IP Statistics”
• On an interface, see “Global ICMP Statistics” on page 291
• Across VLANs, see “Global ICMP Statistics” on page 292
Global IP Statistics
The Global IP Statistics report shows IP traffic flow through the switch.
• Out Responses
• Out Errors
• Bad Checksums
Figure 85: Global ICMP Statistics
Router Interface IP Statistics
The Router Interface IP Statistics give detailed traffic statistics at the VLAN level, as shown in Figure 86.
Figure 86: Router Interface IP Statistics
Ports
This window provides information about active ports as reported by the Summit 400 hardware. As shown in Figure 87, the report consists of the following fields:
Port Number
Port Speed
Link State
Received Packet Count
Transmitted Packet Count
Received Byte Count
Transmitted Byte Count
Collisions
Figure 87: Physical Port Statistics
Port Collisions
This window provides information about Ethernet collisions that occur when the port is operating in half-duplex mode. An example of this window is shown in Figure 88.
Figure 88: Port Collisions
Port Errors
In this window, you can review Ethernet link errors. As shown in Figure 89, the table reflects the following information for each active port:
• Link State
• Rx Lost
• Rx Bad Cyclic Redundancy Check (CRC)
• Rx Undersize
• Rx Oversize
• Rx Fragments
• Rx Jabber
• Rx Alignment
• Tx Errored
• Tx Deferred
• Tx Late Collisions
Figure 89: Ethernet Port Errors
Port Utilization
This window shows port utilization.
Figure 90: Utilization Averages
RIP
This window provides statistics about the Routing Information Protocol (RIP) both at the global (switch level) and at the interface level. At the switch level, the Global Routing Information Protocol Statistics table shows the number of route changes and the number of queries.
Bad Routes
Figure 91: RIP Statistics
Switch
Use this window to locate hardware status information.
Locating Support Information External Power Supply—(optional) If present, provides power supply information. If the power supply is operating at full capacity, an OK message displays in green. If it is present, installed, but not operating, the status is displayed in red. A separate table follows the hardware status that is dedicated to internal cooling fan status.
Figure 93: Product Manual Link
TFTP Download
You can download the latest software images using Trivial File Transfer Protocol (TFTP) from this window.
Figure 94: TFTP Download
Contact Support
The Contact Support window contains the mailing address, telephone number, fax number, and URL for Customer Support. An example of this window is shown in Figure 95.
Figure 95: Support Address
Email Support
When you click the submenu link for Email Support, the browser closes the ExtremeWare Vista page and opens your browser’s email window. You can then send an email directly to customer support as shown in Figure 96.
Figure 96: Email Support
Logging Out of ExtremeWare Vista
When you click the Logout button in the task frame, it causes an immediate exit from ExtremeWare Vista. Be sure you want to exit the application, because there is no confirmation screen.
A Technical Specifications
This appendix provides technical specifications for the Summit 400-48 switch. It covers the following topics:
• Summit 400-48t Switch on page 305
Summit 400-48t Switch
The Summit 400-48 has these physical characteristics:
Physical and Environmental
Dimensions
Height: 1.73 inches (4.40 cm)
Width: 17.6 inches (44.1 cm)
Depth: 16.4 inches (41.6 cm)
Weight
Weight: 11 lbs (4.
Safety Certifications
North America
UL 60950 3rd Edition, listed (US Safety)
CAN/CSA-C22.2 No.
GOST (Russian Federation)
ACN 090 029 066 C-Tick (Australian Communication Authority)
Underwriters Laboratories (USA and Canada)
MIC (South Korea)
BSMI, Republic of Taiwan
NOM (Mexican Official Normalization, Electronic Certification and Normalization)
Supported Protocols, MIBs, and Standards
The following is a list of software standards and protocols supported by the Summit 400.
DiffServ - Standards and MIBs
RFC 2474 Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2475 An Architecture for Differentiated Services
RFC 2597 Assured Forwarding PHB Group
RFC 2598 An Expedited Forwarding PHB
Environmental
EN 300 019-2-1 (2000-09) Storage Class 1.2 Packaged
EN 300 019-2-2 (1999-09) Transportation Class 2.3 Packaged
EN 300 019-2-2 (1999-09) Stationary Use at Weather Protected Locations, Class 3.
Management - SNMP & MIBs
RFC 1157 Simple Network Management Protocol (SNMP)
RFC 1215 Convention for defining traps for use with the SNMP
RFC 1573 Evolution of Interface
RFC 1901 Introduction to Community-based SNMPv2
RFC 1902 Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)
RFC 1903 Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)
RFC 1904 Conformance Statements for Version 2 of
Management - Other:
RFC 1866 Hypertext Markup Language - 2.0
NetFlow version 1 export
RFC 2068 Hypertext Transfer Protocol -- HTTP/1.
Quality of Service
IEEE 802.1D-1998 (802.1p) Packet Priority
RFC 2475 An Architecture for Differentiated Service
RFC 2474 Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
Layer 1-4, layer 7 (user name) Policy-Based Mapping
RFC 2598 An Expedited Forwarding PHB
RFC 2597 Assured Forwarding PHB Group
Bi-directional Rate Shaping
Policy-Based Mapping/Overwriting of DiffServ code points, .
B Software Upgrade and Boot Options
This appendix describes the following topics:
• Downloading a New Image on page 313
• Saving Configuration Changes on page 315
• Using TFTP to Download the Configuration on page 317
• Upgrading and Accessing BootROM on page 318
Downloading a New Image
The image file contains the executable code that runs on the switch. It comes preinstalled from the factory. As new versions of the image are released, you should upgrade the software running on your system.
indicated, the next selected boot-up image space is used. This is the primary image space by default, but it can be changed with the following command:
use image [primary | secondary]
Understanding the Image Version String
The image version string contains build information for each version of ExtremeWare. You can use either the show version or show switch command to display the ExtremeWare version running on your switch.
Table 43: Sample show output
Release Type | Show Version Command | Show Switch Command
Beta | Version 7.0.1 (Build 3) beta1.triumph-r4 | 7.0.1b3 beta1.triumph-r4
Development Branch | Version 7.0.0 (Build 67) branch.triumph-r5 | 7.0.0b67 branch.triumph-r5
Software Signatures
Each ExtremeWare image contains a unique signature. The BootROM checks for signature compatibility and denies an incompatible software upgrade.
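An added example, not code from Extreme Networks, that normalises the two display forms in Table 43 into one record so an upgrade script can confirm that the image now running is the build it expected; the two regular expressions are this example's own reading of the table's rows.

```python
import re
from collections import namedtuple

# Fields shared by both display forms in Table 43.
ImageVersion = namedtuple("ImageVersion", "major minor patch build branch")

# "show version" form, e.g.  Version 7.0.1 (Build 3) beta1.triumph-r4
_SHOW_VERSION_RE = re.compile(
    r"Version\s+(\d+)\.(\d+)\.(\d+)\s+\(Build\s+(\d+)\)\s*(\S*)"
)
# "show switch" form, e.g.   7.0.1b3 beta1.triumph-r4
_SHOW_SWITCH_RE = re.compile(
    r"\b(\d+)\.(\d+)\.(\d+)b(\d+)\s*(\S*)"
)


def parse_image_version(text):
    """Parse either display form into an ImageVersion; raise ValueError otherwise."""
    m = _SHOW_VERSION_RE.search(text) or _SHOW_SWITCH_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups()[:4])
    return ImageVersion(major, minor, patch, build, m.group(5))


def same_image(a, b):
    """True when two strings, in either form, describe the same build and branch."""
    return parse_image_version(a) == parse_image_version(b)


def is_at_least(text, major, minor, patch):
    """True when the image is at or above the given release, ignoring build and branch."""
    v = parse_image_version(text)
    return (v.major, v.minor, v.patch) >= (major, minor, patch)


if __name__ == "__main__":
    # The two rows of Table 43, each in both forms.
    print(same_image("Version 7.0.1 (Build 3) beta1.triumph-r4", "7.0.1b3 beta1.triumph-r4"))
    print(same_image("Version 7.0.0 (Build 67) branch.triumph-r5", "7.0.1b3 beta1.triumph-r4"))
```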
NOTE If the switch is rebooted while in the middle of a configuration save, the switch boots to factory default settings. The configuration that is not in the process of being saved is unaffected.
Returning to Factory Defaults
To return the switch configuration to factory defaults, use the following command:
unconfigure switch
This command resets the entire configuration, with the exception of user accounts and passwords that have been configured, and the date and time.
Using TFTP to Download the Configuration
You can download ASCII files that contain CLI commands to the switch to modify the switch configuration. Three types of configuration scenarios can be downloaded:
• Complete configuration
• Incremental configuration
• Scheduled incremental configuration
If you load a configuration from a different model, you can safely write the correct configuration over the unsupported configuration.
Scheduled Incremental Configuration Download
You can schedule the switch to download a partial or incremental configuration on a regular basis. You could use this feature to update the configuration of the switch regularly from a centrally administered TFTP server. As part of the scheduled incremental download, you can optionally configure a backup TFTP server.
Upgrading and Accessing BootROM
To access the BootROM menu, follow these steps:
1 Attach a serial cable to the console port of the switch.
2 Attach the other end of the serial cable to a properly configured terminal or terminal emulator, then power cycle the switch while depressing the spacebar on the keyboard of the terminal. As soon as you see the BootROM-> prompt, release the spacebar. You can see a simple help menu by pressing h.
C Troubleshooting
If you encounter problems when using the switch, this appendix may be helpful. If you have a problem not listed here or in the release notes, contact your local technical support representative.
LEDs
Power LED does not light: Check that the power cable is firmly connected to the device and to the supply outlet.
On powering-up, the MGMT LED lights yellow: The device has failed its Power On Self Test (POST) and you should contact your supplier for advice.
Cable Diagnostics
If you are having a problem establishing a link, you might have a faulty Ethernet cable. An Ethernet cable is composed of four unshielded twisted pairs (UTP). Of those four pairs, two are required to create the link. In addition to physically inspecting the cable, you can run a CLI command to test the cable.
Using the Command-Line Interface
The initial welcome prompt does not display: Check that your terminal or terminal emulator is correctly configured. For console port access, you may need to press [Return] several times before the welcome prompt appears. Check the settings on your terminal or terminal emulator. The settings are 9600 baud, 8 data bits, 1 stop bit, no parity, XON/XOFF flow control enabled.
Check that SNMP access was not disabled for the system.
Permanent entries remain in the FDB: If you have made a permanent entry in the FDB (which requires you to specify the VLAN to which it belongs) and then delete the VLAN, the FDB entry will remain. Though it causes no harm, you must manually delete the entry from the FDB if you want to remove it.
Always verify that the Extreme switch and the network device match in configuration for speed and duplex.
No link light on Gigabit fiber port: Check to ensure that the transmit fiber goes to the receive fiber side of the other device, and vice versa. All gigabit fiber cables are of the cross-over type. The Extreme switch has auto-negotiation set to on by default for gigabit ports.
If you are connecting to a third-party device and have checked that the VLAN IDs are the same, the Ethertype field used to identify packets as 802.1Q packets may differ between the devices. The default value used by the switch is 8100.
VLANs, IP Addresses and default routes: The system can have an IP address for each configured VLAN. It is necessary to have an IP address associated with a VLAN if you intend to manage (Telnet, SNMP, ping) through that VLAN or route IP traffic.
TOP Command
To change the debug tracing facility for a certain system to a specified debug level, use the following command:
configure debug-trace vlan
Some of the debug trace system commands can be applied to a particular VLAN, and some apply to the switch as a whole, so the vlan option is not available with all systems.
System Odometer
Each field replaceable component contains a system odometer counter in EEPROM. You can use the show switch command to see how long an individual component has been in service since it was manufactured.
Reboot Loop Protection
If the system reboots due to a failure that remains after the reboot, it reboots when it detects the failure again.
Contacting Extreme Technical Support
If you have a network issue that you are unable to resolve, contact Extreme Networks technical support. Extreme Networks maintains several Technical Assistance Centers (TACs) around the world to answer networking questions and resolve network problems. You can contact technical support by phone at:
• (800) 998-2408
• (408) 579-2826
or by email at:
• support@extremenetworks.com
You can also visit the support website at: http://www.
Index of Commands
C
clear counters 131, 172
clear debug-trace 326
clear fdb 111
clear log counters 131
clear session 47, 68
configure access-profile add 158
configure access-profile delete 160
configure access-profile mode 157
configure account 69
configure banner 69
configure banner netlogin 69
configure bootprelay add 223
configure bootprelay delete 223
configure bootprelay dhcp-agent information check 224
configure bootprelay dhcp-agent information option 224
configure bootprelay dhcp-agent information
configure radius-accounting timeout 167
configure reboot-loop-protection threshold 328
configure rip vlan export-filter 160
configure rip vlan import-filter 160
configure rip vlan trusted-gateway 160
configure sharing address-based 82
configure snmp add community 49
configure snmp add trapreceiver community 49
configure snmp add trapreceiver community trap-group 51
configure snmp delete trapreceiver 49
configure snmp readonly access-profile 49
configure snmp readwrite access-profile 49
co
disable snmp traps port-up-down ports 50
disable ssh2 70
disable stpd rapid-root-failover 193
disable telnet 47, 70
disable udp-echo-server 226
disable web 70
download bootrom 73, 318
download configuration 73, 96, 317
download configuration cancel 318
download configuration every 96, 318
download image 73
enable snmp access 48
enable snmp traps 50
enable snmp traps exceed-committed-rate ports 50
enable sntp-client 62
enable ssh2 70, 174
enable stpd 209
enable stpd rapid-root-failover 19
show iparp 221
show ipconfig 221, 224
show ipfdb 218, 221
show iproute 221
show log 130
show log components 125
show log configuration filter 127
show log configuration target 123
show log counters 131
show log events 125
show management 47, 50, 172
show netlogin 156
show netlogin vlan 155
show ospf 237, 241
show ospf area 241
show ospf interfaces 241
show ospf lsdb 241
show ospf lsdb area lstype 241
show ports configuration 321
show ports info 115
show ports qosmonitor 116
show ports rxe
Index
Numerics
10 Gigabit uplinks
1000BASE-LX
1000BASE-SX
1000BASE-ZX
1d mode, STP
802.1p
802.1q
802.1x authentication
    overview
    pros and cons
802.
C
cable diagnostics
cable types and distances
cabling for redundancy
Campus mode
certification marks
checksum computation
CLI
    command history
    command shortcuts
    line-editing keys
    named components
    numerical ranges, Summit switch
    symbols
    syntax helper
    troubleshooting
    using
collisions
combination ports
command history
command shortcuts
Command-Line Interface.
Ethernet packet encapsulation
Events, RMON
explicit packet marking
export restrictions
exporting routes to OSPF
External Power System
Extreme Discovery Protocol. See EDP
Extreme Networks vendor ID
ExtremeWare
    factory defaults
    features
ExtremeWare Vista
    access levels
    accessing
    browser controls
    browser setup
    buttons
    Ethernet collisions
    event logging
    FDB
    fonts
    frames
    hardware status
    home page
    IP ARP
    IP configuration statistics
    IP forwarding configuration
    IP routing table statistics
    IP statistics
    JavaScri
IP unicast routing
    BOOTP relay 223
    configuration examples 221
    configuring 220
    default gateway 215
    description 29
    DHCP relay 223
    ECMP 218
    enabling 220
    IP route sharing 218
    proxy ARP 218
    router interfaces 216
    routing table 217
    using ExtremeWare Vista 258
    verifying the configuration 221
IP-based traffic grouping 110
ISP mode 149
J
JavaScript on ExtremeWare Vista 253
join prune interval 247
jumbo frames
    description 79
    enabling 79
    IP fragmentation 80
    path MTU discovery 80
K
keys
    line-editing
    port moni
NSSA 233
null-modem cable pin-outs 38
O
opaque LSAs, OSPF
Open Shortest Path First.
    TCP port
rapid root failover
Rapid Spanning Tree Protocol. See RSTP
rate limits
    adding
    and QoS
    deleting
reboot loop protection
receive errors
redistributing routes
redundant power installation
relay agent option, DHCP option 82
Remote Monitoring.
    Greenwich Mean Time offset
    Greenwich Mean Time Offsets (table)
    NTP servers
socket, AC power
software licensing
    security features
SSH2 protocol
    using ExtremeWare Vista
source port traffic grouping
Spanning Tree Protocol.
troubleshooting
    cables 322
    CLI 323
    CPU utilization 327
    FDB 326
    fiber 325
    IP multicast 249
    password 324
    permanent FDB entries 324
    power 321
    reboot loops 328
    technical support 329
    VLANs 325
troubleshooting STP 326
trunks 90
trusted neighbor policy 247
TTLS 149
U
UDP-forwarding 225
unconfigure RIP 269
unicast forwarding 258
uplink redundancy 27
uploading the configuration 316
user accounts
user login
user name
users
    access levels
    authenticating
    creating
    default
    viewing
USM security
UTP problems
71, 2